Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


How to hide Webserver IP?
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

How to hide Webserver IP?

sonicsonic Veteran

I'm running Wordpress blog, I want to hide webserver IP, here they way i do:

Visitor --> Cloudflare --> Nginx reverse proxy --> Webserver
Mail is disabled, use external SMTP

It looks nice, but i have a question: Can someone leak real IP when I allow them upload media in Wordpress?

Comments

  • sonicsonic Veteran

    One more question, is it posible to build wordpress blog with external editor panel (wp-admin) ?

    I know one wordpress which has external wp-admin , ex:

    Main site: domain.com/wp-admin
    Editor site: editor.domain.com/wp-admin

    Contributor can post, edit from editor site and post will appear in main site

    P/S: sorry for my bad English

  • rokokrokok Member

    sonic said: Can someone leak real IP when I allow them upload media in Wordpress?

    The NSA knows everything

    Thanked by 3Rapta kkrajk namhuy
  • BochiBochi Member

    @sonic said:
    One more question, is it posible to build wordpress blog with external editor panel (wp-admin) ?

    I know one wordpress which has external wp-admin , ex:

    Main site: domain.com/wp-admin
    Editor site: editor.domain.com/wp-admin

    Contributor can post, edit from editor site and post will appear in main site

    Might as well be just a simple vHost setup (http://stackoverflow.com/questions/3367581/how-to-run-wordpress-admin-on-a-different-subdomain), but otherwise I think this could be achieved with some tinkering and an common/external database.

    Additional ressources might be:

    Thanked by 1sonic
  • bigfbigf Member
    edited March 2015

    @rokok said:
    The NSA knows everything

    well done

  • sonicsonic Veteran

    @bigf said:

    My site is small news site and i'm happy if NSA want to see my data :))
    I just want to hide my IP from hackers :D

  • sonicsonic Veteran

    Plugin in this link isnt updated 2 years and not work with new WP version :D

  • I believe just cloudflare will be sufficient if done right , about uploading , cloudflare allows you to upload files of upto 10MB or something around that size via their network .

    Also , for mail you could use mandrill (free 12k emails per month) instead of using SMTP ,it will also lower the chances of emails from your server to be flagged as spam.

    You could also give Hide my wp a shot as well.

    Thanked by 1sonic
  • sonicsonic Veteran

    @Rolter said:
    I believe just cloudflare will be sufficient if done right , about uploading , cloudflare allows you to upload files of upto 10MB or something around that size via their network .

    Also , for mail you could use mandrill (free 12k emails per month) instead of using SMTP ,it will also lower the chances of emails from your server to be flagged as spam.

    You could also give Hide my wp a shot as well.

    Can contributor know real IP if i allow them upload image to WP gallery?

  • @sonic said:
    Can contributor know real IP if i allow them upload image to WP gallery?

    Your setup is sufficient - they won't know the server's IP.

    Cloudflare on the other hand can and will forward abuse emails to your host, and any other government services can request the server's IP from CloudFlare. You are only hidden from your visitors and/or website contributors.

    Thanked by 1sonic
  • @sonic said:
    Can someone leak real IP when I allow them upload media in Wordpress?

    No.

    Thanked by 1sonic
  • sonicsonic Veteran
    edited March 2015

    @ManofServer said:
    Cloudflare on the other hand can and will forward abuse emails to your host, and any other government services can request the server's IP from CloudFlare. You are only hidden from your visitors and/or website contributors.

    Just want to hide from hackers

  • NomadNomad Member

    Just be sure that any wildcard subdomains or any other subdomains such as ftp, mail etc. doesn't show the real ip. Or your own name servers.

    Thanked by 1sonic
  • @deadbeef said:

    I'm going to disagree with you, it can leak IF you allow wordpress to fetch from remote locations, you can end up leaking it.
    However, if it's wordpress, unless you're hosting something incredibly illegal, then why try to hide?

    Thanked by 2deadbeef sonic
  • KwiceroLTD said: However, if it's wordpress, unless you're hosting something incredibly illegal, then why try to hide?

    He just wants to hide from hackers as mentioned above.

    Thanked by 1sonic
  • sonicsonic Veteran

    I want to hide real IP from hackers, they may ddos real IP if they know. I have filtered IP act as nginx proxy at front end.

  • sonicsonic Veteran

    @KwiceroLTD said:
    However, if it's wordpress, unless you're hosting something incredibly illegal, then why try to hide?

    When contributor post a post with image hosted on their own site, is my IP leaked

  • Once the ip is seen by robots you cant hide it.

    Thanked by 1sonic
  • deadbeefdeadbeef Member
    edited March 2015

    @KwiceroLTD said:
    I'm going to disagree with you, it can leak IF you allow wordpress to fetch from remote locations, you can end up leaking it.

    I stand corrected. I was thinking of the "media" section where you can only upload, but you are right - adding media from inside a post has an "insert from url" feature. Thank you for pointing this and my apologies to the OP for misleading him.

    Thanked by 3sonic KwiceroLTD netomx
  • sonicsonic Veteran

    Then how to disable remote function in WP

  • sonic said: Then how to disable remote function in WP

    rm -rf /directory/to/Wordpress

    Or

    Disable updates and Disable XML-RPC API.

    ^ There may be more to disable, but I haven't used WP in a long time.

    Thanked by 1KwiceroLTD
  • A smtp server usually leaks the backend IP aswell.
    Use a provider that hides the backend IP.

  • To deal with outgoing ip , you could either force your editor(s) to download the image on their device first and then upload it your server or hook a proxy function when fetching any external resource(s) (get a few dirt cheap proxies for a few bucks per month and use them)

    Also i should point that if your server was without cloudflare for a while and you have not changed your servers ip address then your servers reall ip address is probably logged in many whois web directories, if that is the case , you should change your servers ip address.

  • sonicsonic Veteran

    @Rolter said:
    To deal with outgoing ip , you could either force your editor(s) to download the image on their device first and then upload it your server or hook a proxy function when fetching any external resource(s) (get a few dirt cheap proxies for a few bucks per month and use them)

    Also i should point that if your server was without cloudflare for a while and you have not changed your servers ip address then your servers reall ip address is probably logged in many whois web directories, if that is the case , you should change your servers ip address.

    "hook a proxy function when fetching any external resource(s)" < ___ how to do?

    I have nginx reverse proxy front of my webserver, and CF front of nginx proxy, is it OK?

  • RolterRolter Member
    edited March 2015

    About adding a proxy function to wp_remote_get , you will have to look that up , i have never really done it , but i am pretty sure you can hook a proxy function to wp_remote_get.

    You can read more about it here -- https://codex.wordpress.org/Function_Reference/wp_remote_get

    You will be fine , don't overthink ...

  • @Rolter said:
    Haha , forgot about that , you will be fine , even if your ip does get leaked it will be the ip of your nginx reverse proxy , not your main ip.

    Requests initiating from the server won't pass through the reverse proxy ....

    Thanked by 1Rolter
  • tr1cky said: A smtp server usually leaks the backend IP aswell

    i can confirm this, they usually forward your real server ip in the header

  • MrXMrX Member

    Rolter said: Also , for mail you could use mandrill

    Mandrill leaks server IP. There some that don't, such as Mailjet.

    Thanked by 3deadbeef rokok Rolter
  • Use Amazon SES as SMTP

  • Ensure Cloudflare is enabled (check the cloud colors).


    You should be fine

  • @MrX said:
    Mandrill leaks server IP. There some that don't, such as Mailjet.

    Thanks for the heads up, i was thinking of using mandrill ..Looking into mailjet

Sign In or Register to comment.