How to configure a pass through url in IHS Server and check a cookie for rest url? - apache

In IBM IHS Server I want to allow a few URLs to pass to the app server (WAS) without validation; the rest will be validated by an HTTP cookie.
So for example /Foo.do, /example.html, /example.css will be allowed by the IHS Server as pass-through. The rest of the incoming URLs will be validated by the cookie (configured in the IHS Server configuration, like the WAS plugin XML), checking whether the browser has that cookie or not.

While it's a bad idea because a secret cookie for access is pretty weak, one way to do this is to use mod_rewrite to inspect the cookie and forbid access if it's not present:
RewriteEngine ON
RewriteCond %{REQUEST_URI} ^/(Foo.do|example.html|example.css) [OR]
RewriteCond %{HTTP_COOKIE} my-secret-cookiename
RewriteRule .* - [L]
RewriteRule .* - [F]
The first rule skips the second rule when either of the conditions matches. The 2nd rule fails the request with a 403.
You would need these rules once appended to httpd.conf and once in each <VirtualHost>.
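As an added example (not part of the original answer), here is the same allow-list-plus-cookie gate with both regexes tightened: the allow-list is anchored at both ends so paths such as /Foo.do/other or /example.htmlx are not passed through, and the cookie condition requires the cookie name to begin a cookie rather than appear anywhere in the Cookie header. The cookie name is the answer's placeholder my-secret-cookiename.

```apache
RewriteEngine On

# Pass-through list: escape the dots and anchor both ends so only these exact
# paths bypass the cookie check (the unanchored form also matched /Foo.do/anything).
RewriteCond %{REQUEST_URI} ^/(Foo\.do|example\.html|example\.css)$ [OR]

# Cookie check: the name must start the Cookie header or follow a ";" separator
# and carry a non-empty value, so a cookie whose name merely contains
# "my-secret-cookiename" does not satisfy the condition.
RewriteCond %{HTTP_COOKIE} (^|;\s*)my-secret-cookiename=[^;]+

# Either condition matched: stop rewriting and let the request reach the WAS plugin.
RewriteRule ^ - [L]

# Neither condition matched: refuse with 403.
RewriteRule ^ - [F]
```

As in the answer, place these once in the main server config and once in each <VirtualHost> that fronts WAS.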

Related

Apache - How to write a rule based on URL we access the site

We have 2 URLs pointing to the same Apache instance: one URL for admins and the other for clients. When accessing the admin URL, /admin should be allowed, whereas /admin should be denied when accessing through the client URL. Could you help with sample Apache rewrite rules?
https://example-admin.com/admin - Admins allowed to access the admin URL
https://example-client.com/admin - Clients should not be allowed to access the admin URL
https://example-client.com/client - Clients allowed to access the client site
UPDATE:
I tried the below to block the admin context path for the client URL, but this isn't working:
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/auth/admin(/.*)? [NC]
RewriteRule ^ - [F]
RewriteCond %{REQUEST_URI} ^/auth/admin(/.*)? [NC]
RewriteRule ^ - [F]
Where did /auth come from? It's not in your example URLs. However, you need to check the requested hostname, since you only want to block paths that start with /admin when accessed from the example-client.com host. In other words, you need to check the value of the Host HTTP request header, which is available in the HTTP_HOST server variable.
For example:
RewriteCond %{HTTP_HOST} ^(www\.)?example-client\.com [NC]
RewriteRule ^admin($|/) - [F]
And this needs to go near the top of your root .htaccess file.
You don't need a separate condition (RewriteCond directive) to check the requested URL-path, as this can be checked (more efficiently) in the RewriteRule directive itself.

Forcing https using modrewrite in apache conf losing basic authentication credentials

I'm trying to force HTTPS with a system that uses basic authentication in the URL, but when I add the following lines to the Apache configuration files:
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R]
the results are 302 errors.
If someone types as the URL:
http://username:password@example.com/api_name.php
Based on the access log, I think the redirect is going to:
https:example.com/api_name.php
What I want is it to redirect to:
https://username:password@example.com/api_name.php
But I also want:
http://example.com/api_name.php
to correctly redirect to:
https://example.com/api_name.php
and not:
http://:@example.com/api_name.php
URLs without credentials contained within the string are working fine and redirect correctly.
How would I make this work?

SSL auto-detection for single directory (using X-Forwarded-Proto) not working

I'm sure this is something stupid, and I've just been looking at this too long.
I'm running Apache 2.4.10
I want a single directory to force the user into HTTPS. Outside of that directory, I want the user to be bounced back to standard HTTP (unless they are loading the support files for an HTTPS page, e.g. images, CSS).
This is behind a load balancer, and the load balancer is handling the HTTPS, so I'm relying on the X-Forwarded-Proto header, as all the requests come into the nodes with the same protocol and port otherwise. I've double-checked, and the header IS being populated by the LB for both HTTP and HTTPS transactions.
This is what I have in my config:
RewriteCond %{HTTP:X-Forwarded-Proto} http [NC]
RewriteCond %{REQUEST_URI} ^/secureDir/(.*) [NC]
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
RewriteCond %{HTTP:X-Forwarded-Proto} https [NC]
RewriteCond %{REQUEST_URI} !^/secureDir/(.*) [NC]
RewriteCond %{REQUEST_URI} !^.*\.(gif|jpg|png|swf|css|js) [NC]
RewriteRule .* http://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
This is what I'm wanting, and what I THINK should be happening.
If the request came in over HTTP AND the request is for a resource in "/secureDir/" - the request will be bounced to HTTPS (at the same REQUEST_URI).
If the request came in over HTTPS and the request is NOT inside "/secureDir/" it will be bounced to HTTP (unless it is just a request for gif|jpg|etc).
This should seamlessly move a user back and forth between HTTPS and HTTP if they move in and out of the secureDir directory ... BUT it is not.
If I hit the secureDir directory, it is not automatically putting me in HTTPS. If I manually request as HTTPS it will put the request through. If I move out of the secureDir directory, it will automatically put me back into HTTP. So, it seems the 2nd set of Rewrite conditions are catching, but not the first.
I've also tried alternating the conditions to look for the inverse (!http, !https), but I still seem to only get one catch.
Any insight as to what I'm overlooking?
Found the error. There was an unterminated rewrite a few lines prior, so it was appending those conditions to the first set of conditions in this group.
For anyone else who may be trying to do a similar thing: the only other thing I changed was the "http" match for X-Forwarded-Proto to "^http$" to make sure it wasn't greedy (as I got some 'infinite redirect' conditions if I didn't).

How to have mod_rewrite validate cookie from different server, same domain

I have two servers, foo.example.com and bar.example.com. They are on two different servers but on the same domain. On foo.example.com I have a page that creates a cookie using
setcookie('name','value',time()+3600,'/','example.com',1)
and it gets created just as expected.
On bar.example.com I need to restrict access to only those with that cookie, and if it's not there, redirect to a custom 403 page that tells the user they need to log into foo.example.com. This is the rewrite rule I have.
RewriteCond %{HTTP_COOKIE} !name=value [NC]
RewriteCond %{REQUEST_URI} !^/error/403.html
RewriteRule ^(.*)$ /error/403.html [R,NC,L]
But I keep on getting the 403 page even though the cookie exists and has the correct domain listed and values are correct.
What is wrong with this code? Is what I'm trying to do even possible?

Difference between 2 apache mod_rewrites

I've found 2 different code snippets to force HTTPS on my website:
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
and
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
I'm sure that they both work (one's from the Httpd Wiki and the other's from SSL Shopper). Would someone be able to explain the differences in how they perform the redirect?
They just use different Apache variables to make up the URL for the redirect.
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
This first rule takes the filename if one is entered, such as myfile.php, and appends it to the redirect, replacing $1 in the redirect so that you get https://somesite.com/myfile.php
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
The 2nd one, using %{HTTP_HOST}, will grab the information from the HTTP headers instead to make up the URL used to redirect, so entering the same URL http://somesite.com/myfile.php will be redirected to https://somesite.com/myfile.php
It's just a matter of telling Apache what to use for redirection: either use the server's internal name or use the one sent by the browser.
%{SERVER_NAME}
That is a server-internal variable in Apache and is defined in the server config.
%{HTTP_HOST}
This is what is sent by the browser in the HTTP request headers. This is client side, while SERVER_NAME is from the server config.
%{REQUEST_URI}
REQUEST_URI is the path component of the requested URI, such as "/index.html". This is a special Apache variable.
There are many ways that have been used to redirect to HTTPS, and both should work. Your choice.
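As an added example (not from the original answer): the Host header is supplied by the client, so a redirect built from %{HTTP_HOST} sends the browser to whatever hostname it asked for, and with Apache's default UseCanonicalName Off, %{SERVER_NAME} is derived from that same header. The configuration below, assuming the canonical name is www.example.com, pins the redirect target to the configured ServerName.

```apache
# Assumed canonical hostname for this example.
ServerName www.example.com

# The default is Off, in which case %{SERVER_NAME} follows the client's Host
# header just as %{HTTP_HOST} does; On makes it the ServerName above.
UseCanonicalName On

RewriteEngine On
# Plain-HTTP requests are redirected to HTTPS on the configured hostname; the
# original query string is carried over because the substitution has none.
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
```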