Prevent Unauthorized Domains from Pointing to Our Discourse Instance

We are running a Discourse instance on our server, but we’ve encountered an issue where anyone can take our server’s public IP and create an A record on their own domain, effectively pointing their domain to our forum.

We want to ensure that only our authorized domain can be used to access the forum and prevent unauthorized domains from working.

What are the recommended ways to enforce domain restrictions in Discourse? Is there a configuration, Nginx setting, or other method to achieve this?

Any guidance would be appreciated.

1 Like

Are you using a standard install? By default discourse redirects to the hostname.

4 Likes

How would that play any role? OP suggests now that everyone can mess up practically every web service in the world.

Never mind. That’s why we have to configure hosts for web services. Everywhere, every time, including Discourse.

So, such hijacking is useless, because the right service, web server or whatever, will answer anyway.

1 Like

Thanks @Jagster and @pfaffman - I am working with @Abdelrahman_MoHamed on this.

For my own understanding, if this is our discourse domain:

forum.get.it which points to → 34.170.141.119

And someone sets up, let’s say…

hijack.get.it and points it to → 34.170.141.119

The expected behavior is that when someone types in:

hijack.get.it it will redirect to forum.get.it

Is that correct?

Yes. That’s the expected behavior and it appears to be the actual behavior. As far as I can tell you don’t have a problem. And most browsers will default to https: and https://hijackeddomain.com will generate a certificate error.

1 Like

Yes, but nothing happens. Totally the same thing that you have right now: someone knocking using ssh, bots, etc.

If you set up such a site/forum then yes, they would send visitors who would see whatever you started using that domain. But they can’t hijack your domain, because you are telling the world which nameserver that domain uses and to what IP it is pointing. And there is a web server letting visitors in, if they are requesting such a site you are configured for that domain. If the requested domain doesn’t get anything then the doors stay closed.

1 Like

I understand that was just an example, but that specific situation is impossible, because you own the domain get.it and its nameservers don’t know such DNS that would point to hijack.get.it :smirk:

1 Like

Yes, @Jagster is right. If you own get.it (btw, wow, $$$$$) someone else cannot use your domain just with another subdomain.

1 Like
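If you terminate TLS with your own nginx in front of the Discourse container rather than relying on the default redirect, the host check the replies describe can be made explicit. This is an added example, not configuration from any post in this thread or from the Discourse install scripts; the upstream address 127.0.0.1:8080 and the certificate paths are assumptions, and forum.get.it is the name used above.

```nginx
# Catch-all server: any request whose Host header (or TLS SNI) is not
# forum.get.it lands here. Without an explicit default_server nginx hands
# unknown hosts to the FIRST server block, so hijack.get.it would quietly
# serve the forum under the wrong name.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;

    # Refuse the TLS handshake for unknown names instead of presenting a
    # certificate (needs nginx 1.19.4 or newer; older builds need a
    # placeholder certificate here instead).
    ssl_reject_handshake on;

    # 444 closes the connection without sending a response for plain HTTP.
    return 444;
}

# Plain HTTP for the real name only: send visitors to https.
server {
    listen 80;
    server_name forum.get.it;
    return 301 https://forum.get.it$request_uri;
}

# The only name that is actually served.
server {
    listen 443 ssl;
    server_name forum.get.it;

    # Assumed certificate paths (placeholders).
    ssl_certificate     /etc/letsencrypt/live/forum.get.it/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/forum.get.it/privkey.pem;

    location / {
        # Assumed: the Discourse container is published on this address.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

To verify from the server itself, `curl -sI -H 'Host: hijack.get.it' http://127.0.0.1/` should return an empty reply, while `curl -sI -H 'Host: forum.get.it' http://127.0.0.1/` should return the 301 to https.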