How to forbid direct IP visit to discourse?


#1

If only Discourse is installed on a server, and 80 is exposed to the host, how can I forbid direct IP visits to Discourse?

If someone visits the IP address directly, how can I make it return a 500 error?

like:

server {
    listen 80 default;
    server_name _;
    return 500;
}

If the nginx/conf.d/discourse.conf in the docker is changed, is it permanent?

@codinghorror
@sam


(Sam Saffron) #2

Look at our SSL template; it demonstrates how to make a replace rule in pups that amends the nginx config.


#3

Where, in the docker?

But when I add ‘return 500’ in the docker nginx configuration file, it shows an error whether I visit the IP or the domain name.

What should I do?


(Lee_Ars) #4

Why do you want to return a 500 error and not a 403 forbidden?

If you control the firewall this server is behind, dropping the offending IP address there might be easier. Or, you could use iptables on the server itself and drop the IP addresses there without having to bother with Discourse’s configuration—just add a rule onto the input chain, substituting the address or CIDR range you want to block in place of “1.2.3.4”:

iptables -A INPUT -s 1.2.3.4 -j DROP

IMO, if you’re not going to use Discourse’s built-in IP address blacklisting, it’s better to do this kind of thing outside of the Discourse docker container. You get more control and you don’t have to screw with the base Discourse configuration in ways that might conflict with the Discourse team’s future developments.


(Sam Saffron) #5

The Host header needs to be parsed though, so it's not doable in iptables.
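
Added example, not part of the thread and not Discourse's own configuration: a generic nginx sketch of the Host-header split discussed above, with a catch-all block for requests made by bare IP next to the block that serves the site by name. The hostname `forum.example.com` and the upstream address are placeholders assumed for illustration.

```nginx
# Added example; forum.example.com and the upstream address are placeholders.

# Catch-all block. nginx picks the default server for a listen port when the
# request's Host header matches no server_name on that port. A browser that
# opens http://<server-ip>/ sends the IP as its Host header, so it lands here.
server {
    listen 80 default_server;
    server_name _;          # never-matching name; the default_server flag does the work

    # The original post asks for 500; 403 is the status suggested in reply #4.
    return 403;
}

# The site itself. Only requests whose Host header is the site's name are
# routed to this block.
server {
    listen 80;
    server_name forum.example.com;    # placeholder hostname

    # A "return" placed directly at this level would answer every request this
    # block handles, whether the visitor typed the IP or the domain name.
    # The rejection belongs in the separate catch-all block above.

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:3000;    # placeholder upstream, assumed for this sketch
    }
}
```

Running `nginx -t` before reloading checks that the two blocks do not conflict, for example by both claiming `default_server` on the same port.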


(Lee_Ars) #6

I prefer the nuclear option! “No more Discourse! NO MORE ANY WEB SITES AT ALL!”