Network security & redirect settings
The Network Settings page contains all things network-related, in four tabs:
- ActiveProtect™: Protects against denial of service and brute-force attacks
- Firewall: Restricts access to your servers
- Traffic: Allows or denies access from different source IP addresses
- Redirects: Sets server-level redirects for web traffic
What is ActiveProtect™?
All stacks deployed with Cloud 66 are automatically protected against denial of service and brute-force attacks. The ActiveProtect page shows a list of current and past attacks (in the last 24 hours) with information about the source and destination.
Servers deployed with Cloud 66 only allow incoming SSH traffic from known IP addresses. To protect against brute-force SSH attacks, the servers are also configured to only accept SSH keys and not passwords. However, it is possible that user configurations result in vulnerabilities, and for such cases, repeated SSH login attempts are detected and blocked for at least 10 minutes.
Firewall
The Firewall tab allows you to configure and apply firewall rules per server for your application. You can open your firewall temporarily in cases when you need temporary access to your servers by clicking the icon at the top right of the page. This will automatically fill with your current IP address, and allow you to choose the duration of the opening and the server port you wish to access. Doing this avoids the dangers of leaving firewall ports open permanently unnecessarily.
By default, Cloud 66 gateway servers (e.g. 54.84.166.97) are the only servers allowed SSH (port 22) access to application servers. The default firewall rules include database and web ports appropriate for the application deployed but also includes ports 8080 and 8443 as alternative HTTP ports for WebSocket-based applications like Faye. Editing and removing the default firewall rules is disabled to secure accessibility to the servers at all times.
Add a firewall rule
To add your own rules, click Add a new firewall rule. You can input single IP addresses or ranges, and the drop-down allows you to choose servers by name (e.g. Rails servers).
Microsoft Azure notice
If you want to open a custom port to you server in Microsoft Azure, you must add an endpoint for that VM in your Azure management portal after adding the rule in your Cloud 66 dashboard.
Configuring traffic rules
By default, all traffic is allowed to visit your web servers on ports 80, 443, 8080 and 8443. The Traffic tab allows you to set rules for this access. Cloud 66 supports 3 kinds of traffic rules:
- “Don’t block” rules prevent trusted IPs from being rate limited
- “Allow access” rules whitelist access from specific IPs (or ranges)
- “Deny access” rules blacklist access from specific IPs (or ranges)
For each of these fields, you can enter a single IP address, a comma-separated list, or range. For example:
23.213.76.19
23.213.76.1/16
23.213.76.19,31.152.18.22,197.222.132.0/24
“Don’t block access from” rules
To help prevent denial of service (DOS) attack, ActiveProtect automatically blocks any IP address that makes more than 1,500 requests per minute to your server(s).
You can use this field to define IP addresses and ranges for which this limit will be ignored. You can also choose not to block any traffic coming from Cloudflare’s edge servers.
Allowed web sources
You can alow (“white list”) specific IP addresses and ranges to access your application. All other IP addresses will be blocked.
“Deny access from” rules
You can block (“black list”) specific IP addresses and/or ranges from visiting the ports mentioned above.
Using network redirects
The Redirects tab helps you perform simple but frequently used network redirects. These include redirecting traffic from HTTP to HTTPS or adding or removing the www prefix from your domain name.
Redirect HTTP to HTTPS
You can easily add your SSL certificates to your stacks and serve your traffic securely with HTTPS. To ensure that all your visitors use HTTPS instead of HTTP, you need to redirect anyone using HTTP to HTTPS.
This works by reconfiguring your Nginx configuration, so any visitor that arrives at port 80 and HTTP will receive a permanent HTTP redirect (301) to the same address on HTTPS.
You can find it in Application Overview → Network settings → Redirects tab
WWW or non-WWW in your URL
Some sites serve traffic on www.domain.com, while others use the bare domain.com. By default, your servers will serve traffic for any DNS record pointing to their address. This setting allows your to redirect visits to www.domain.com to domain.com, and vice-versa. This works by changing your Nginx configuration to permanently redirect (HTTP 301) visitors to the desired address.
You can find it in Application Overview → Network settings → Redirects tab
