Question

Prevent access to load balancer through IP address

I have a managed Digital Ocean load balancer which works well directing traffic between two droplets.

However, if I access the IP address in the browser like this: https://xx.xxx.xx.xxx/ I receive an nginx 404 error and an SSL cert warning.

This has been raised on a security audit. I want to disallow any access to the load balancer through the IP address and only allow access through the domain.

Any ideas would be appreciated. Many thanks, Matthew



alexdo
Site Moderator
July 10, 2023

Heya,

You may consider setting up your DNS records so that your website can only be accessed via the domain name. This configuration deploys the Domain Name System (DNS) to resolve your site’s domain name to the IP address of your load balancer, hence rendering direct IP access non-permissible.

Please do note that this might not entirely prevent someone from bypassing DNS and directly accessing your site via the IP; however, they will encounter the SSL warning because the SSL certificate is issued for your domain and not for your IP address.

You can find more details about setting up DNS here: DigitalOcean DNS Documentation

I hope that this helps!

Bobby Iliev
Site Moderator
July 6, 2023

Hi Matthew,

Currently, you can’t directly restrict access to the IP address of your load balancer, but in this case you can do that on the Droplet level by configuring your application or web server (NGINX in this case) to only respond to requests made to the domain name, and to ignore any requests made directly to the IP address.

Here is an example of how you can do this in NGINX:

server {
    listen 80 default_server;   # catch-all for requests whose Host header matches no other block (e.g. the bare IP)
    server_name _;              # placeholder name that never matches a real hostname
    return 444;                 # NGINX-specific code: close the connection without sending a response
}

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    # the rest of your configuration goes here
}

The first server block listens for requests without a Host header or with a Host header which doesn’t match any other server blocks. It responds to such requests with a 444 status code, which tells NGINX to close the connection immediately.

The second server block listens for requests that are made to yourdomain.com or www.yourdomain.com. It will handle these requests according to the configuration specified in that block.

You can do the same thing for port 443 as well:

server {
    listen 443 ssl default_server;
    server_name _;
    # an ssl server block must reference a certificate, so a self-signed placeholder is used here
    ssl_certificate /etc/ssl/certs/dummy.crt;
    ssl_certificate_key /etc/ssl/private/dummy.key;
    return 444;                 # the client still sees the placeholder cert during the handshake before NGINX closes the connection
}

server {
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;
    ssl_certificate /etc/ssl/certs/yourdomain.crt;
    ssl_certificate_key /etc/ssl/private/yourdomain.key;
    # the rest of your configuration goes here
}

Let me know how it goes!

Best,

Bobby
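A small config check, added here and not part of Bobby's answer, that scans an NGINX config for listen ports that serve a named vhost but lack a default_server block returning 444 (the pattern shown above); the config text is a constructed sample and the code assumes Python 3.8+.

```python
import re

# Constructed sample: port 80 has the catch-all, port 443 only has the named vhost.
SAMPLE_CONF = """
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
server {
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;
    location / { proxy_pass http://127.0.0.1:8080; }
}
"""
CATCHALL_443 = """
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate /etc/ssl/certs/dummy.crt;
    ssl_certificate_key /etc/ssl/private/dummy.key;
    return 444;
}
"""

def server_bodies(conf):
    """Yield the inside of each server { ... } block, tracking brace depth so nested location { } blocks do not end it early."""
    i = 0
    while (m := re.search(r"\bserver\s*\{", conf[i:])):
        start = i + m.end()
        depth, j = 1, start
        while depth and j < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[j], 0)
            j += 1
        yield conf[start:j - 1]
        i = j

def missing_catchall(conf):
    """Listen ports with a vhost but no default_server block that returns 444."""
    used, covered = set(), set()
    for body in server_bodies(conf):
        ports, is_default = set(), False
        for m in re.finditer(r"^\s*listen\s+([^;]+);", body, re.M):
            args = m.group(1).split()
            ports.add(args[0].rsplit(":", 1)[-1])  # "[::]:443" -> "443"
            is_default |= "default_server" in args
        used |= ports
        if is_default and re.search(r"^\s*return\s+444\b", body, re.M):
            covered |= ports
    return sorted(used - covered)
```

Running it on SAMPLE_CONF reports ['443']; appending CATCHALL_443 makes the report empty.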
