httpd-users mailing list archives

From Philippe Marcoussis <philippe.marcous...@gmail.com>
Subject Re: [users@httpd] HTTP_REFERER and Access Control
Date Fri, 11 Oct 2013 16:36:17 GMT
Thanks for all of your responses
On 11 Oct 2013 18:33, "Tom Evans" <tevans.uk@googlemail.com> wrote:

> On Fri, Oct 11, 2013 at 3:58 PM, Philippe Marcoussis
> <philippe.marcoussis@gmail.com> wrote:
> > Hello,
> >
> > I am facing a problem, and I don't know how to solve it.
> >
> > I have two web sites working and available on the Internet:
> > - applications.example.com
> > - secure.example.com
> >
> > I would like:
> > 1) to allow FULL access FROM applications.example.com TO secure.example.com
> > (without any authentication)
>
> I presume from the subject what you mean here is that requests with a
> referer of "applications.example.com" are allowed to access
> "secure.example.com", and not that requests that are from the host
> "applications.example.com" are allowed on the host
> "secure.example.com".
>
> >
> > AND
> >
> > 2) to allow access FROM Internet TO secure.example.com only with LDAP
> > Authentication.
> > PS: I know how to configure ldap authentication, that is not the matter
> >
> > What Apache directive should I use? mod_rewrite? http_referer?
>
> In 2.2/2.4, something like this might work (untested):
>
> # Mark the request via mod_rewrite. The Referer header carries a full URL,
> # so anchor on the scheme and host rather than on the bare hostname.
> RewriteCond %{HTTP_REFERER} ^https?://applications\.example\.com/
> RewriteRule .* - [E=valid_referer:1]
>
> # Or, without mod_rewrite, the same marking with mod_setenvif
> # (anchored, so a URL that merely contains the string does not match).
> SetEnvIf Referer ^https?://applications\.example\.com/ valid_referer=1
>
> <Location />
>   # Allow/Deny/Satisfy are 2.2 directives; on 2.4 they need mod_access_compat
>   Deny from all
>   Allow from env=valid_referer
>   AuthType basic
>   AuthBasicProvider ldap
>   AuthLDAPURL ....
>   Require valid-user
>   # "any": pass if the env-based Allow OR the LDAP authentication succeeds
>   Satisfy any
> </Location>
>
> The tricky bit is getting the referer check in to the standard AAA, so
> that it can be combined with "Satisfy any".
>
> BTW, even if this does work, it is not a good idea. Referer is not a
> required HTTP field, browsers often do not send it to requests made
> from a different domain (e.g. this scenario) if configured "securely",
> and since it is unauthenticated information submitted by the user, can
> be easily circumvented if the user so desires.
>
> Cheers
>
> Tom

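Tom's snippet above uses the 2.2 Allow/Deny/Satisfy syntax; the same either-or logic expressed with the Apache 2.4 authorization containers (mod_authz_core, no mod_access_compat), as an added example that is not part of the original thread. The hostnames are the thread's; the LDAP URL is a placeholder.

```apache
# Apache 2.4 equivalent of "Satisfy any": a trusted Referer OR a valid LDAP user.
# Hostnames follow the thread; the AuthLDAPURL below is a placeholder, not a real server.

# Mark requests whose Referer starts with the trusted origin. Anchor on
# scheme + host + "/" so a URL that merely *contains* the string somewhere
# in its path or query string does not match.
SetEnvIf Referer "^https?://applications\.example\.com/" valid_referer=1

<Location "/">
    AuthType Basic
    AuthName "secure.example.com"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://LDAP_HOST_PLACEHOLDER/ou=people,dc=example,dc=com?uid"

    # RequireAny grants access if EITHER directive is satisfied. Because
    # "Require env" needs no user, 2.4 evaluates it before demanding
    # credentials; requests without the marker fall through to the LDAP
    # 401 challenge, which is what Internet users should see.
    <RequireAny>
        Require env valid_referer
        Require valid-user
    </RequireAny>
</Location>
```

The same caveat Tom gives still applies: the Referer branch only keeps honest browsers out of the login prompt, it is not an authentication control.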