Posted to users@httpd.apache.org by "Markley, Aaron" <AM...@medcentral.org> on 2002/01/21 14:25:02 UTC

security/redirection

Hello all,

I have a working authorization scheme for my website, let's call it
http://site1.medcentral.org:11111, which first asks for username and
password (using the various "Auth" directives in the virtual host
definition), and then if valid will redirect to the site on our local
intranet that I want secured, http://999.9.9.999.  This whole scheme works
until someone types in the IP address directly; then there isn't any
authentication at all.  Is there a way to completely block access to
999.9.9.999 except from the redirection site?

Thanks,
Aaron

Re: security/redirection

Posted by Daniel Lopez <da...@rawbyte.com>.
Aaron,

You can rely on the Referer: header, but that is not secure as the client is
the one that provides it. You can try setting up a reverse proxy, forcing
all requests to pass through site1.medcentral.org before reaching 9.9.9.9.
Check http://www.webtechniques.com/archives/1998/05/engelschall/ for a
general introduction to reverse proxies.
Check the mod_rewrite documentation for some examples on how to do that for
what you suggest.

Daniel



On Mon, Jan 21, 2002 at 08:25:02AM -0500, Markley, Aaron wrote:
> Hello all,
> 
> I have a working authorization scheme for my website, let's call it
> http://site1.medcentral.org:11111, which first asks for username and
> password (using the various "Auth" directives in the virtual host
> definition), and then if valid will redirect to the site on our local
> intranet that I want secured, http://999.9.9.999.  This whole scheme works
> until someone types in the IP address directly; then there isn't any
> authentication at all.  Is there a way to completely block access to
> 999.9.9.999 except from the redirection site?
> 
> Thanks,
> Aaron

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
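
The reverse-proxy arrangement suggested in the reply, sketched as an added example that is not part of the original thread. It uses Apache 2.4 syntax with mod_proxy and mod_proxy_http loaded; 999.9.9.999 is the thread's own placeholder for the intranet server, and 192.0.2.10 (the proxy's intranet-side address), the realm name and the password file path are constructed placeholders.

```apache
# ---- httpd.conf on site1.medcentral.org (the only host users connect to) ----
Listen 11111
<VirtualHost *:11111>
    ServerName site1.medcentral.org

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off

    # Authenticate every request before it is passed to the backend.
    <Location "/">
        AuthType Basic
        AuthName "Intranet"
        # Placeholder path; keep the file outside the document root.
        AuthUserFile "/placeholder/path/to/htpasswd"
        Require valid-user
    </Location>

    # Serve the backend's content under this host instead of redirecting
    # the browser to the backend address.
    ProxyPass        "/" "http://999.9.9.999/"
    # Rewrite Location: headers in backend responses so that backend
    # redirects point at the proxy and not at the backend address.
    ProxyPassReverse "/" "http://999.9.9.999/"
</VirtualHost>

# ---- httpd.conf on the intranet server (999.9.9.999) ----
# Accept requests only from the proxy's address, so typing the IP address
# directly into a browser returns 403 instead of the unauthenticated site.
<Location "/">
    Require ip 192.0.2.10
</Location>

# Apache 2.2 and earlier express the same restriction as:
#   Order deny,allow
#   Deny from all
#   Allow from 192.0.2.10
```

With this in place the browser never receives the backend address, and the backend's source-address restriction is what closes the direct route described in the question.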