You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Block access to Default/ website when using IP

I'm using OS 10.12 w/Server.app to host several websites. Everything works well.

I found that if I try to access an enabled service via a web server

(i.e. mail.domain.com, cal.domain.com, etc) I get the default website which allows access to profile manager, wiki, Xcode, and user settings. You still need to log in, but it would be better if you weren't even given the chance.

I have set up a site to 'block' access and set up some redirects, and this is satisfactory. I can still access the services by adding /wiki, /profilemanager, etc to the URL.


HOWEVER, if you enter the external IP address in a web browser, you still get the 'Welcome to OS X Server'.

I still need access to default/wiki ,etc but not default/ (the welcome screen).

Does anyone know a way to prevent that screen from showing up?

Mac Pro, macOS Sierra (10.12.1)

Posted on Mar 22, 2018 7:37 AM

Reply
Question marked as Top-ranking reply

Posted on Mar 26, 2018 8:51 AM

You'll need to set up a default site in Server.app for the incoming connection. It seems that whatever the public DNS name of the path into your server, or the public IP address that you're using, doesn't have a web site, so it's getting the default site. If you've got that working locally but not externally, then there's a difference in the host name that the remote client is connecting to as compared with the host name that the local client is connecting to. It's this client-specified host name that's passed over the HTTP or HTTPS connection and it's this string passed from the client that's used to select the web site that Apache httpd server shows to the client.


Given that you're here specifying the public IP address of the server from within the remote client, make that a site or a synonym/alias of the site you want to show. Otherwise, you'll get the default site.


You'll also then decide whether you want to invest some time and effort in sculpting some added rewrite rules into the Apache httpd configuration to mask the specific URLs you don't want external folks to see.


This sort of "leakage" is one of the reasons why folks use an isolated "DMZ" network configuration and separate servers for internal usage and for externally-accessible activities. Also because various web servers have been breached using configuration errors or weak passwords or software vulnerabilities, and attackers have then sometimes gained further access into the underlying server and the rest of its data.


And more generally, the web server and other parts of macOS Server are being deprecated in an upcoming release, so you're also headed for a migration to a different web server on macOS, or to a different server platform.

1 reply
Question marked as Top-ranking reply

Mar 26, 2018 8:51 AM in response to david_p_p

You'll need to set up a default site in Server.app for the incoming connection. It seems that whatever the public DNS name of the path into your server, or the public IP address that you're using, doesn't have a web site, so it's getting the default site. If you've got that working locally but not externally, then there's a difference in the host name that the remote client is connecting to as compared with the host name that the local client is connecting to. It's this client-specified host name that's passed over the HTTP or HTTPS connection and it's this string passed from the client that's used to select the web site that Apache httpd server shows to the client.


Given that you're here specifying the public IP address of the server from within the remote client, make that a site or a synonym/alias of the site you want to show. Otherwise, you'll get the default site.


You'll also then decide whether you want to invest some time and effort in sculpting some added rewrite rules into the Apache httpd configuration to mask the specific URLs you don't want external folks to see.


This sort of "leakage" is one of the reasons why folks use an isolated "DMZ" network configuration and separate servers for internal usage and for externally-accessible activities. Also because various web servers have been breached using configuration errors or weak passwords or software vulnerabilities, and attackers have then sometimes gained further access into the underlying server and the rest of its data.


And more generally, the web server and other parts of macOS Server are being deprecated in an upcoming release, so you're also headed for a migration to a different web server on macOS, or to a different server platform.

Block access to Default/ website when using IP

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.