best way to block all requests?

i wanna block all requests if someone tries to access my server with the ip address directly. and if possible, i wanna completely hide the server... people shouldn't even know that it exists in that ip address...

what's the best way of doing that? deny all returns 403, that's not what i want... returning 444 works for port 80 but not for 443, you can still see that there's a server and you can even see the ssl certificate (i'm using a dummy cert that i generated for a throwaway domain to hide my actual domain rn)

also, is returning 444 as safe as deny all? is there a disadvantage?

4 thoughts on “best way to block all requests?”

  1. First things first, understand the limitations of what you can do. The internet works by IP address. Your domain name is translated to an IP address, so under the hood, that’s what is getting used. You will never be able to hide the presence of port 80 or 443 being open on the same IP you use with a domain. Nginx can only tell what hostname was used to access the server by inspecting the `Host` header sent by the client after the connection is established.

    Now as for what you CAN do, within nginx config, you can set up different server blocks, and one of them can set the `server_name _;` to respond to requests that use the IP address directly.

    A 403 response code is probably the correct response to send.

    The reason 444 isn’t working with TLS is because nginx doesn’t begin processing the request and cannot read the `Host` header until after the TLS connection has already been set up using the configured certificate. The TCP and TLS session gets set up, then nginx begins the process of serving content. You can’t respond to the request before the connection is negotiated, and nginx doesn’t know what `Host` header was used.

    edit: Through the magic of SNI, nginx actually allows hanging up on SSL connections now! [see this config option](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_reject_handshake)

  2. Posted this in reply to another thread on here.

    default.conf

    server {
        # Catch-all server block: first match for any request whose Host header
        # or SNI name is not a configured server_name (direct IP access included)
        listen 80 default_server;
        listen [::]:80 default_server;
        # "ssl" on the listen directive is required for ssl_reject_handshake to apply
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        # abort the TLS handshake (nginx 1.19.4+) instead of serving any certificate
        ssl_reject_handshake on;

        # 444: close the connection without sending a response (plain HTTP)
        return 444;
    }

    ssl_reject_handshake (available in nginx 1.19.4+) makes visiting https://SERVERIP inaccessible without throwing SSL errors, while 444 instructs NGINX to send no data via http or https via direct IP access. Then I have my regular confs for my website/subdomains.

    As for hiding your server completely, you could try to proxy it. I have my website running on VPS 51.161.1xx.xxx but proxied through another VPS 51.161.2XX.XX, my original IP is never shown (from basic testing.. i’m not an expert so it may show some how, but for an average user, it’s hard to find original IP)

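Putting the two replies above together, here is a complete nginx layout as an added example (not from the original thread or from either commenter): a `default_server` catch-all that hangs up on direct IP and unknown-hostname requests, beside the real site that only answers to its own name. `example.com`, the certificate paths and the document root are placeholders; substitute your own.

```nginx
# Added example, not the thread's own config. Assumed values: example.com,
# /etc/nginx/ssl/* and /var/www/example.com are placeholders.

# Catch-all: selected for any request whose Host header / SNI name does not
# match a configured server_name, which includes direct IP access.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    # "ssl" is required here so the rejection applies to the TLS socket
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    server_name _;

    # Abort the TLS handshake for unknown or missing SNI (nginx 1.19.4+).
    # The client gets a handshake failure and never receives a certificate,
    # so the real domain name on your certificate is not disclosed this way.
    ssl_reject_handshake on;

    # Plain HTTP on port 80: close the connection without any response.
    # (Not reached for TLS clients; the handshake above already ended.)
    return 444;

    # Keep the block empty otherwise: no root, no proxy_pass. Dropping the
    # access log for scanner noise is optional.
    access_log off;
}

# Real site: reached only when the client sends this exact name in SNI/Host.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/nginx/ssl/example.com.fullchain.pem;  # placeholder
    ssl_certificate_key /etc/nginx/ssl/example.com.key;            # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;

    root /var/www/example.com;  # placeholder
}

# Optional: HTTP to HTTPS redirect, again only for the real hostname.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
```

To check the behaviour from another machine, replace `203.0.113.10` (a constructed documentation-range address) with your server's IP: `curl -I http://203.0.113.10/` should report an empty reply, `curl -kI https://203.0.113.10/` should fail during the TLS handshake rather than show a certificate, and `openssl s_client -connect 203.0.113.10:443 -servername example.com` should present the real certificate. Two caveats match what the first reply says: ports 80 and 443 still show as open to a port scan, since the rejection happens after the TCP connection is accepted, and if the real certificate is publicly issued its hostname is already in Certificate Transparency logs, so `ssl_reject_handshake` hides the certificate from direct IP probes but does not by itself make the domain unknowable.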
