Date: Fri, 27 Dec 2002 08:05:58 -0700 (MST)
From: Tim Wort
Subject: Re: [users@httpd] mod_rewrite and AuthExpire

My answer would not be an Apache solution to the problem, although using Apache as the reverse proxy is part of the solution.

First, I think you need to rely on a firewall between the proxy and the internal servers. The firewall then can block all internet access that does not originate from the proxy.

I would also add that relying on HTTP_REFERER for security is not a great idea; referers are easily forged using tools included in the DSNIFF toolkit.

You cite a GIAC paper; you might also look at:

http://rr.sans.org/web/reverse_proxy.php
A Reverse Proxy Is A Proxy By Any Other Name, by Art Stricek, from SANS.

I am sure others on the list will offer other solutions and/or opinions.
On Fri, 27 Dec 2002, John Kirkman wrote:

> Hi,
> I have been tasked with putting a reverse proxy in front of an OWA2K
> server to tighten security and have put in place a Linux box running Apache
> 1.3 with a variety of modules. These include proxy_add_forward,
> mod_auth_ldap and the perl modules mod_rewrite, and AuthExpire. There is an
> index.html page on the Apache web server accessed via the Internet as, say,
> www.extranet.somecompany.com; it will have two links - one to
> www.intranet.somecompany.com and the other www.webmail.somecompany.com.
> Access to index.html will be via https: and authentication against an
> external database is required.
>
> For a description of the solution please see
> http://www.giac.org/practical/Mattison_Ward_GSEC.rtf. I have added a web
> page to the front that requires the user to authenticate against an internal
> LDAP database.
>
> Whilst the implementation does work I would like to tighten security a bit
> more and to this end I have the following questions:
>
> What must the RewriteCond/RewriteRule statements be for mod_rewrite so
> that a user cannot bypass the index.html page and go straight to either the
> intranet pages or the OWA server? Whilst they will initially go to
> https://www.extranet.somecompany.com/index.html they will subsequently be
> coming into the server as any of:
> https://www.extranet.somecompany.com/exchange/
> https://www.extranet.somecompany.com/exchweb/
> https://www.extranet.somecompany.com/public/
> https://www.extranet.somecompany.com/intranet
> I believe I can start with an HTTP_REFERER - having had to follow the link
> from the index.html page, but this will not be the case when I am following
> the links for subsequent pages.
>
> Whilst I currently have the AuthExpire working against pages that are local
> to the apache server it does not work with pages dished out via the
> mod_rewrite rules & proxy.
> Is it possible to control access to pages dished
> out by the proxy server such that after so many seconds of inactivity any
> attempt to reload a page, or follow a link, will require re-authentication.
>
> Hoping someone may be of assistance.
>
> Rgds,
> John Kirkman
> ____please_reply_to:john@opensystems.co.nz_______
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= Inkling Research Inc.             =
= Tim.Wort@InklingResearch.com      =
= Tim.Wort@pobox.com                =
=                                   =
= Eschew Obfuscation                =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
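One way to enforce the policy this thread is about without leaning on HTTP_REFERER, as an added example that is not part of the original exchange or of the GIAC paper: the referer-based rule is left in commented out for comparison, and an authentication requirement is attached to every proxied path instead. Host names are the ones from the question; the backend addresses, the AuthName string and the htpasswd path are placeholders (substitute the site's own mod_auth_ldap directives).

```apache
# Added example, not from the original thread. Placeholders: backend
# hosts, the AuthName string and the htpasswd path.
RewriteEngine On

# WEAK: a referer check only keeps well-behaved browsers in line. The
# header is supplied by the client and can be set to anything, so it is
# not an access control. Kept here, disabled, only for comparison.
#RewriteCond %{HTTP_REFERER} !^https://www\.extranet\.somecompany\.com/ [NC]
#RewriteRule ^/(exchange|exchweb|public|intranet) - [F]

# Map the public paths to the internal servers (placeholder addresses).
ProxyPass        /exchange/ http://owa.internal.placeholder/exchange/
ProxyPassReverse /exchange/ http://owa.internal.placeholder/exchange/
ProxyPass        /exchweb/  http://owa.internal.placeholder/exchweb/
ProxyPassReverse /exchweb/  http://owa.internal.placeholder/exchweb/
ProxyPass        /public/   http://owa.internal.placeholder/public/
ProxyPassReverse /public/   http://owa.internal.placeholder/public/
ProxyPass        /intranet/ http://intranet.internal.placeholder/
ProxyPassReverse /intranet/ http://intranet.internal.placeholder/

# The control that matters: every proxied path is served only over TLS
# and only to an authenticated user, so there is no front page to skip.
<LocationMatch "^/(exchange|exchweb|public|intranet)">
    SSLRequireSSL
    AuthType Basic
    AuthName "Extranet"
    # Placeholder: replace with the site's mod_auth_ldap directives.
    AuthUserFile /etc/httpd/conf/extranet.htpasswd
    Require valid-user
</LocationMatch>
```

With the authentication requirement on the LocationMatch block rather than on index.html, a request that goes straight to /exchange/ is challenged exactly as the front page is, whatever Referer the client sends.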