Protect websites with the power of SSH

This only works on systems that you have control of. If you're on a shared hosting system this is not for you.

This trick uses PuTTY, an SSH connection, and a proxy application to tunnel your browser's internet connection through the web server.

Requirements

PuTTY Setup

  1. Connect to your web server via SSH using PuTTY
  2. Right click along the top title bar of the PuTTY window
  3. Select Change Settings
  4. Along the left sidebar of items go to Connection -> SSH -> Tunnels
  5. In Source port enter 8081 or any port number of your choosing. VLC, Skype, and various other applications commonly use 8080, which may cause conflicts when trying to bind.
  6. Leave Destination blank
  7. Select the Dynamic radio selector
  8. Leave the next row of radio selectors on Auto
  9. Click Add

Browser Setup

Google Chrome

  1. Ensure the Proxy Switchysharp extension or equivalent is installed
  2. Within Google Chrome right click on the Proxy Switchysharp icon in the top right corner and select Options
  3. Make sure you are on the Proxy Profiles tab
  4. Select New Profile
    • Profile Name: 127.0.0.1:8081
    • Manual Configuration
      • SOCKS Host: 127.0.0.1 Port 8081
    • Save
    • Close

Back in Google Chrome, left click on the Proxy Switchysharp icon in the top right and select 127.0.0.1:8081.

Mozilla Firefox

  1. Ensure the Proxy Selector add-on or equivalent is installed
  2. Within Firefox click on the add-on icon in the top right and select Manage Proxies
  3. Click Add
    • Proxy Label: 127.0.0.1:8081
    • Manual proxy configuration
      • SOCKS Host: 127.0.0.1 Port 8081
  4. Click OK

Back in Firefox, click on the Proxy addon icon and select 127.0.0.1:8081.

Confirming Browser Setup

Once you have done that, head over to http://whatismyip.org/ and ensure that the IP address it returns is the same as your web server's IP address.

  • If the IP address is NOT the same as your web server's, the proxy is not working.
  • If you get a message that you can no longer connect to the internet, go back into Proxy options and ensure you put in the same port number that you used during the PuTTY setup phase.

If your IP address does match your web server's IP address, congratulations, the proxy portion is complete.

Now What?

From here, we need to configure the web server software to allow connections only from the web server's own IP address. That way, the only way to reach the protected portion of your website is to connect to the web server over SSH and browse through the proxy.

In the examples below I will assume that 54.56.47.5 is my web server's IP address.

Apache

Apache is fairly straightforward; even a small .htaccess modification will do.

    Order deny,allow
    Deny from all
    Allow from 54.56.47.5

You can also protect a subfolder within a public folder. For example, I want to protect a folder named admin in the root of the main website:

    <Directory /var/www/public_html/admin/>
        RewriteEngine On
        # Apply only to requests for the admin folder
        RewriteCond %{REQUEST_URI} ^/admin(/|$)
        # Match on the TCP peer address only. X-Forwarded-For is a request header
        # supplied by the client, so it must not be used for access control.
        RewriteCond %{REMOTE_ADDR} !^54\.56\.47\.5$
        RewriteRule ^(.*)$ - [R=403,L]
    </Directory>

Restart Apache and try to access the folder you have now protected. If you are still connected to the SSH server with the proxy on, you should have access. If you go to the proxy add-on, switch back to System Proxy (or Direct Connection) and attempt to view the same page, you should get a 403 denied error, or some other type of error depending on server configuration.

If you still have access to the page with the proxy turned off, something isn't right with your Apache configuration. Compare it against the code above and review the changes you have made.

WordPress protection

This is the code required for Apache to protect a WordPress installation:

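    RewriteEngine on
    # Match the login page or anything under wp-admin
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$
    # Match on the TCP peer address only. X-Forwarded-For is a request header
    # supplied by the client, so it must not be used for access control.
    RewriteCond %{REMOTE_ADDR} !^54\.56\.47\.5$
    RewriteRule ^(.*)$ - [R=403,L]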
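
The same restrictions written for Apache 2.4, where Order/Deny/Allow are deprecated in favour of Require. This is an added example, not part of the original page: 54.56.47.5 and /var/www/public_html are the page's example values, and the WordPress install location under that document root is an assumption.

```apache
# Added example: Apache 2.4 (mod_authz_core) form of the rules on this page.
# 54.56.47.5 is the page's example server address.
# Assumption: WordPress is installed directly in /var/www/public_html.
# Place these sections in the server or virtual host configuration.
#
# Require ip matches the address of the connecting client. Request headers
# such as X-Forwarded-For are not consulted unless mod_remoteip has been
# configured to trust a specific upstream proxy.

# Only the admin folder
<Directory "/var/www/public_html/admin">
    Require ip 54.56.47.5
</Directory>

# WordPress dashboard
<Directory "/var/www/public_html/wp-admin">
    Require ip 54.56.47.5

    # Optional: some themes and plugins call admin-ajax.php from public
    # pages. Uncomment only if front-end features break without it.
    #<Files "admin-ajax.php">
    #    Require all granted
    #</Files>
</Directory>

# WordPress login page
<Directory "/var/www/public_html">
    <Files "wp-login.php">
        Require ip 54.56.47.5
    </Files>
</Directory>

# To restrict the whole site instead, this single line in .htaccess
# (needs AllowOverride AuthConfig) replaces the Order/Deny/Allow block:
#   Require ip 54.56.47.5
```

Run apachectl configtest before restarting, then repeat the proxy-on and proxy-off checks described above.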
