httpd-users mailing list archives

From Tim Wort <...@pobox.com>
Subject Re: [users@httpd] mod_rewrite and AuthExpire
Date Fri, 27 Dec 2002 15:05:58 GMT



My answer would not be an Apache solution to the problem, although using
Apache as the reverse proxy is part of the solution. First, I think you
need to rely on a firewall between the proxy and the internal servers. The
firewall then can block all Internet access that does not originate from
the proxy. I would also add that relying on HTTP_REFERER for security is
not a great idea; referers are easily forged using tools included in the
DSNIFF toolkit. You cite a GIAC paper; you might also look at:

http://rr.sans.org/web/reverse_proxy.php

"A Reverse Proxy Is A Proxy By Any Other Name" by Art Stricek, from SANS.

I am sure others on the list will offer other solutions and/or opinions.




On Fri, 27 Dec 2002, John Kirkman wrote:


> Hi,
>     I have been tasked with putting a reverse proxy in front of an OWA2K
> server to tighten security and have put in place a Linux box running Apache
> 1.3 with a variety of modules. These include proxy_add_forward,
> mod_auth_ldap and the perl modules mod_rewrite and AuthExpire. There is an
> index.html page on the Apache web server accessed via the Internet as say
> www.extranet.somecompany.com it will have two links - one to
> www.intranet.somecompany.com and the other www.webmail.somecompany.com.
> Access to index.html will be via https: and authentication against an
> external database is required.
>
> For a description of the solution please see
> http://www.giac.org/practical/Mattison_Ward_GSEC.rtf, I have added a web
> page to the front that requires that the user authenticate against an internal
> LDAP database.
>
> Whilst the implementation does work I would like to tighten security a bit
> more and to this end I have the following questions:
>
>
> What must the RewriteCondition/RewriteRule statements be for mod_rewrite so
> that a user cannot bypass the index.html page and go straight to either the
> intranet pages or the OWA server? Whilst they will initially go to
> https://www.extranet.somecompany.com/index.html they will subsequently be
> coming into the server as any of:
>     https://www.extranet.somecompany.com/exchange/
>     https://www.extranet.somecompany.com/exchweb/
>     https://www.extranet.somecompany.com/public/
>     https://www.extranet.somecompany.com/intranet
> I believe I can start with a HTTP_REFERER - having had to follow the link
> from the index.html page, but this will not be the case when I am following
> the links for subsequent pages.
>
> Whilst I currently have the AuthExpire working against pages that are local
> to the apache server it does not work with pages dished out via the
> mod_rewrite rules & proxy. Is it possible to control access to pages dished
> out by the proxy server such that after so many seconds of inactivity any
> attempt to reload a page, or follow a link, will require re-authentication?
>
> Hoping someone may be of assistance.
>
> Rgds,
>     John Kirkman
>     ____please_reply_to:john@opensystems.co.nz_______
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
>

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=        Inkling Research Inc.      =
=    Tim.Wort@InklingResearch.com   =
=        Tim.Wort@pobox.com         =
=                                   =
=        Eschew Obfuscation         =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
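As an added illustration of the point made in the reply above (this is example configuration, not something either poster wrote), here is an Apache 1.3-style fragment that contrasts a Referer-gated RewriteRule with access control that does not depend on a client-supplied header: the proxied paths from the question are protected by the same LDAP authentication that already guards index.html, and TLS is required on them. The backend hostnames owa.internal.example, intranet.internal.example and ldap.internal.example are invented, and AuthLDAPURL is assumed as the directive name; the third-party mod_auth_ldap used with 1.3 may spell its directives differently, so check that module's documentation.

```apache
# Added example; hostnames below are invented placeholders.
RewriteEngine On
ProxyRequests Off

# WEAK: gating the proxied paths on HTTP_REFERER. The Referer header is
# chosen by the client, so this stops accidental deep links at best and
# is not a control against a deliberate bypass of index.html.
#RewriteCond %{HTTP_REFERER} !^https://www\.extranet\.somecompany\.com/ [NC]
#RewriteRule ^/(exchange|exchweb|public|intranet) - [F]

# STRONGER: still proxy the paths, but put the proxy's own authentication
# in front of them. Access is then decided by the auth module on every
# request, not by a header the client controls.
RewriteRule ^/(exchange|exchweb|public)/(.*)$ http://owa.internal.example/$1/$2 [P,L]
RewriteRule ^/intranet/(.*)$ http://intranet.internal.example/$1 [P,L]
ProxyPassReverse /exchange/ http://owa.internal.example/exchange/
ProxyPassReverse /exchweb/  http://owa.internal.example/exchweb/
ProxyPassReverse /public/   http://owa.internal.example/public/
ProxyPassReverse /intranet/ http://intranet.internal.example/

# Apply the same LDAP authentication that protects index.html to every
# proxied prefix, and refuse plain HTTP for them.
<Location ~ "^/(exchange|exchweb|public|intranet)">
    SSLRequireSSL
    AuthType Basic
    AuthName "Extranet"
    # Directive name assumed from Apache's own mod_auth_ldap; verify
    # against the LDAP module actually installed.
    AuthLDAPURL ldap://ldap.internal.example/ou=people,dc=example?uid
    Require valid-user
</Location>
```

This covers the "cannot bypass index.html" part of the question: a request for /exchange/ without valid credentials is refused by Apache before any proxying happens, whatever Referer it carries. The inactivity timeout asked about in the second question is not addressed here, since it depends on the AuthExpire module's own directives. The firewall advice in the reply is complementary and separate: the OWA and intranet hosts should accept connections only from the proxy's address, so that the proxy's authentication cannot be sidestepped by reaching the backends directly.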




