4

I have a server that I can access in browser through the domain name (secured with SSL) and the server IP address.

I would like to disable access with the server IP address:
http://123.45.678.901/ and https://123.45.678.901/

How can I do that?

Miguel Bocquier

4 Answers

1

OK, found the complete solution here via an htaccess file and 2 rules:

RULE 1: Redirect all requests to secure HTTPS access (including IP request http://123.45.678.901)

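RewriteEngine On
# Any plain-HTTP request (whatever the Host, including the bare IP) goes to the HTTPS site
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://domain.com/$1 [L,R=301,QSA]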

RULE 2: If the domain or subdomain is not exactly domain.com, redirect to the bare domain (mandatory to catch https://123.45.678.901/any-page for example)
Using "redirect all wildcard subdomains to root domain"

# Any Host header other than exactly domain.com (IP address, subdomain) is redirected
RewriteCond %{HTTP_HOST} !^domain\.com$ [NC]
RewriteRule (.*) https://domain.com/$1 [L,R=302,QSA]

All test results here:

http://123.45.678.901/ > now redirect to https://domain.com/  
https://123.45.678.901/ > now redirect to https://domain.com/  
http://123.45.678.901/any-page > 404 > https://domain.com/index.php?p=any-page  
https://123.45.678.901/any-page > 404 > https://domain.com/index.php?p=any-page  
Miguel Bocquier
  • Thank you very much, .htaccess worked for me, but the same thing could be achieved at the virtualhost level. According to the Apache documentation, the use of .htaccess should be avoided: 'You should avoid using .htaccess files entirely if you have access to the main httpd configuration file. Using .htaccess files slows down your Apache http server. Any directive you can include in an .htaccess file will be better configured inside a Directory section, it will have the same effect and better performance.' – bl3ssedc0de Dec 05 '22 at 06:25
0

What are you trying to accomplish by blocking the IP access to the website? It is really the same thing. We only use nice looking domain names or host names for the benefit of humans. Whether you type in the domain name or IP is the exact same thing as someone can simply ping your hostname and get the IP address anyway.

If you want to enforce SSL simply do it for the host so that all access attempts require SSL. You can use apache mod_rewrite to accomplish this: https://www.sslshopper.com/apache-redirect-http-to-https.html

What you're asking for may not be possible, unless I'm not understanding the problem correctly. It's like saying I want someone to be able to send mail to my house only using my address but not my postal code, when the postal code effectively gives you the address.

Anyway hope this helped.

Nixman55
  • I came here with the exact same question as migswd. For me, it is a question of security. Many do not realize that their IP could point to phpmyadmin or some other tool that they should not reveal to the world. My IP is currently pointing to a VPN admin tool. Yes, it will ask for credentials, but I don't even want to reveal the fact that I do have something there secured by login. To me it is common sense to make sure that browsing with the IP will do a rewrite to a public site or a general 'forbidden' message. – Jette Oct 20 '20 at 08:16
0

If you want to make it possible for users to access your site (server) through the domain name while accessing the corresponding IP address is disabled in order to disable the access to phpmyadmin through the IP address, it is impossible and not a good way to achieve what you want.

Roughly speaking, a domain name is the human-readable and memorable form of an IP address, and when we type the domain name (e.g., http://google.com) in the browser, the domain name is converted to the corresponding IP address by the DNS (domain name service) server, and the browser tries to connect to the IP address given by DNS. Eventually, trying to connect via domain name and IP address internally works the same way.

To remove access to phpmyadmin from other users and attackers, configuring access control is the right way. Try:

  1. Use secure passwords for mysql users
  2. Limit the permissions of the mysql users according to the purpose of the mysql users. (Using the root user for all purposes and applications is not a good way.)

If you correctly configure the above points, attackers can't access your database even if they know the URL of phpmyadmin.

Han Park
-1

To make sure that a redirect takes place only when someone is browsing with the IP of the server, I did the following (Ubuntu 20.04 - commands and paths may differ if you use another OS):

Create a noip.conf file in the /etc/apache/conf-available/ folder with this content:

<If "%{HTTP_HOST} =~ /12\.34\.56\.78/">
  RewriteEngine on
  RewriteRule ^ http://my.domain.com [L,R=301]
</If>

Enable the configuration and restart apache:

a2enconf noip
apachectl restart

The above will not work if someone types in the IP using https. They will get a "Your connection is not private" message. Then if they click "Proceed to 12.34.56.78", they will get the first matching SSL-enabled virtual host. Make sure that this host is the one you want it to be.

You should also check if other applications on the server are listening on alternative ports, since someone could type in 12.34.56.78:999.

Jette
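
The first-matching-virtual-host behaviour described in the answer above, and the virtual-host-level alternative mentioned in the comment on the .htaccess answer, can be handled with a catch-all virtual host. This is an added example, not configuration from any of the posts: `domain.com` is the page's placeholder, while `catchall.invalid`, the file name and every certificate and document-root path are hypothetical placeholders.

```apache
# 000-catchall.conf (hypothetical name; it must sort before the real site's file)
# Apache serves the first vhost defined for an address:port whenever the
# Host header (or TLS SNI) matches no ServerName/ServerAlias, so the
# catch-all vhosts below are defined first.

# HTTP requests by bare IP or unknown name: refuse, do not redirect.
<VirtualHost *:80>
    ServerName catchall.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# Same for HTTPS. A self-signed placeholder certificate keeps the real
# certificate (and the names in it) away from clients that connect by IP.
<VirtualHost *:443>
    ServerName catchall.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/placeholder/catchall.crt
    SSLCertificateKeyFile /etc/ssl/placeholder/catchall.key
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# The real site answers only to its own name.
<VirtualHost *:80>
    ServerName domain.com
    Redirect permanent / https://domain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName domain.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/placeholder/domain.com.crt
    SSLCertificateKeyFile /etc/ssl/placeholder/domain.com.key
    DocumentRoot /var/www/placeholder-site
</VirtualHost>
```

After `apachectl configtest`, `apachectl -S` lists the virtual hosts per port and marks which one is the default server, which confirms the catch-all is the one that answers requests made by IP.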