Hi there,
the goal is to make razuna only “visible” to nginx, but not to the “world”. That means:
http://mydomain.tld:8080/razuna is the initial url after installation
http://mydomain.tld/razuna is provided by nginx.
How to make http://mydomain.tld:8080/razuna (with port 8080, from tomcat) inaccessible for direct (browser) calls?
Please see our wiki.razuna.com for the answer to this.
Couldn’t find anything useful regarding that issue - that’s why I’m asking.
Use a firewall to restrict access to other ports than 80
I built 2 scripts to achieve that:
Block port 8080 from outside, but keep local connections through (so nginx can request) - “YOURIPHERE” means your ip to outside, e.g. 1.2.3.4
iptables -A INPUT -s YOURIPHERE -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -j DROP
Unblock port 8080:
iptables -D INPUT -s YOURIPHERE -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -D INPUT -s 127.0.0.1 -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -D INPUT -p tcp -m tcp --dport 8080 -j DROP
If you want to allow more hosts to connect to 8080, just add lines with the corresponding IP or netmask at the beginning! The line
iptables -D INPUT -p tcp -m tcp --dport 8080 -j DROP
must be the last one in your script!