Open proxy warning from DigitalOcean Topic is solved

[SCelik]

Hi,

I've recently had a warning from DigitalOcean about my Vesta server.

Hi there,

During a recent review of our IP Space, we detected what appears to be a potentially open proxy on one or more IPs in use by your account. Open proxies are often used by malicious entities to SPAM, commit fraud, and engage in other illegal activities while attempting to mask their original location.

Here's the IP address in question:

x.x.x.x

To replicate our tests and check to see if your server is currently a potentially open proxy, see:
https://www.digitalocean.com/community/ ... open-proxy

Do i have to block port 8080?

While waiting for firewall module, do you suggest iptables rules for quick fix this issue?

Thanks...

[SCelik]

Is it ok with this rule?

iptables -A INPUT -p tcp --dport 8080 -j DROP

Does this rule breake anything?

Edit: It breakes everything. :(

[demlasjr]

Is it ok with this rule?

iptables -A INPUT -p tcp --dport 8080 -j DROP

Does this rule breake anything?

Edit: It breakes everything. :(

You can try something like:

iptables -A INPUT ! -s 127.0.0.1 -p tcp -m tcp --dport 8080 -j DROP

This will block 8080 from external access, but will leave it for localhost (nginx need to read from that port, if you close it, nginx will have no access.

[imperio]

8080
this port for apache (backend)

[SCelik]

Thank you demlasjr,

But it didn't worked becouse of vesta's apache config.

Vesta configures apache with external ip. So i changed 127.0.0.1 with server's ip and i think it's ok now.

It is good idea for vesta to listen 127.0.0.1 on apache?

[demlasjr]

Thank you demlasjr,

But it didn't worked becouse of vesta's apache config.

Vesta configures apache with external ip. So i changed 127.0.0.1 with server's ip and i think it's ok now.

It is good idea for vesta to listen 127.0.0.1 on apache?

I forgot that Apache is configured with external ip. I'm using CSF as firewall and it blocked that port automatically.

What do you mean with "vesta listening 127.0.0.1 on apache"? If you refer to listening on external ip or directly on localhost, there is no difference. Of course...normally the firewall doesn't affect localhost (you can't block localhost port from localhost). Otherwise you need to always use the firewall and take care not to block the ports you need.

[SCelik]

Normally on Nginx + Apache configurations, nginx listens on port 80 with external ip and apache listens on port 8080 with localhost.

So you don't need to block any connection on port 8080 because it listens only from 127.0.0.1

For example: https://www.digitalocean.com/community/ ... for-apache

On vesta, apache and nginx both are configured to listen on external ip. So the connection from nginx to apache is not going on loopback interface as you can see from logs.

I changed your rule from 127.0.0.1 to my servers external ip and it worked. (because the source ip for nginx -> apache connection is not on loopback interface)

And for a feature request, i suggest that next releases apache configs can be set to listen on 127.0.0.1

[demlasjr]

I don't know if you can't access domain.com:8080. There are servers which let you access website bypassing nginx by adding 8080 to the link. I haven't tried with VestaCP, because I already set the firewall before