I have two server, foo.example.com and bar.example.com. They are on two different servers but on the same domain. On foo.example.com I have the page on there create a cookie using
setcookie('name','value',time()+3600,'/','example.com',1)
and it gets created just as expected.
On bar.example.com I need to restrict access to only those with that cookie and if it's not there to redirect to a custom 403 page that tells the user they need to log into foo.example.com. This is the rewrite rule I have.
RewriteCond %{HTTP_COOKIE} !name=value [NC]
RewriteCond %{REQUEST_URI} !^/error/403.html
RewriteRule ^(.*)$ /error/403.html [R,NC,L]
But I keep on getting the 403 page even though the cookie exists and has the correct domain listed and values are correct.
What is wrong with this code? Is what I'm trying to do even possible?
Related
I have an e-commerce site that resides in:
http://dev.gworks.mobi/
When a customer clicks on the signin link, the browser gets redirected to another domain, in order for authentication:
http://frock.gworks.mobi:8080/openam/XUI/#login/&goto=http%3A%2F%2Fdev.gworks.mobi%3A80%2Fcustomer%2Faccount%2Flogin%2Freferer%2FaHR0cDovL2Rldi5nd29ya3MubW9iaS8%2C%2F
I'm trying to rewrite http://dev.gworks.mobi/* to http://frock.gworks.mobi:8080/openam/*, without redirection.
I've tried this in the .htaccess of the dev.gworks.mobi site:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/openam(.*)$ [NC]
RewriteRule ^(.*)$ http://frock.gworks.mobi:8080/$1 [P,L]
</IfModule>
But when I access http://dev.gworks.mobi/openam, it shows a 404 page not found page.
Can anyone help me to achieve my use case?
Try this:
RewriteEngine on
RewriteBase /
# Make sure it's not an actual file being accessed
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# Match the host
RewriteCond %{HTTP_HOST} ^dev\.gworks\.mobi
# Rewrite the request if it starts with "openam"
RewriteRule ^openam(.*)$ http://frock.gworks.mobi:8080/$1 [L,QSA]
This will rewrite all the requests to dev.gworks.mobi/openam to frock.gworks.mobi:8080.
If you want to mask the URI in a way that it's not visible to the visitor that she's visiting the authentication app, you need to add a P flag. Please note that it needs Apache's mod_proxy module in place:
RewriteRule ^openam(.*)$ http://frock.gworks.mobi:8080/$1 [P,L,QSA]
Feel free to drop the L flag, if it's not the last rewrite rule. See RewriteRule Flags for more information.
The 404
If it's all in place and you're still getting a 404 error, make sure that the target URL is not throwing 404 errors in the first place.
Second, check if you're still getting the error with the correct referrer URI set. It might be designed in a way to throw a 404, if the referrer is not correctly set. If that's the case, which I suspect, you need to use the R flag and redirect instead of proxying the request.
Last thing that comes to my mind, some webapps are not built in a way to figure out the URI address. The host, as well as the port number, might be hard-coded somewhere in the config files. Make sure that the authentication app is able to be run from another URL without the need to edit the configs.
Test
You can test the rewriterule online:
In IBM IHS Server I want to allow few urls to pass to app server(WAS) without validation and rest will be validated by a HTTP cookie.
So for example /Foo.do, /example.html, /example.css will be allowed by the IHS Server as passthrough. Rest of the incoming URLs will be validated by the cookie (Configured in IHS Server configuration like WAS plugin xml) whether the browser has that cookie or not.
While it's a bad idea because a secret cookie for access is pretty weak , one way to do this is to use mod_rewrite to inspect the cookie and forbid access if it's not present:
RewriteEngine ON
RewriteCond %{REQUEST_URI} ^/(Foo.do|example.html|example.css) [OR]
RewriteCond %{HTTP_COOKIE} my-secret-cookiename
RewriteRule .* - [L]
RewriteRule .* - [F]
The first rule skips the second rule when either of the conditions match. The 2nd rule fails the request with a 403.
You would need these rules once appended to httpd.conf and once in each <virtualhost>
I am using a single domain certificate (only on the www. subdomain) and want to have all users using this.
Currently i have the following in my htaccess file:
## force HTTPS and www. if any of them are not already present
RewriteCond %{HTTP_HOST} (?!^www\.)^(.+)$ [OR]
RewriteCond %{HTTPS} off
RewriteRule ^ https://www.%1%{REQUEST_URI} [R=301,L]
But the problem is, that this seems to lead to two separate redirects:
http://domain.com -> https://domain.com -> https://www.domain.com
This means 3 RTTs for the user until he reaches the correct page. In addition only the second redirect seems to be permanent, the first one (http to https) seems to be temporary,
Is there any solution which directly sends requests of from http to https+www?
Many thanks in advance!
There's only one redirect. The target is https://www.%1. There is no redirect to http://www.%1 and no redirect to https://%1. Only https://www.%1.
No idea how you arrived at the conclusion that this rule caused 2 different redirects. Is this what your access logs are saying? Or the browser's network console?
I'm hosting 2 sites on the same server with different domains. I'd like to set up a redirect for a specific page on domain 1 and have it go to another external url. Have searched and searched and experimented but can't get it work.
The nearest I've got is
RewriteRule ^oldpagename$ http://externalsite/page [R=301,L]
but the problem with this is that it catches that url on the other domain as well. How can I restrict it to a specific domain?
thanks
You need to add a condition to match against the variable `%{HTTP_HOST}:
RewriteCond %{HTTP_HOST} ^(www\.)?domain1.com$ [NC]
RewriteRule ^oldpagename$ http://externalsite/page [R=301,L]
I have having a real problem here and I am hoping someone can help me out - let me explain:
I have a site - domain.co.uk - for the past 6 months this site has been sat on holding pages so google gets to know the domain.
I also have domain.com and domain.org - these were also set up at the same time.
We have a new website under development using a Drupal multisite install where all of the multisites are sub-domains.
Here is my problem!! The new website is now under development and I need to add various rules to the htaccess to redirect back to the holding pages but these rules are new to me and I dont really have a clue what I am doing!
This is what I need to do:
The primary domain is domain.co.uk.
I need to redirect all users requesting domain.co.uk to domain.co.uk/holding/index.php,
but I need to put an IP address exclusion in for us and the developers for testing the new site so we can see what is going on with the new website.
The website also has .com alias and this needs to go to domain.co.uk for all requests.
So here is what I have so far and it does not work as it should:
// I set this to re-write anything except the subdomains I want to see
RewriteCond %{HTTP_HOST} !^(www.domain\.co\.uk)|(subdomain1.domain\.co\.uk)|(subdomain2.domain\.co\.uk)|(subdomain3.domain\.co\.uk)$ [NC]
RewriteRule (.*)$ http://www\.domain\.co\.uk%{REQUEST_URI} [R=302,L]
// then I have put in some rules for checking the ip's and producing a redirect that does not match earlier requests.
RewriteCond %{REMOTE_HOST} !^(xx\.xxx\.xxx\.xx)|(xx\.xx\.xx\.xx)$
RewriteCond %{REQUEST_URI} !/holding/index\.php$ [NC]
RewriteCond %{REQUEST_URI} !\.(jpe?g?|png|gif|css) [NC]
RewriteRule ^(.*)$ /holding/index\.php [R=302,L]
The result so far is:
if a general user goes to the domain.co.uk it redirects to the holding page - GOOD
if a user from the 'excluded ip's address list goes to domain.co.uk they also get redirected - BAD - but if they go to .domain.co.uk/index.php the Drupal site loads with the new design.
If a user from the excluded ip's list goes to subdomain1.domain.co.uk they get redirected to the holding pages - BAD- this, I think, should not happen due to the 1st rule but I am totally lost.
Anyone got any ideas how to get this working so that a user with an allowed ip can access the new website and all it's subdomains but any general user is directed to the holding pages.
Many thanks - my head is about to explode!!
${REMOTE_ADDR} is the IP Address, ${REMOTE_HOST} is the hostname if available.
You could also temporarily add ${REMOTE_ADDR} into the redirect to the holding page to check that you are putting the right addresses in, e.g.:
RewriteRule ^(.*)$ /holding/index\.php?ip=${REMOTE_ADDR} [R=302,L]