Posted to users@httpd.apache.org by Philippe Marcoussis <ph...@gmail.com> on 2013/10/11 16:58:42 UTC

[users@httpd] HTTP_REFERER and Access Control

Hello,

I am facing a problem, and I don't know how to solve it.

I have two web sites working and available on the Internet:
- applications.example.com
- secure.example.com

I would like:
1) to allow FULL access FROM applications.example.com TO
secure.example.com ( without any authentication)

AND

2) to allow access FROM Internet TO secure.example.com only with LDAP
Authentication.
PS: I know how to configure ldap authentication, that is not the matter

What Apache directive should I use? mod_rewrite? http_referer?

Thanks,

Re: [users@httpd] HTTP_REFERER and Access Control

Posted by David Ecker <da...@ecker-software.de>.
Hi,

you could use host-based access control, giving full access to the server 
applications.example.com:

http://httpd.apache.org/docs/2.2/howto/access.html

The problem is that the request to secure.example.com has to come from 
applications.example.com and not from the client browser. You could use 
mod_proxy directives for that.

For example on the application webserver:
ProxyPass /secure http://secure.example.com/
ProxyPassReverse /secure http://secure.example.com/

With that, every browser accessing http://applications.example.com/secure 
will actually get the content of http://secure.example.com.

But that only works if you have set host-based access rules as in the 
above link.

bye
David

On 11.10.2013 16:58, Philippe Marcoussis wrote:
> Hello,
>
> I am facing a problem, and I don't know how to solve it.
>
> I have two web sites working and available on the internet :
> - applications.example.com <http://applications.example.com>
> - secure.example.com <http://secure.example.com>
>
> I would like :
> 1) to allow FULL access FROM applications.example.com 
> <http://applications.example.com> TO secure.example.com 
> <http://secure.example.com>  ( without any authentication)
>
> AND
>
> 2) to allow access FROM Internet TO secure.example.com 
> <http://secure.example.com> only with LDAP Authentication.
> PS: I know how to configure ldap authentication, that is not the matter
>
> What apache directive should I use ? mod_rewrite ? http_referer ?
>
> Thanks,
>
>
>
>
>
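
The two halves of David's suggestion written out as httpd configuration, added here as an example and not taken from the thread: a reverse proxy on applications.example.com, and on secure.example.com an address-based allow for the proxy combined with LDAP authentication for everyone else. The proxy address 192.0.2.10, the AuthName and the AuthLDAPURL value are assumed placeholders; the 2.4 variant uses mod_authz_core syntax instead of the 2.2 Deny/Allow/Satisfy directives.

```apache
# Added example (not from the thread). 192.0.2.10 is an assumed address
# for applications.example.com; the LDAP URL is a placeholder.

## --- On applications.example.com ---
# Browsers request http://applications.example.com/secure/...; httpd
# fetches the page from secure.example.com itself, so the request that
# reaches secure.example.com comes from this server's IP, not the browser.
ProxyRequests Off
ProxyPass        /secure/ http://secure.example.com/
ProxyPassReverse /secure/ http://secure.example.com/

## --- On secure.example.com, httpd 2.2 syntax ---
# (on 2.4 these directives need mod_access_compat loaded)
<Location />
    # Address-based rule: only the proxy host is allowed without a login.
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10

    # Everyone else must authenticate against LDAP.
    AuthType Basic
    AuthName "secure"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid"
    Require valid-user

    # "any": the request passes if EITHER the address rule OR the
    # authentication rule is satisfied; the default "all" would need both.
    Satisfy any
</Location>

## --- On secure.example.com, httpd 2.4 syntax (mod_authz_core) ---
# <Location />
#     AuthType Basic
#     AuthName "secure"
#     AuthBasicProvider ldap
#     AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid"
#     <RequireAny>
#         Require ip 192.0.2.10
#         Require valid-user
#     </RequireAny>
# </Location>
```

Two things to check before relying on this: the allow is keyed on the source address that secure.example.com actually sees, so if a load balancer or another proxy sits in between, that address is the intermediary's and the rule either fails or becomes far too broad; and because the proxied path is reachable without a login by design, whatever protection applications.example.com applies to /secure/ is now the only control on that content.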


Re: [users@httpd] HTTP_REFERER and Access Control

Posted by Tom Evans <te...@googlemail.com>.
On Fri, Oct 11, 2013 at 5:33 PM, Tom Evans <te...@googlemail.com> wrote:
> RewriteCond %{HTTP_REFERER} ^applications.example.com$
> RewriteRule .* - [E=valid_referer:1]
>
> SetEnvIf Referer applications\.example\.com valid_referer=1

Doh! I thought I had removed the mod_rewrite way of setting the
environment variable - you only need one of these two options,
"SetEnvIf" is superior.

Cheers

Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] HTTP_REFERER and Access Control

Posted by Philippe Marcoussis <ph...@gmail.com>.
Thanks for all of your responses
On 11 Oct 2013 18:33, "Tom Evans" <te...@googlemail.com> wrote:

> On Fri, Oct 11, 2013 at 3:58 PM, Philippe Marcoussis
> <ph...@gmail.com> wrote:
> > Hello,
> >
> > I am facing a problem, and I don't know how to solve it.
> >
> > I have two web sites working and available on the internet :
> > - applications.example.com
> > - secure.example.com
> >
> > I would like :
> > 1) to allow FULL access FROM applications.example.com TO
> secure.example.com
> > ( without any authentication)
>
> I presume from the subject what you mean here is that requests with a
> referer of "applications.example.com" are allowed to access
> "secure.example.com", and not that requests that are from the host
> "applications.example.com" are allowed on the host
> "secure.example.com".
>
> >
> > AND
> >
> > 2) to allow access FROM Internet TO secure.example.com only with LDAP
> > Authentication.
> > PS: I know how to configure ldap authentication, that is not the matter
> >
> > What apache directive should I use ? mod_rewrite ? http_referer ?
>
> In 2.2/2.4, something like this might work (untested):
>
> RewriteCond %{HTTP_REFERER} ^applications.example.com$
> RewriteRule .* - [E=valid_referer:1]
>
> SetEnvIf Referer applications\.example\.com valid_referer=1
>
> <Location />
>   Deny from all
>   Allow from env=valid_referer
>   AuthType basic
>   AuthBasicProvider ldap
>   AuthLDAPURL ....
>   Require valid-user
>   Satisfy any
> </Location>
>
> The tricky bit is getting the referer check into the standard AAA, so
> that it can be combined with "Satisfy any".
>
> BTW, even if this does work, it is not a good idea. Referer is not a
> required HTTP field, browsers often do not send it to requests made
> from a different domain (eg this scenario) if configured "securely",
> and since it is unauthenticated information submitted by the user, can
> be easily circumvented if the user so desires.
>
> Cheers
>
> Tom
>

Re: [users@httpd] HTTP_REFERER and Access Control

Posted by Tom Evans <te...@googlemail.com>.
On Fri, Oct 11, 2013 at 3:58 PM, Philippe Marcoussis
<ph...@gmail.com> wrote:
> Hello,
>
> I am facing a problem, and I don't know how to solve it.
>
> I have two web sites working and available on the internet :
> - applications.example.com
> - secure.example.com
>
> I would like :
> 1) to allow FULL access FROM applications.example.com TO secure.example.com
> ( without any authentication)

I presume from the subject what you mean here is that requests with a
referer of "applications.example.com" are allowed to access
"secure.example.com", and not that requests that are from the host
"applications.example.com" are allowed on the host
"secure.example.com".

>
> AND
>
> 2) to allow access FROM Internet TO secure.example.com only with LDAP
> Authentication.
> PS: I know how to configure ldap authentication, that is not the matter
>
> What apache directive should I use ? mod_rewrite ? http_referer ?

In 2.2/2.4, something like this might work (untested):

RewriteEngine On
# The Referer header carries a full URL (e.g. http://applications.example.com/page),
# so the pattern must accept the scheme and any path rather than the bare host name.
RewriteCond %{HTTP_REFERER} ^https?://applications\.example\.com(/|$) [NC]
RewriteRule .* - [E=valid_referer:1]

# Equivalent without mod_rewrite; only one of the two is needed.
# Anchored for the same reason as above.
SetEnvIf Referer "^https?://applications\.example\.com(/|$)" valid_referer=1

# On 2.4, Deny/Allow/Satisfy require mod_access_compat.
<Location />
  Order deny,allow
  Deny from all
  Allow from env=valid_referer
  AuthType Basic
  # AuthName is mandatory for Basic authentication.
  AuthName "secure"
  AuthBasicProvider ldap
  AuthLDAPURL ....
  Require valid-user
  Satisfy any
</Location>

The tricky bit is getting the referer check into the standard AAA, so
that it can be combined with "Satisfy any".

BTW, even if this does work, it is not a good idea. Referer is not a
required HTTP field, browsers often do not send it to requests made
from a different domain (eg this scenario) if configured "securely",
and since it is unauthenticated information submitted by the user, can
be easily circumvented if the user so desires.

Cheers

Tom
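
The same Referer-gated setup in httpd 2.4 authorization syntax, added here as an example and not Tom's code: mod_authz_core's <RequireAny> takes the place of "Satisfy any", and "Require env" takes the place of "Allow from env=". The AuthName and AuthLDAPURL values are assumed placeholders.

```apache
# Added example (not from the thread); the LDAP URL is a placeholder.

# The Referer value is a full URL such as
# http://applications.example.com/index.html, so anchor on scheme and host.
SetEnvIf Referer "^https?://applications\.example\.com(/|$)" valid_referer=1

<Location />
    AuthType Basic
    AuthName "secure"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid"

    <RequireAny>
        # satisfied when SetEnvIf above set the variable
        Require env valid_referer
        # otherwise the client is challenged for LDAP credentials
        Require valid-user
    </RequireAny>
</Location>
```

This keeps the weakness Tom describes: the only thing the first branch checks is a header the client chooses whether and what to send, so it should be read as a convenience for users following links from the application site, not as an access boundary. When it is deployed anyway, logging %{Referer}i alongside the authenticated user makes it possible to see later how often the unauthenticated branch was taken and from where.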
