[Solved] Regarding internal port number being exposed on scan
This query is related to lighttpd.conf (for version 1.4.48).
Lighttpd.conf has the following server configuration:
    proxy.server = (
        "/app-ui" => (
            "node" => (
                "host" => "127.0.0.1",
                "port" => 8668
            )
        )
    )
Here 8668 is the port number which is internal to the application server, but on scanning for open ports, 8668 got exposed to the customer, and it allows login with the URL https://server-ip:8668 instead of the actual URL https://server-ip/app-ui/.
Is there a lighttpd configuration setting to not expose internal ports to the external world (like port scanners)?
According to the config you have shared, lighttpd is configured to proxy back to 127.0.0.1 port 8668, but lighttpd is not configured to start whatever backend is listening on that IP and port.
Therefore, this is not due to lighttpd in any way.
Instead, it sounds like you have misconfigured the backend daemon to listen on * instead of listening only on 127.0.0.1.
Thank you Gstrauss.
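
One way to confirm the diagnosis given in the answer, as an added example that is not part of the original thread: the function below reads `ss -ltn` output and reports whether a port such as 8668 is bound only to loopback or to a wildcard/external address. The function and sample names are hypothetical, and the sample `ss` output is constructed.

```shell
#!/bin/sh
# classify_listener PORT: read `ss -ltn` output on stdin and print how PORT is bound:
#   loopback-only | exposed | not-listening
# (function and sample names are hypothetical, chosen for this example)
classify_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")           # $4 is Local Address:Port
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            gsub(/^\[|\]$/, "", addr)           # [::1] -> ::1
            sub(/%.*$/, "", addr)               # 127.0.0.53%lo -> 127.0.0.53
            found = 1
            # A bind address other than loopback accepts connections from
            # other hosts (unless a firewall blocks them).
            if (addr !~ /^127\./ && addr != "::1" && addr !~ /^::ffff:127\./) {
                exposed = 1
            }
        }
        END {
            if (!found)        print "not-listening"
            else if (exposed)  print "exposed"
            else               print "loopback-only"
        }'
}

# Constructed sample: backend bound to the wildcard address (the situation in the question)
sample_misconfigured() {
cat <<'EOF'
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      128                *:8668             *:*
EOF
}

# Constructed sample: backend bound to 127.0.0.1 only (what the proxy config expects)
sample_fixed() {
cat <<'EOF'
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      128        127.0.0.1:8668       0.0.0.0:*
EOF
}

echo "backend on *:8668         -> $(sample_misconfigured | classify_listener 8668)"
echo "backend on 127.0.0.1:8668 -> $(sample_fixed | classify_listener 8668)"
# On a real host: ss -ltnH | classify_listener 8668
```

An `exposed` result for 8668 points at the backend daemon's own bind address setting, not at lighttpd.conf.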