Re: HTTP_REFERER and Access Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Oct 11, 2013 at 3:58 PM, Philippe Marcoussis
<philippe.marcoussis@xxxxxxxxx> wrote:
> Hello,
>
> I am facing a problem, and i don't known how to solve it.
>
> I have two web sites working and available on the internet :
> - applications.example.com
> - secure.example.com
>
> I would like :
> 1) to allow FULL access FROM applications.example.com TO secure.example.com
> ( without any authentication)

I presume from the subject what you mean here is that requests with a
referer of "applications.example.com" are allowed to access
"secure.example.com", and not that requests that are from the host
"applications.example.com" are allowed on the host
"secure.example.com".

>
> AND
>
> 2)  to allow access FROM Internet TO secure.example.com only with LDAP
> Authentification.
> PS: I know how to configure ldap authentication, that is not the matter
>
> What apache directive should I use ? mod_rewrite ? http_referer ?

In 2.2/2.4, something like this might work (untested):

RewriteCond %{HTTP_REFERER} ^applications.example.com$
RewriteRule .* - [E=valid_referer:1]

SetEnvIf Referer applications\.example\.com valid_referer=1

<Location />
  Deny from all
  Allow from env=valid_referer
  AuthType basic
  AuthBasicProvider ldap
  AuthLDAPURL ....
  Require valid-user
  Satisfy any
</Location>

The tricky bit is getting the referer check in to the standard AAA, so
that it can be combined with "Satisfy any".

BTW, even if this does work, it is not a good idea. Referer is not a
required HTTP field, browsers often do not send it to requests made
from a different domain (eg this scenario) if configured "securely",
and since it is unauthenticated information submitted by the user, can
be easily circumvented if the user so desires.

Cheers

Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx





[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux