Posted to users@httpd.apache.org by Brad Harris <Br...@MascoCabinetry.com> on 2014/06/03 21:05:30 UTC

[users] Only allow access from specific domains?

I've been trying to configure a website to send a 403 forbidden error unless the user comes from a specific website/domain, which is a logon page hosted on another server. Once the user logs on to that page it redirects them to a WordPress site. The server running WordPress is currently running about 7 websites, utilizing the VirtualHost directive. I've tried to make this work using Rewrite Conditions/Rules but it's not 100% working. The problem(s) I'm seeing is that the "ErrorDocument 403 ..." directive is not redirecting the user to the logon page but it's redirecting to the default Apache test page. If I start out on the logon page it works fine... I log in, it redirects me to the WordPress site. The next problem I see is that using these Rewrite rules slows the server down considerably because it's evaluating every single file that the browser accesses. So my question is, what's the best way to keep users from accessing the WordPress site if they don't originate from the logon page? I would much rather accomplish this with Apache than WordPress. Below are my Rewrite rules:

RewriteEngine On
# this is the domain hosting the login page
RewriteCond %{HTTP_REFERER} !logon_domain.com [NC]
# this is the domain hosting the WordPress site
RewriteCond %{HTTP_REFERER} !wordpress_site.com [NC]
RewriteRule .* - [F]
ErrorDocument 403 http://logon_domain.com/Login.aspx

The last line of my rewrite error log:
forcing responsecode 403 for /var/www/html/...

So based on that line in the error log I would assume it's working....it just isn't redirecting, and it's slowing the site down.

Any help would be greatly appreciated!

Thanks,
Brad


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users] Only allow access from specific domains?

Posted by "Walter H." <Wa...@mathemainzel.info>.
On 04.06.2014 14:33, Brad Harris wrote:
>> the match strings are wrong, should be    !^http://....$
> Thanks Walter, I tried your suggestion but get the same result. I inherited this site from another company and I've already let my users know that it's an insecure way of doing it and demonstrated with a simple Chrome extension how easy it is to bypass. Is there another way to do this?
>
yes, session cookies;

Walter


RE: [users] Only allow access from specific domains?

Posted by Brad Harris <Br...@MascoCabinetry.com>.
> the match strings are wrong, should be    !^http://....$

Thanks Walter, I tried your suggestion but get the same result. I inherited this site from another company and I've already let my users know that it's an insecure way of doing it and demonstrated with a simple Chrome extension how easy it is to bypass. Is there another way to do this?

Brad

-----Original Message-----
From: Walter H. [mailto:Walter.H@mathemainzel.info] 
Sent: Wednesday, June 04, 2014 7:12 AM
To: users@httpd.apache.org
Subject: Re: [users] Only allow access from specific domains?

On 03.06.2014 21:05, Brad Harris wrote:
> I've been trying to configure a website to send a 403 forbidden error unless the user comes from a specific website/domain, which is a logon page hosted on another server.
Design error, because the Referer is fakeable and makes the logon page not necessary ...


> RewriteEngine On
> # this is the domain hosting the login page
> RewriteCond %{HTTP_REFERER} !logon_domain.com [NC]
> # this is the domain hosting the WordPress site
> RewriteCond %{HTTP_REFERER} !wordpress_site.com [NC]
> RewriteRule .* - [F]
> ErrorDocument 403 http://logon_domain.com/Login.aspx
>
> The last line of my rewrite error log:
> forcing responsecode 403 for /var/www/html/...
>
the match strings are wrong, should be    !^http://....$

Walter





Re: [users] Only allow access from specific domains?

Posted by "Walter H." <Wa...@mathemainzel.info>.
On 03.06.2014 21:05, Brad Harris wrote:
> I've been trying to configure a website to send a 403 forbidden error unless the user comes from a specific website/domain, which is a logon page hosted on another server.
Design error, because the Referer is fakeable and makes the logon page not necessary ...


> RewriteEngine On
> # this is the domain hosting the login page
> RewriteCond %{HTTP_REFERER} !logon_domain.com [NC]
> # this is the domain hosting the WordPress site
> RewriteCond %{HTTP_REFERER} !wordpress_site.com [NC]
> RewriteRule .* - [F]
> ErrorDocument 403 http://logon_domain.com/Login.aspx
>
> The last line of my rewrite error log:
> forcing responsecode 403 for /var/www/html/...
>
the match strings are wrong, should be    !^http://....$

Walter
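
An added example, not from the thread: one virtual host that combines Brad's Referer conditions with the anchoring Walter suggested above and the session-cookie gate from his later reply. The hostnames are the thread's placeholders; the cookie name site_session and the static-asset exclusion are assumptions.

```apache
<VirtualHost *:80>
    ServerName wordpress_site.com
    DocumentRoot /var/www/html

    RewriteEngine On

    # Skip the rules for WordPress's static assets so every image, script and
    # stylesheet on a page is not re-evaluated (the slowdown Brad describes).
    RewriteCond %{REQUEST_URI} ^/(wp-content|wp-includes)/
    RewriteRule ^ - [L]

    # 1. Brad's Referer conditions with Walter's anchoring. Unanchored,
    #    "logon_domain.com" matches that string anywhere in the header;
    #    anchored, only a Referer whose host is one of the two passes.
    #    The Referer is supplied by the client, so this is a courtesy check
    #    at best and cannot be the only gate.
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?logon_domain\.com/ [NC]
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?wordpress_site\.com/ [NC]
    RewriteRule ^ - [F]

    # 2. Walter's alternative: a session cookie. Only the logon flow sets
    #    "site_session" (assumed name); requests without it get a 403.
    #    Browsers do not send a cookie scoped to logon_domain.com to
    #    wordpress_site.com, so the cookie has to be set for this host,
    #    e.g. by the page the logon redirects to.
    RewriteCond %{HTTP_COOKIE} !(^|;\s*)site_session=[^;]+
    RewriteRule ^ - [F]

    # A full URL here makes httpd answer the 403 with a redirect to the
    # logon page (the client never sees the 403 status); a local path such
    # as /forbidden.html would serve a real 403 page instead.
    ErrorDocument 403 http://logon_domain.com/Login.aspx
</VirtualHost>
```

The ErrorDocument must sit in the same VirtualHost as the rules; if it is missing there, the 403 is served from whichever host httpd treats as the default, which matches the test page Brad saw.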