
I’m using Jelastic with two environments, one for my frontend and one for my backend.

Each environment has an Nginx load balancer with an IPv4 address, followed by an application server. For the backend (API), the application server is Spring Boot; for the frontend, it is Node.js.

However, I have added an IPv4 address to each of my application servers so that my deployment scripts have direct access to them.

The concern now is that if I go directly to these IPs, and no longer through the respective load balancers, I can still access my application, but the connection is not secure.

I tried to close the incoming ports 80/443 on the application servers, but it doesn't change anything; I can still access them by IP.

Here is an image that quickly summarizes the problem (the IPs used are not real):

[diagram of the two environments, not reproduced]

Thank you for your help

EDIT:

[screenshot, not reproduced]

2 Answers


  1. You can restrict access to your Spring Boot node by configuring the firewall to allow access only from your load balancer.
    You can follow that documentation.

  2. This behaviour is caused by the nat table PREROUTING chain, which redirects traffic from port 80 to port 8080 on your Spring Boot node.

    This is configured by default by Jelastic for you (so you don't need to do anything to get your application, on port 8080, accessible from the internet), but it means there is a "hidden" part of the firewall rules that actually looks like this at the server level:

    # iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination         
    REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8080
    
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    

    So by the time your traffic reaches the filter table INPUT chain (which is what you see in the Jelastic dashboard UI, and which is processed after nat PREROUTING), your traffic is actually on port 8080, even if your browser request was on port 80 (or even 443, with SSL offload by the LB node).

    To get your desired behaviour, you need to set appropriate rule conditions for port 8080.

    You need to vary the action based on Source:

    • allow requests to 8080 from your load balancer node
    • deny from everywhere else

    (Use the priority to make sure the load balancer ALLOW is above the global DENY!)

    Example:

    [Jelastic dashboard firewall rules screen for the Spring Boot node: a priority 900 ALLOW rule for all traffic from the Load Balancer source, and a priority 1030 "App Port (HTTP)" rule for port 8080 traffic from All sources set to DENY]

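The second answer turns on rule ordering that is easy to get wrong: the nat PREROUTING REDIRECT rewrites the destination port before the filter INPUT rules (the ones shown in the dashboard) are evaluated, so a DENY on port 80 never matches anything, while a source-based ALLOW/DENY pair on port 8080 does, provided the ALLOW has the lower priority number. The following is an added example, not code from the original post or from Jelastic: it models that traversal in plain Python so the two rule sets can be compared side by side. The IP addresses, rule names and the ACCEPT default policy of the INPUT chain are assumptions for the illustration; only the 80 to 8080 REDIRECT is taken from the `iptables -t nat -L` output above.

```python
"""Model of the netfilter path described in the answer.

Added example (not from the original post). Packets first pass the nat
PREROUTING chain, where Jelastic's REDIRECT rewrites dport 80 -> 8080, and
only then the filter INPUT chain, which is what the dashboard rules edit.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

LB_IP = "10.0.0.5"            # constructed: the load balancer node
OUTSIDER_IP = "203.0.113.9"   # constructed: some arbitrary internet host
APP_PORT = 8080               # Spring Boot listens here (from the answer)


def prerouting(dport: int) -> int:
    """nat PREROUTING: REDIRECT tcp dpt:80 -> 8080, exactly as shown by
    `iptables -t nat -L`. Any other port is left untouched."""
    return APP_PORT if dport == 80 else dport


@dataclass(frozen=True)
class Rule:
    """One dashboard firewall rule (filter INPUT). Lower priority number
    is evaluated first; a None dport means 'any port'."""
    priority: int
    name: str
    action: str            # "ALLOW" or "DENY"
    source: str            # CIDR; "0.0.0.0/0" stands for "All sources"
    dport: Optional[int]

    def matches(self, src: str, dport: int) -> bool:
        in_source = ip_address(src) in ip_network(self.source)
        port_ok = self.dport is None or self.dport == dport
        return in_source and port_ok


def filter_input(rules: List[Rule], src: str, dport: int,
                 policy: str = "ALLOW") -> str:
    """First matching rule wins; otherwise the chain policy applies.
    The ACCEPT (here "ALLOW") default is an assumption: the asker could
    reach the node with no rules at all, which is consistent with it."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src, dport):
            return rule.action
    return policy


def verdict(rules: List[Rule], src: str, browser_dport: int) -> str:
    """Full path for one packet: nat PREROUTING, then filter INPUT."""
    return filter_input(rules, src, prerouting(browser_dport))


# What the asker tried: blocking 80/443 in the dashboard. The packet is
# already on 8080 when these are evaluated, so neither rule ever matches.
NAIVE_RULES = [
    Rule(1000, "Block HTTP",  "DENY", "0.0.0.0/0", 80),
    Rule(1001, "Block HTTPS", "DENY", "0.0.0.0/0", 443),
]

# What the answer recommends: allow everything from the LB first (priority
# 900), then deny port 8080 from everywhere else (priority 1030).
FIXED_RULES = [
    Rule(900,  "Allow from Load Balancer", "ALLOW", LB_IP + "/32", None),
    Rule(1030, "App Port (HTTP)",          "DENY",  "0.0.0.0/0", APP_PORT),
]

# Same two rules with the priorities the wrong way round: the global DENY
# now runs before the LB ALLOW and the load balancer itself is locked out.
MISORDERED_RULES = [
    Rule(1100, "Allow from Load Balancer", "ALLOW", LB_IP + "/32", None),
    Rule(1030, "App Port (HTTP)",          "DENY",  "0.0.0.0/0", APP_PORT),
]


if __name__ == "__main__":
    for label, rules in (("naive", NAIVE_RULES), ("fixed", FIXED_RULES),
                         ("misordered", MISORDERED_RULES)):
        print(label,
              "outsider:80 ->", verdict(rules, OUTSIDER_IP, 80),
              "| outsider:8080 ->", verdict(rules, OUTSIDER_IP, 8080),
              "| LB:80 ->", verdict(rules, LB_IP, 80))
```

Running it shows the three situations the answer describes: with the naive rules an outsider on port 80 is still allowed (the DENY on 80 sees a packet that is already on 8080), with the fixed rules only the load balancer gets through on either 80 or 8080, and with the priorities swapped the load balancer is denied along with everyone else. A real deployment should also confirm the effect from the outside (for example a connection attempt to the node's public IP from a host other than the LB) rather than trusting the dashboard view alone.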