Ubuntu Reverse Proxy - proxy

I'm trying to host a website but at the same time mask my real IP address. I did some research and found something called a reverse proxy. I'm not sure if this is what I need, so I'll give an example of what I need: example.com goes to my website, but if they ping example.com I don't want them to see my real IP address, for security reasons. Is this what a reverse proxy does? Will it mask my real IP?
http://upload.wikimedia.org/wikipedia/commons/thumb/6/67/Reverse_proxy_h2g2bob.svg/2000px-Reverse_proxy_h2g2bob.svg.png

It's a little unclear what you are asking for, but, assuming example.com has IP A and your "real" web server has IP B, then a proxy running on IP A could definitely hide (and protect) all direct access to IP B. In the picture you linked to, the Proxy would be IP A and the Web Server would be IP B.
Now, without other protection (e.g. a firewall or a private internal network), there's nothing that inherently protects either IP from pings or direct access.

Related

Proxmox external VM / CT access

I've just begun the setup of Proxmox for our non-profit educational VPS service. However, the problem we're facing is a lack of IPv4 addresses available to us.
Is it possible to route a sub-domain to the host server's IP address and then get that forwarded to the individual containers accordingly? For example:
SSH root@node-123.w-a-s-d.me
will allow a client with the VM ID of 123 to access their server.
And the same goes for things like node-123.w-a-s-d.me, which would be the web address allowing access to any application running on port 80 for that specific node.
I'm unsure how to go about this and have looked online with no luck. I hope our goal is clear. I look forward to hearing from you. Josh
Exposing SSH that way will not be easy, as you can only have one thing listening on port 22 for any given IP address, and while you could just assign random ports to each VPS and forward them from the primary box which holds the public IP (with the VMs behind NAT), this is not exactly the best solution.
What you may want to do instead is set up one public-facing box that people can SSH into via the public IP and from it SSH to the private machines by their internal IP. Alternatively you can set that box up with OpenVPN and have it assign an internal IP address to anyone connecting via it. While OpenVPN takes more time to set up right, it can come with its own DNS, so when connected to it, calling SSH root@node-123.w-a-s-d.me will automatically route you to the private IP address rather than the shared public-facing one.
With HTTP this is much easier, as you can set up a proxy on the front-facing machine which then proxies requests for a given sub-domain to a specific internal IP address.
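The Host-header proxy described in this answer, and the "proxy on IP A in front of a web server on IP B" idea from the first question above, as an added example that is not part of either post. It is a minimal Python front end that accepts requests on the shared public address, maps node-<id>.w-a-s-d.me to an internal backend and relays the response; the 10.0.0.0/16 internal network and the rule "VM ID n lives at 10.0.0.0 + n" are assumptions for illustration, and any Host that does not match the node pattern is refused rather than forwarded.

```python
import ipaddress
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Assumed addressing scheme (not from the question): VM ID n answers on 10.0.0.0 + n.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/16")
NODE_HOST = re.compile(r"^node-(\d{1,5})\.w-a-s-d\.me$", re.IGNORECASE)


def backend_for_host(host_header):
    """Map a Host header such as node-123.w-a-s-d.me to an internal origin URL.
    Anything that is not exactly a node-<id> name is refused, never forwarded,
    so a crafted Host header cannot steer the proxy at other internal addresses."""
    host = host_header.strip().rsplit(":", 1)[0].rstrip(".")
    m = NODE_HOST.match(host)
    if not m:
        return None
    vmid = int(m.group(1))
    if not 1 <= vmid < INTERNAL_NET.num_addresses - 1:  # skip network/broadcast
        return None
    return f"http://{INTERNAL_NET.network_address + vmid}:80"


class SubdomainProxy(BaseHTTPRequestHandler):
    """Front-end handler: one public IP, requests relayed by Host header."""
    def do_GET(self):
        backend = backend_for_host(self.headers.get("Host", ""))
        if backend is None or not self.path.startswith("/"):
            self.send_error(421)  # Misdirected Request: no node for this Host
            return
        req = Request(backend + self.path, headers={"Host": self.headers["Host"]})
        try:
            with urlopen(req, timeout=10) as resp:
                status, ctype, body = resp.status, resp.headers.get("Content-Type"), resp.read()
        except HTTPError as e:  # backend answered 4xx/5xx: relay it as-is
            status, ctype, body = e.code, e.headers.get("Content-Type"), e.read()
        except URLError:
            self.send_error(502)  # backend unreachable
            return
        self.send_response(status)
        self.send_header("Content-Type", ctype or "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":  # listen on the shared public address
    HTTPServer(("0.0.0.0", 8080), SubdomainProxy).serve_forever()
```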

Why is wamp Apache not allowing APIs to access my www folder?

I have a piece of code where an external API needs to access my "www" folder for images. When I load the URL "http://localhost:8001/images/1.jpg" from the browser, it does show the image. But when I access it through the code it says "connection refused". I have turned off the firewall as well. I also tried using the IP address instead of "localhost". That doesn't work either. Please help.
Remember that the domain name localhost has a special meaning. It always means this PC, or more accurately this network card's loopback address.
I cannot access your PC from here using the domain name localhost, as it will always be looped back to my PC.
If you want an external site to make a call to your PC then there are a number of things you will have to do.
Buy yourself a domain name: you either buy a real one or use a Dynamic DNS service like dyndns.com or noip.com. Or you use your router's WAN IP address.
Then you must amend the httpd.conf file so that Apache allows access from all IP addresses.
Then you must port forward your router so that the NAT firewall allows external accesses on port 80 to be forwarded to the internal PC running Apache, and only that PC.
And possibly amend your software firewall on the Apache PC to allow access from external sources on port 80.

Recaptcha IP addresses

Okay, so we implement Recaptcha in production. We get errors because it can't reach the IP address it needs to use the service. We open a port for the IP address to reach Google. No problem. We do that and configure that IP address explicitly to work. It works great. Then, the next day, we start getting errors again because Recaptcha is using a different IP address. I can allow requests from that IP address, too, but now I'm unsettled. Where are these addresses coming from? How do I configure this to work reliably?
Recaptcha from Google can use any Google IP address, and there are lots of them.
I ran this from Windows:
nslookup -type=TXT _netblocks.google.com
_netblocks.google.com text =
"v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"
That's all the networks Google uses currently. These can change, so check them often.
Google suggests allowing port 80 to all IPs outbound; this is highly insecure. They recommend going through a proxy server, but again that is highly insecure if your web server is in a DMZ. Proxy-aware trojans do exist. All that needs to be done is to exploit a vulnerability to execute arbitrary code, and you can create a reverse connection on port 80 through a proxy server to download the payload. Then it is trivial to escalate privileges and own the box. I don't mean just Windows servers but Linux as well. I've done it in a lab environment with security on. It's really easy to do.
This is the Google website I got this from:
http://code.google.com/p/recaptcha/wiki/FirewallsAndRecaptcha
I wanted to append to this answer with more recent information. The documentation that Chris is pointing to does not include all of the TXT records necessary to dig (thanks Google):
_netblocks2.google.com (IPv6 subnets)
_netblocks3.google.com (Additional IPv4 subnets)
In my particular case, the _netblocks3 entry contained 2 large /19s that made my initial rule ineffective.
(I found additional references here: https://support.google.com/a/answer/60764?hl=en)
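An added illustration, not part of the answers above: the script below follows the include: chain that the appended answer says the original documentation omits (_netblocks, _netblocks2 and _netblocks3), collects the ip4:/ip6: networks into a deduplicated egress allow-list, and lets you check whether a given address is covered. The record names are Google's; the TXT values are constructed stand-ins for `nslookup -type=TXT` output, so the netblocks are illustrative and will not match live DNS.

```python
import ipaddress

# Constructed TXT records standing in for `nslookup -type=TXT <name>` answers.
# Record names are Google's; the netblock values are made up and will not match live DNS.
CONSTRUCTED_TXT = {
    "_spf.google.com": "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
                       "include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ?all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ?all",
    "_netblocks3.google.com": "v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ?all",
}


def spf_netblocks(name, lookup, _seen=None):
    """Collect every ip4:/ip6: network reachable from an SPF record, following include: chains."""
    seen = _seen if _seen is not None else set()
    if name in seen:  # an include: loop would otherwise recurse forever
        return []
    seen.add(name)
    record = lookup(name)
    if not record.startswith("v=spf1"):
        raise ValueError(f"{name}: not an SPF record")
    nets = []
    for term in record.split()[1:]:
        if term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            nets.extend(spf_netblocks(term[8:], lookup, seen))
        # ?all / ~all / -all carry no addresses; other mechanisms are not needed here
    return nets


def allow_list(root="_spf.google.com", lookup=CONSTRUCTED_TXT.__getitem__):
    """Deduplicated networks, IPv4 first, then IPv6, for an egress allow-list."""
    return sorted(set(spf_netblocks(root, lookup)), key=lambda n: (n.version, n))


def covered(addr, nets):
    """True if addr falls inside any network of the allow-list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets if n.version == ip.version)


def iptables_rules(nets, port=80):
    """Render one egress ACCEPT rule per network (feed v4 to iptables, v6 to ip6tables)."""
    return [f"-A OUTPUT -d {n.with_prefixlen} -p tcp --dport {port} -j ACCEPT" for n in nets]
```

Swap the `lookup` argument for a real TXT resolver to run it against live records, and re-run it on a schedule, since the answer notes the netblocks change.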
Perhaps you should be using a hostname rather than IP

Servers Vs Ip address

When I say,
1000 domains are hosted on the same server.
Does it mean that 1000 domains are hosted on the same IP address?
Yes. You configure the server software to correlate the host name to the right service files. This applies to FTP/WWW, etc.
A server can host either virtually by use of the same IP address with different host headers (example.com, sample.com, sub.sample.com), through the use of multiple IPs bound to the server, or a combination of both.
So to answer your question, no, having 1000 domains hosted on the same IP address doesn't mean that they have the same IP address. However, it is possible given the configuration of the sites.
Normally, yes.
There is nothing stopping you from installing another NIC and having another IP address on the machine, but typically, 1000 domains hosted on the same server will be accessible using the same IP address.
Web servers use the host header to determine which site to load when many sites are configured to use the same IP address.
It's possible, with name based virtual hosting, a feature introduced in HTTP 1.1. It causes some problems with really old (corporate) proxies that pretend to only speak HTTP 1.0 and there are SSL related issues, so in general it's not the optimum solution.

Do we have to buy a domain to serve Bugzilla?

I tried putting my IP from whatismyip.com in the urlbase of Bugzilla, but it did not work. I wasn't able to create a new account for my team mate, and he wasn't able to access the server by typing my IP address in his browser. And surely, when I connect again, my IP address will change. Do we have to buy a www address to host Bugzilla?
You can set up a dynamic DNS service, for example via http://www.dyndns.com or http://www.no-ip.com or http://freedns.afraid.org, to solve the changing IP problem without buying a domain (or buying a domain as well, but it's not a requirement).
But the real problem is that your team mate cannot access the server via the current IP address which points to either a misconfiguration of the webserver (listening only on localhost?), to a firewall in between, or most likely, that port forwarding isn't set up in your router for requests coming to your external IP address to be forwarded to the machine where you have Bugzilla set up. Additionally, you must set the urlbase to your local IP address, not to the external IP address, as blak3r says.
Check http://www.portforward.com for instructions on how to do port forwarding. But don't forget that everything mentioned has to be working:
Web server listening to outside requests: This can be tested from the same internal network via the local network IP address (what you see typing in a command line console ipconfig in Windows and ifconfig in Linux). If you can connect from a different machine on the same network via the local IP address, this is solved.
Firewalls (in router and the webserver machine) accepting connections to the web server port: For firewalls in the web server, the same test as above covers it.
Port forwarding so the router forwards the requests received on the web server port to the web server machine: This gets tested in the same way as firewalls in the router, that is, you must have your friend (or yourself from the house of your friend) try to connect to the dyn dns name set up or to the external IP as reported by whatsmyip.org.
This is all assuming your test mate is not on your same network, if he is, just using the local IP address (shown via ipconfig or ifconfig) instead of the external IP address and making sure the first step is covered (web server listening to outside requests) should be enough and nothing else is needed!
You most likely do not have your port 80 forwarded to your machine which is the reason he cannot connect when using the IP that was returned from whatismyip.com.
Assuming you're on a windows box... do
Start->Run->cmd then type
ipconfig
If your address starts with 192.*.*.* or 10.*.*.*, this is your Local Area Network (LAN) IP. If this is the case, then your ISP provided you with a router. Look for a setting called port forwarding or "application setting" which allows you to forward all incoming traffic on your router to a particular IP address. Go into your router's configuration settings and make sure port 80 (and maybe 443 if you're using SSL) is forwarded to your local IP.
The other problem you mentioned is you do not have a static IP. This is a common problem and no you do not need to buy an address. There are several sites which can provide you a free dynamic dns host. Try no-ip.org.
