1

I can't find a resource for this anywhere online; all I see are references for nginx.

I need help with this quickly, as my server is live with users accessing it, and somehow Google indexed my IP address and users are accessing my site through my IP.

I plan to migrate servers tonight and am aware of why my IP was indexed, but in the meantime I need a method to prevent direct access via my IP.

This obviously isn't working, and I don't have much room to test unless I stop the server and kick all of my users off for an extended period of time:

```javascript
app.get('myiphere', function(req, res){
    res.redirect('domain.com');
});
```
  • What exactly are you concerned about? ALL connections to your server are via your IP address. TCP connections only work to IP addresses. If one has only a domain, then you use DNS to get an IP address that corresponds to that domain and then you make a connection to the IP address. That's how TCP works (which is the transport for HTTP). – jfriend00 Jun 13 '21 at 20:05
  • @jfriend00 I understand how IPs work in relation to DNS and the internet. But it's my understanding that it's not good to have your IP exposed to the internet? Does this not make you susceptible to certain types of attacks? If someone has access to my server's IP they can just bypass Cloudflare DDoS protection and DDoS my server directly, can they not? – user2079164 Jun 13 '21 at 21:09
  • The IP address that you have in DNS should already go through all the Cloudflare protection and infrastructure. Everyone HAS to access your server via that IP address. If people are directly accessing your server via some other IP address that isn't the one in DNS (some IP that isn't supposed to be publicly accessible), then you need to fix that with appropriate firewall rules or whatever. – jfriend00 Jun 13 '21 at 23:53
  • FYI, a typical hosting infrastructure will have your server's actual IP address NOT accessible to the internet. Instead, your DNS entry for your hostname will have an IP address that points at some sort of proxy in the hosting infrastructure which will implement various security features and then route the request to your server's actual private IP address on their network. If you're using anything other than a dedicated server that has no other tenants on it, then there will probably be custom ports allocated for you to use too so the server's private IP address can be shared. – jfriend00 Jun 13 '21 at 23:57
  • In this type of hosting infrastructure, it is not possible to directly access your server from the internet and your server has a private IP address. The only way to reach your server from the internet is via some other server (often a proxy) in the hosting provider's infrastructure and it is that server that has a public IP address. – jfriend00 Jun 13 '21 at 23:59
  • It is still not clear exactly what you are observing that you think is a problem and exactly what you are concerned about. – jfriend00 Jun 13 '21 at 23:59
  • Don't want to get ddos – user2079164 Jun 14 '21 at 16:14

3 Answers

1

You can implement an application-level middleware which checks that a request hostname isn't anything other than your domain. That way, access to your site with an IP address wouldn't cause any processing (at the application level).

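```javascript
const SITE_ADDRESS = 'yourwebsite.com';
app.use((req, res, next) => {
  // req.hostname is undefined when the request carries no Host header
  const host = req.hostname || '';
  // Accept the domain itself or one of its subdomains; a plain substring
  // test would also accept names such as yourwebsite.com.example.net
  if (host === SITE_ADDRESS || host.endsWith('.' + SITE_ADDRESS))
    next();
  else
    res.status(403).end(`Access with ${host} is restricted. Use ${SITE_ADDRESS} instead.`);
});
```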
Dorad
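The host check from the answer above, as an added example (not code from the answer or from Express): it compares the raw `Host` header against an exact allowlist, so an IP literal, a look-alike name, or a missing header is refused, and the rejected value is never echoed back. `ALLOWED_HOSTS`, `normalizeHost`, `isAllowedHost`, `requireAllowedHost` and the sample values are assumptions made for illustration.

```javascript
// Added example. The allowlist entries are placeholders for the site's real names.
const ALLOWED_HOSTS = new Set(['yourwebsite.com', 'www.yourwebsite.com']);

// Normalise a raw Host header: lower-case, strip the port and a trailing dot.
// Returns null for a missing or malformed value.
function normalizeHost(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 255) return null;
  let host = raw.trim().toLowerCase();
  if (host.startsWith('[')) return null;             // bracketed IPv6 literal
  host = host.replace(/:\d{1,5}$/, '');              // drop ":port"
  if (host.endsWith('.')) host = host.slice(0, -1);  // "example.com." is the same name
  return /^[a-z0-9.-]+$/.test(host) ? host : null;
}

// True only for an exact allowlist match; IP addresses fail because they are not listed.
function isAllowedHost(raw, allowed = ALLOWED_HOSTS) {
  const host = normalizeHost(raw);
  return host !== null && allowed.has(host);
}

// Express-compatible middleware; uses only Node's own request/response members.
function requireAllowedHost(allowed = ALLOWED_HOSTS) {
  return (req, res, next) => {
    if (isAllowedHost(req.headers.host, allowed)) return next();
    res.statusCode = 403;
    res.setHeader('Content-Type', 'text/plain; charset=utf-8');
    res.end('Forbidden: use the site hostname.');    // fixed body, no reflected input
  };
}

// With an existing Express app (assumed): app.use(requireAllowedHost());

// Constructed sample Host values paired with the decision for each.
function demo() {
  const samples = ['yourwebsite.com', 'WWW.YourWebsite.com:443', 'yourwebsite.com.',
    '203.0.113.10', '203.0.113.10:3000', '[2001:db8::1]:3000',
    'yourwebsite.com.attacker.example', 'notyourwebsite.com', undefined];
  return samples.map((h) => [h, isAllowedHost(h)]);
}
```

A check like this only filters on the header the client chooses to send; limiting which addresses can connect to the origin at all is a firewall matter, as the comments on the question point out.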
1

To prevent direct access to your site from IP you can set the loopback IP this way:

```javascript
app.listen(3000, '127.0.0.1', () => console.log('Server running on port 3000'))
```
sonEtLumiere
0

Prevent indexing by creating a robots.txt at your server root directory. See https://stackoverflow.com/a/390379/11191351

joernneumeyer
  • Thanks for this, also useful, but my question was more so how to prevent direct access to my IP with Express – user2079164 Jun 13 '21 at 21:56
  • 1
    If you are using another webserver in front of node.js (like apache or nginx), then bind the server to `127.0.0.1` or `::1` and configure request forwarding to node.js. If you are just using node.js, it should work if you bind to the hostname of your app, aka the domain of your server. This would require an entry in your `/etc/hosts` with the hostname in it (I think). – joernneumeyer Jun 13 '21 at 22:37