
I have 2 heroku apps, one for API server and one for Node.js server. I would like to allow the Node.js server to access api-server.herokuapp.com when doing server-side rendering (since it's faster to access the api server via internal router rather than access it via a custom domain, which needs to pass requests through external DNS).
However, I would also want to restrict access to api-server.herokuapp.com to the Node.js server. That is, browsers cannot access api-server.herokuapp.com. Browsers can only access the API server via the custom API domain. If someone tries to access api-server.herokuapp.com directly, the request will be redirected to the custom API domain.
My question is - How can I tell if the request comes from my Node.js Heroku server and not from other agents? Thanks!

Trantor Liu
  • 8,770
  • 8
  • 44
  • 64

1 Answer


You could try these approaches:

At Linux level

iptables -A block_outgoing -j DROP -d blah.com
iptables -A block_outgoing -j DROP -d ww1.blah.com
iptables -A block_outgoing -j DROP -d ww2.blah.com
iptables -A block_outgoing -j DROP -d ww3.blah.com

Reference : https://www.cyberciti.biz/tips/linux-iptables-6-how-to-block-outgoing-access-to-selectedspecific-ip-address.html


At load balancer level (Linux with full control)

If you have a nginx with full control in front of your internal apps:

(image: basic nginx diagram)

Disable api.domain.com public access.

There is no need to restrict access to api.domain.com because these apps are internal, without a public IP. These internal apps can only be consumed from within your LAN network.

Only a specific app is allowed to consume another app

  • You could use nginx Block And Deny IP Address

  allow 10.10.100.20; # Allow a single remote host
  deny all; # Deny everyone else

Reference: https://support.hypernode.com/knowledgebase/blocking-allowing-ip-addresses-in-nginx/

  • CORS

Also you can use Access-Control-Allow-Origin

Reference :

At load balancer level (nginx on heroku)

If you are using nginx as a Heroku app and/or you have full control, you could replicate the previous configuration.

Note: As far as I know:

  • Heroku does not give you an internal ip, only the public domain : *.herokuapp.com
  • You don't have a full linux control in Heroku

At node.js source code

At this level, you could use:

  • CORS

// Express middleware applied to every route before the real handlers run
app.all('/*', function(req, res, next) {
  // Origins permitted to make cross-origin requests from a browser
  res.header("Access-Control-Allow-Origin", "http://domain1.com,http://domain2.com");
  // Request headers the browser is allowed to send on those requests
  res.header("Access-Control-Allow-Headers", "X-Requested-With");
  next(); // hand off to the next middleware / route handler
});

Reference: - https://stackoverflow.com/a/9429405/3957754

  • Host Header

This header value is the host from which the request was made:

var host = req.headers['host'];

So, you just need to implement a custom logic to show an error or redirect for specific hosts.

JRichardsz
  • 14,356
  • 6
  • 59
  • 94