Date: Fri, 11 Oct 2013 18:36:17 +0200
From: Philippe Marcoussis <philippe.marcoussis@gmail.com>
To: users@httpd.apache.org
Subject: Re: [users@httpd] HTTP_REFERER and Access Control

Thanks for all of your responses

On 11 Oct 2013 18:33, "Tom Evans" <tevans.uk@googlemail.com> wrote:
> On Fri, Oct 11, 2013 at 3:58 PM, Philippe Marcoussis
> <philippe.marcoussis@gmail.com> wrote:
> > Hello,
> >
> > I am facing a problem, and I don't know how to solve it.
> >
> > I have two web sites working and available on the internet:
> > - applications.example.com
> > - secure.example.com
> >
> > I would like:
> > 1) to allow FULL access FROM applications.example.com TO secure.example.com
> > (without any authentication)
>
> I presume from the subject what you mean here is that requests with a
> referer of "applications.example.com" are allowed to access
> "secure.example.com", and not that requests that are from the host
> "applications.example.com" are allowed on the host
> "secure.example.com".
>
> >
> > AND
> >
> > 2) to allow access FROM Internet TO secure.example.com only with LDAP
> > Authentication.
> > PS: I know how to configure ldap authentication, that is not the matter
> >
> > What apache directive should I use? mod_rewrite? http_referer?
>
> In 2.2/2.4, something like this might work (untested):
>
> # Referer carries a full URL (e.g. https://applications.example.com/page),
> # so match scheme and host, with the dots escaped and the host anchored.
> RewriteCond %{HTTP_REFERER} ^https?://applications\.example\.com(/|$)
> RewriteRule .* - [E=valid_referer:1]
>
> # Equivalent without mod_rewrite:
> SetEnvIf Referer "^https?://applications\.example\.com(/|$)" valid_referer=1
>
> <Location />
>   # Deny/Allow/Satisfy are 2.2 directives; on 2.4 they need mod_access_compat.
>   Deny from all
>   Allow from env=valid_referer
>   AuthType basic
>   # AuthName is required whenever AuthType is set.
>   AuthName "secure.example.com"
>   AuthBasicProvider ldap
>   AuthLDAPURL ....
>   Require valid-user
>   Satisfy any
> </Location>
>
> The tricky bit is getting the referer check in to the standard AAA, so
> that it can be combined with "Satisfy any".
>
> BTW, even if this does work, it is not a good idea. Referer is not a
> required HTTP field, browsers often do not send it to requests made
> from a different domain (eg this scenario) if configured "securely",
> and since it is unauthenticated information submitted by the user, can
> be easily circumvented if the user so desires.
>
> Cheers
>
> Tom
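As an added example (not code from the thread), a small Python model of the decision Tom's quoted configuration expresses: the Referer header holds a full URL, so the trusted host is extracted and compared whole rather than matched as a substring, and under "Satisfy any" a missing or foreign Referer falls through to the credential check instead of rejecting the request. The trusted host name, the user table standing in for the LDAP provider and the request headers are constructed for this example.

```python
import base64
from urllib.parse import urlsplit

# Host the quoted config trusts as a Referer source (from the thread).
TRUSTED_REFERER_HOST = "applications.example.com"

# Stand-in for the LDAP provider: a constructed user table, example only.
_USERS = {"alice": "s3cret"}


def referer_is_trusted(referer):
    """Referer is a URL, so parse it and compare the host exactly.

    A substring match would also accept lookalikes such as
    https://applications.example.com.lookalike.test/, so compare the whole host.
    """
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and parts.hostname == TRUSTED_REFERER_HOST


def basic_auth_ok(authorization):
    """Decode an HTTP Basic credential and check it against the stand-in table."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(authorization[6:], validate=True).decode()
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return False
    user, sep, password = raw.partition(":")
    return bool(sep) and _USERS.get(user) == password


def make_basic_header(user, password):
    """Build the Authorization header a client sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decide(headers):
    """Model 'Satisfy any': a trusted Referer OR valid credentials grants access.

    The Referer branch is client-supplied and unauthenticated, as the thread
    notes; when a browser's referrer policy strips it, the request simply falls
    through to the credential check rather than being denied outright.
    """
    if referer_is_trusted(headers.get("Referer")):
        return "200 allowed by referer"
    if basic_auth_ok(headers.get("Authorization")):
        return "200 allowed by ldap"
    return "401 WWW-Authenticate: Basic"
```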