Home / server / Questions / 484607
Accepted
Iraklis
Asked: 2013-03-05 13:34:42 +0800 CST

What's the most effective way to block incoming HTTP/HTTPS requests from an old domain name?

  • 772

A own a dedicated CentOS box that uses lighttpd to serve www.newdomain.com. However, the same IP used to host an old domain www.olddomain.com.

The box still gets requests for www.olddomain.com.

What's the most effective way to block those requests?

  • Through an iptables rule
  • By a rule in lighttpd
  • Adding a hosts.deny
  • Another option that haven't thought of

Note: I do not have access to the name servers or the domain records of www.olddomain.com

iptables

5 Answers

  1. Best Answer

    Create a virtual host for the old domain with an empty directory as the root (which will just serve 404s).

    • 5

  2. Use iptables string module. Although this is not the most recommended way of doing it, you might need to consider it as you seem interested in blocking it completely. The string module requires a linux kernel >= 2.6.14

    The rule would be like this -

    /sbin/iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string "www.olddomain.com" -j DROP

    But remember, this might end up blocking legitimate traffic. You have to confirm that your old domain does not appear in any of the url request for all the sites in your domain.

    • 3

  3. Based on your response to my comment, I would use iptables or a hardware device to drop the packets. Using iptables will save your web service from having to process the request. Using a different hardware device such as firewall would be a better option since they are much faster at this and then it never hits your server.

    • 1

  4. The best way would be to do it at the firewall level (such as iptables, with string modules) because you consume less ressources than doing it on a 'web server' service such as lighttpd, nginx, etc

    However, your original request mentioned HTTPS. This is a bit more tricky because you are using the same IPs and you can only decrypt the https header ONCE you give it your side of the certificate (ie: you won't know for which domain it is for, before you pass it to a load balancer or a web server [1]).

    So I would suggest you simply catch them at the webserver level. You could also craft a basic 301 (permanently moved) reply and redirect them toward somewhere else. In time, the search engine won't send you traffic anymore.

    [1]. Note, there's a way, through the SNI (server name identification) SSL extension, but this is getting a bit more tricky.

    • 1

  5. If www.newdomain.com is the default, chances are the web server will use it to answer requests for any domain.

    Configure your web server to only respond to www.newdomain.com and ignore everything else.

    (I haven't used lighttpd in a while, you'll need to look up the syntax.)

    • 0