Block HTTPS traffic to external without host header

Is it possible to prevent someone from going to our external address directly?

Right now our external IP xx.xx.xx.xx will attempt to take you to our virtual https server causing an SSL error because no host header is passed.

  • 9.3X added access control to Site Path Routing:

    Access control: If selected, you can allow or block specific client networks for the Virtual
    Webserver. Clients only get access when their IPs are listed in the Allowed networks list.
    IPs in the Denied networks list will be blocked. If both lists are empty no one will be able to
    connect to the Virtual Webserver. If you want to block only specific networks, allow Any
    and select or add Denied networks. If you want to allow specific networks only, you need
    to select or add Allowed networks and leave Denied networks empty.

    The other method would be a blackhole DNAT. It's exactly the same as a regular DNAT, with two differences. "For traffic from", place a host definition for a single IP to be blocked or a network definition for a netblock. "Change the destination to", put a host definition for an address that does NOT exist on your network. If your network is 192.168.2.0/24, use 192.168.3.1, as an example. As the host doesn't exist, the traffic will go down a "blackhole". :)
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
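The Allowed/Denied evaluation quoted above, written out as an added example for this thread (it is not code from Sophos or from the poster). It assumes the `Any` network object behaves like 0.0.0.0/0 plus ::/0 and that a Denied match takes precedence over an Allowed match when a client falls in both; the client addresses in the demo are constructed documentation-range values.

```python
import ipaddress
from typing import Iterable, Tuple

ANY = "Any"  # stands in for the UTM "Any" network object (assumption)


def _parse(nets: Iterable[str]):
    """Turn list entries into ip_network objects; "Any" covers v4 and v6."""
    out = []
    for n in nets:
        if n == ANY:
            out.append(ipaddress.ip_network("0.0.0.0/0"))
            out.append(ipaddress.ip_network("::/0"))
        else:
            # a bare host such as 203.0.113.7 becomes a /32 (or /128)
            out.append(ipaddress.ip_network(n, strict=False))
    return out


def _matches(ip, nets) -> bool:
    # membership across address families is simply False in ipaddress
    return any(ip in n for n in nets)


def decide(client_ip: str, allowed: Iterable[str] = (),
           denied: Iterable[str] = ()) -> Tuple[bool, str]:
    """Return (permitted, reason) for one client under the documented rules."""
    ip = ipaddress.ip_address(client_ip)
    allowed_nets = _parse(allowed)
    denied_nets = _parse(denied)
    if not allowed_nets and not denied_nets:
        # documented edge case: both lists empty means nobody connects
        return False, "both lists empty: nobody may connect"
    if _matches(ip, denied_nets):
        # assumption: a Denied entry wins over an Allowed entry
        return False, "listed in Denied networks"
    if _matches(ip, allowed_nets):
        return True, "listed in Allowed networks"
    return False, "not in Allowed networks"


def client_allowed(client_ip: str, allowed: Iterable[str] = (),
                   denied: Iterable[str] = ()) -> bool:
    return decide(client_ip, allowed, denied)[0]


def audit(allowed: Iterable[str], denied: Iterable[str],
          client_ips: Iterable[str]) -> dict:
    """Map each client address to the decision, e.g. to review a proposed policy."""
    return {ip: decide(ip, allowed, denied) for ip in client_ips}


if __name__ == "__main__":
    # constructed sample clients, not real traffic
    clients = ["203.0.113.7", "198.51.100.9", "2001:db8::1"]
    scenarios = {
        "both lists empty": ([], []),
        "allow Any, deny one netblock": ([ANY], ["203.0.113.0/24"]),
        "allow one netblock only": (["198.51.100.0/24"], []),
    }
    for name, (allow, deny) in scenarios.items():
        print(f"== {name}")
        for ip, (ok, why) in audit(allow, deny, clients).items():
            print(f"  {ip:<16} {'ALLOW' if ok else 'BLOCK':<5} ({why})")
```

The three scenarios in the demo are the three configurations the quoted text describes; the first one is worth keeping in mind, since an empty pair of lists locks everyone out rather than leaving the virtual webserver open.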