How to disable direct https://ipaddress visit?

doudou · September 9, 2016, 10:06am

see title.
How to prohibit https://ipaddress visit the website or using http://ip:443?
How to configure in the docker nginx?

jomaxro · September 9, 2016, 11:57am

I can’t answer how, but I want to ask why?

doudou · September 9, 2016, 12:52pm

the reason is let all traffic go through the name server. you can only just visit from the domain name.

mpalmer · September 9, 2016, 2:34pm

Step 1: get a valid certificate for your IP address.

doudou · September 9, 2016, 4:27pm

ssl was installed. https://mydomain.com can be visited. but https://myip can also be visited with the warning of certification. how to prohibit ip visition？

Falco · September 9, 2016, 4:28pm

Did you try this?

doudou · September 9, 2016, 4:42pm

yes，you got my point. what i mean is how to set up in discourse docker nginx，need rebuild？

Falco · September 9, 2016, 4:46pm

Modifing nginx conf inside the container is done trough the app.yml file.

For an example, see here.

mpalmer · September 9, 2016, 10:42pm

That’s why step 1 is:

That won’t work on HTTPS sites, because all the redirection, hostname checking, etc happens after the SSL negotiation is complete.

riking · September 9, 2016, 11:30pm

Wait, they want to NOT let people visit with just the IP.

Which is a little odd - exactly what harm is this doing, @doudou?

doudou · September 10, 2016, 1:18am

just for prohibition. can this be done in system setting，like firewall？

mpalmer · September 10, 2016, 1:35am

You can’t do what you want to do using a firewall. In order to do what you want to achieve, you must first get a valid, trusted certificate for your server’s IP address. Until you have that, nothing else can be done. Talk to your preferred CA to organise that.

doudou · September 10, 2016, 2:09am

i just want when people visit the website via https://serverip he will get an internal 500 page or nothing at all and cant go on by clicking trust the certification. so i am seaching for the solution on nginx or firewall. any sugguestion？

mpalmer · September 10, 2016, 2:10am

It can’t be done unless you have a valid, trusted cert for your IP address. This is why I keep telling you to get a valid, trusted certificate for your server’s IP address.

elijah · September 10, 2016, 3:30am

Nah, I think @doudou here would be happy if, after they clicked past the bad cert warning, then they got the 500 page.

So a 99-year self-signed cert for the IP address would be fine.

One of many how-to guides for that: http://www.cyberciti.biz/faq/nginx-self-signed-certificate-tutorial-on-centos-redhat-linux/

doudou · September 10, 2016, 4:06am

this could not be intergreted with domain name and with discourse using self sign and public CA

elijah · September 10, 2016, 6:48am

With SNI, you can have multiple certificates. During the SSL negotiation the browser tells the server what name it is trying to reach, and the server returns the appropriate cert. The link I provided appeared to have instructions for SNI under nginx. Your regular site could use your regular cert.

Topic		Replies	Views
How to forbid direct IP visit to discourse? installation	5	1257	April 21, 2015
Using Docker, stop server from responding to IP address (instead of hostname) installation	0	329	March 10, 2023
How to disable access to anyone not coming from a specific IP address installation	9	1768	May 13, 2019
Forcing access to Discourse via domain name only installation	4	861	October 5, 2017
Setting a custom IP doesn't work? installation unsupported-install	14	599	September 7, 2023

How to disable direct https://ipaddress visit?

Related Topics