
I need to do some file migration to Google Drive, and our problem is that during this process Drive needs to contact our images server. We have these images on a regular Apache server listening on port 80.

I tried with some FQDNs in iptables, but whilst it works for the domain, Google reaches us through different proxies every time, making it impossible to whitelist due to the way iptables works. Google proxy syntax: google-proxy-xx-xx.google.com

Is there any way to allow only these subdomains to access our server? Thank you!

Jenny D
rmartinez

2 Answers


We made it work using Squid3 and a port redirection from port 80 to 3128 (the default Squid port) in iptables.

Then we configured the wildcard in the Squid config file following this article: https://kudithipudi.org/2015/12/15/how-to-enable-wildcard-domains-in-squid/

This is the most relevant part from the Squid doc:

# Listen on 3128 as a reverse proxy ("accel") in front of the origin web server
http_port 3128 accel defaultsite=<your server name> vhost
# And the IP address for it - adjust the IP and port if necessary
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=hp
# srcdomain reverse-resolves the connecting client's IP; the leading dot matches any host under google.com
acl <acl-name> srcdomain .google.com
# http_access rules are evaluated in order: keep this allow before the final "http_access deny all" of the stock squid.conf
http_access allow <acl-name>

Where it says <your server name>, change it to your DNS name; if you don't have one, just modify your /etc/hosts file to point it to 127.0.0.1.

Keep in mind that this solution is for Apache servers running on the same machine.

rmartinez

iptables can filter traffic based on static information, so it won't fit your needs.

What you can do is protect your images folder in Apache with an If statement like <If "req('Host')..."> More about this directive here.

Still, it is possible (at least in theory) for an attacker to craft an HTTP request with a header matching exactly your security settings.

  • Thanks for your feedback! I finally managed to do it through a reverse proxy using Squid. I made a redirect from port 80 (where my Apache is) to 3128 (the default Squid port) and I configured a wildcard following this doc: https://kudithipudi.org/2015/12/15/how-to-enable-wildcard-domains-in-squid/ – rmartinez Mar 12 '19 at 09:46
  • That's OK and is equivalent to the answer I gave you. Still, the security issue is to be considered (anyone can craft an HTTP request with a header matching exactly your restrictions). – Soulimane Mammar Mar 12 '19 at 14:10
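Added example, not from the question or either answer: the two Apache 2.4 forms of the access rule side by side, the header-based check the second answer describes (which the comment above correctly flags as forgeable) and a hardened form that decides on the connecting client's address, which is the same property the Squid srcdomain ACL in the first answer relies on. The directory path /var/www/images is an assumption.

```apache
# Assumed image directory; the .google.com suffix is the proxy naming from the question.

# Weak form: the decision rests on a request header. Any client can send
# "Host: google-proxy-11-22.google.com", so this only keeps honest clients out.
<Directory "/var/www/images">
    Require expr "req('Host') =~ /\.google\.com$/"
</Directory>

# Hardened form: mod_authz_host's "host" provider reverse-resolves the client's IP
# and then forward-resolves the returned name, granting access only when that name
# maps back to the same address (double reverse lookup). A forged header changes
# nothing; the client must actually hold the PTR record for its source IP.
<Directory "/var/www/images">
    Require host .google.com
    # Make %h in the access log carry the verified name rather than the raw IP,
    # so denied and allowed requests can be told apart when reviewing logs.
    HostnameLookups Double
</Directory>
```

Only one of the two <Directory> blocks should be present in a live config; they are shown together for comparison.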