Contents
I. General introduction to Dynamic DNS
Dynamic DNS (DDNS) stands for Dynamic Domain Name System. DDNS stands in for a static IP, so users whose ISP does not provide a static IP can still reach their systems remotely.
Dynamic DNS lets services such as a web server, a mail server, internal systems or surveillance cameras at your premises be published on the Internet over an ordinary connection. It keeps a domain name mapped to a WAN IP address that changes from time to time.
Since not every computer has a static IP address, how does Dynamic DNS work?
Every domain name must point to a fixed IP address in the DNS system. Today, however, carriers usually hand out dynamic IP addresses that change on a certain cycle; when the address changes, anything configured against the old fixed IP, such as a web server or another service, stops working.
DDNS was created to overcome this. It maintains the link between the current IP address and the domain name.
DDNS also updates its records flexibly according to what the user actually needs. It works through a program called a Dynamic DNS client that runs on the user's machine.
The Dynamic DNS client watches for any change of the server's IP address.
When the address changes, the client reports the new value to the DNS provider, which updates its database at the same time. So even if the server's IP address changes often, the domain name keeps resolving to the correct, current IP.
Some DDNS providers are free, such as No-IP and Duck DNS, or you can use a paid DDNS service.
II. Advantages and Disadvantages of Limit IP with Dynamic DNS
Advantages
Applying aaPanel's Limit IP together with Dynamic DNS lets small and medium businesses avoid the cost of renting a static IP. For the best security it should only be applied to the internal (office) network, not to mobile devices such as phones and laptops.
In addition, the internal network applies a MAC filter, which further protects the system.
Dynamic DNS can be applied per client or per department to tighten the security of internal connections, so it can serve as a temporary replacement for a VPN.
Disadvantages
It is not flexible for devices outside the internal network: when a phone or laptop with Dynamic DNS enabled moves to another network, that network's WAN IP is automatically added to the whitelist.txt list.
In terms of security, a VPN is better than Dynamic DNS, because what gets whitelisted is the WAN IP assigned by the ISP.
III. Implementation Guide
Step 1: Register with an intermediate DNS provider
In this guide I register with Duck DNS.
Go to the Duck DNS homepage and create a subdomain. For the demo I created the subdomains kythuat and ketoan.
1. Set Up Connection at Client
In the install section of the Duck DNS page, choose the OS platform you need; in this tutorial I use Windows.
Go to etx.ca to install the client-side connector. The server does not have Java, so it has to be installed first.
After selecting the subdomain kythuat.duckdns.org, its details are shown, including the domain and the token.
The client connected successfully to the Duck DNS server as kythuat.duckdns.org.
The subdomain ketoan.duckdns.org is connected in exactly the same way as kythuat.duckdns.org.
2. Implement the IP limit in the web server and allow the IPs listed in whitelist.txt
To protect internal information, system administrators normally allow only fixed IPs, such as a static IP or a VPN IP.
With an ISP-assigned dynamic WAN IP, however, employees would have trouble reaching the system. To get that WAN IP into the whitelist.txt list, you add a bash shell script:
The script uses the dig command, so install bind-utils first:
Install on CentOS:
yum install bind-utils -y
Install on Ubuntu:
apt update
apt install dnsutils
So that each department's list works independently of the other WAN IPs, I configure one script for kythuat.duckdns.org and one for ketoan.duckdns.org.
Create the bash shell script that updates the kythuat IP:
mkdir -p /www/dddns/kythuat /www/dddns/whitelist-ip
vi /www/dddns/kythuat/kythuat.ip

#!/bin/sh
# nginx auto whitelist Dynamic DNS script
AZZ=allow
DDNS="kythuat.duckdns.org"
OUT=/www/dddns/whitelist-ip/kythuat-ip
# Resolve the current WAN IP behind the DDNS name (first A record only)
IP=$(dig +short "$DDNS" A | head -n 1)
# Abort if the lookup failed, otherwise an empty "allow ;" would break the nginx config
[ -z "$IP" ] && exit 1
FRESH="$AZZ $IP;"
# Populate dynamic IP if file doesn't exist
if [ ! -f "$OUT" ]; then
    echo "$FRESH" > "$OUT"
fi
CURRENT=$(cat "$OUT")
# Test if current IP is same as fresh and reload nginx if not
if [ "$CURRENT" != "$FRESH" ]; then
    echo "$FRESH" > "$OUT"
    /www/server/nginx/sbin/nginx -s reload
fi

chmod +x /www/dddns/kythuat/kythuat.ip
Create the bash shell script that updates the ketoan IP:
mkdir -p /www/dddns/ketoan /www/dddns/whitelist-ip
vi /www/dddns/ketoan/ketoan.ip

#!/bin/sh
# nginx auto whitelist Dynamic DNS script
AZZ=allow
DDNS="ketoan.duckdns.org"
OUT=/www/dddns/whitelist-ip/ketoan-ip
# Resolve the current WAN IP behind the DDNS name (first A record only)
IP=$(dig +short "$DDNS" A | head -n 1)
# Abort if the lookup failed, otherwise an empty "allow ;" would break the nginx config
[ -z "$IP" ] && exit 1
FRESH="$AZZ $IP;"
# Populate dynamic IP if file doesn't exist
if [ ! -f "$OUT" ]; then
    echo "$FRESH" > "$OUT"
fi
CURRENT=$(cat "$OUT")
# Test if current IP is same as fresh and reload nginx if not
if [ "$CURRENT" != "$FRESH" ]; then
    echo "$FRESH" > "$OUT"
    /www/server/nginx/sbin/nginx -s reload
fi

chmod +x /www/dddns/ketoan/ketoan.ip
2.1 Include the updated whitelist-ip files in the PHP-FPM configuration through whitelist-ip.txt
mkdir -p /www/dddns/conf
cat > "/www/dddns/conf/whitelist-ip.txt" << END
include /www/dddns/whitelist-ip/ketoan-ip;
include /www/dddns/whitelist-ip/kythuat-ip;
END
In aaPanel with PHP 7.4 the relevant file is /www/server/nginx/conf/enable-php-74.conf.
Back it up before editing:
cp /www/server/nginx/conf/enable-php-74.conf /www/server/nginx/conf/enable-php-74.conf.bak
vi /www/server/nginx/conf/enable-php-74.conf

location ~ [^/]\.php(/|$)
{
    include /www/dddns/conf/whitelist-ip.txt;
    deny all;
    try_files $uri =404;
    fastcgi_pass unix:/tmp/php-cgi-74.sock;
    fastcgi_index index.php;
    include fastcgi.conf;
    include pathinfo.conf;
    #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #fastcgi_split_path_info ^(.+\.php)(.*)$;
}

Because the allow and deny directives sit inside the PHP location block, only requests for .php files are restricted; static files of the site are still served to everyone.
To pick up a changed WAN IP or a new VPN IP, run the update manually as shown below or wait 5 minutes for the automatic update:
2.2 Set up a cron job to push the new IP into whitelist-ip.txt
cat > "/www/cron-update-whitelist-ip.sh" << END
#!/bin/sh
sh /www/dddns/ketoan/ketoan.ip
sh /www/dddns/kythuat/kythuat.ip
END
chmod +x /www/cron-update-whitelist-ip.sh
You can set this up with the cron feature built into aaPanel:
If you cannot access the website you will get a 403 error as shown below. Wait about 1 minute for cron to update the IP, then access works normally again.
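The whole update chain of sections 2 and 2.2 (resolve each Duck DNS name, rewrite the per-department include file, reload nginx) as one added Python script. This is example code, not part of the guide or of aaPanel; it adds what the shell version lacks: the resolved value is checked to be a usable IPv4 address, a failed lookup leaves the previous whitelist in place, the file is swapped atomically, and nginx is reloaded only after nginx -t passes. The nginx binary path /www/server/nginx/sbin/nginx is an assumption.

```python
import ipaddress
import subprocess
from pathlib import Path

# Department -> Duck DNS hostname; output files and paths follow the guide
DEPARTMENTS = {"kythuat": "kythuat.duckdns.org", "ketoan": "ketoan.duckdns.org"}
WHITELIST_DIR = Path("/www/dddns/whitelist-ip")
NGINX = "/www/server/nginx/sbin/nginx"  # assumed aaPanel nginx binary path

def resolve_a(hostname):
    """A records for hostname via `dig +short`; empty list if resolution fails."""
    out = subprocess.run(["dig", "+short", hostname, "A"], capture_output=True, text=True)
    return out.stdout.split()

def valid_ipv4(value):
    """Accept only a unicast IPv4 address; reject 0.0.0.0, loopback, multicast and garbage."""
    try:
        ip = ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return not (ip.is_unspecified or ip.is_loopback or ip.is_multicast or ip.is_reserved)

def render_allow(hostname, ips):
    """One 'allow' per valid address, or None so an empty 'allow ;' is never written."""
    good = sorted({ip for ip in ips if valid_ipv4(ip)})
    if not good:
        return None
    return "\n".join([f"# {hostname}"] + [f"allow {ip};" for ip in good]) + "\n"

def sync_department(name, hostname, resolver=resolve_a, base=WHITELIST_DIR):
    """Rewrite <base>/<name>-ip only when the address changed; return True if rewritten."""
    content = render_allow(hostname, resolver(hostname))
    if content is None:
        return False  # failed lookup keeps the old whitelist instead of locking staff out
    target = base / f"{name}-ip"
    if target.exists() and target.read_text() == content:
        return False
    tmp = target.with_name(target.name + ".tmp")
    tmp.write_text(content)
    tmp.replace(target)  # atomic swap: nginx never includes a half-written file
    return True

def main():
    WHITELIST_DIR.mkdir(parents=True, exist_ok=True)
    if any([sync_department(n, h) for n, h in DEPARTMENTS.items()]):
        # Reload only if the whole config still parses, so a bad include cannot stop nginx
        if subprocess.run([NGINX, "-t"]).returncode == 0:
            subprocess.run([NGINX, "-s", "reload"], check=True)
if __name__ == "__main__":
    main()
```

Run it from the same cron entry in place of cron-update-whitelist-ip.sh; the files it writes are the ones whitelist-ip.txt already includes.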
If you need assistance, you can contact support in the ways below:
- Hotline 247: 028 888 24768 (Ext 0)
- Ticket/Email: send a message from the email address you registered the service with directly to: support@azdigi.com.