
I would like to configure Apache (2.2) to restrict which domains users can access, e.g. if the Apache FQDN is myapache.myfunnydomain.com, then Apache will only allow requests to resources in .myfunnydomain.com (or whatever domain I configure as legal) and refuse all other requests (redirect to an error page).

Use case is:

  1. User attempts access to restricted resource
  2. I use OpenAM / OpenAM Policy Agent for authentication (the Policy Agent installs as an Apache module that listens to all traffic)
  3. The OpenAM Policy Agent module intercepts this and redirects the user to the login page
  4. The url for this login page is of the form www.loginpage.com/?goto=originallyrequestedresource.com
  5. Once user presses login, this POST goes to the parallel OpenAM system
  6. Once OpenAM authenticates it uses this goto to redirect the user to the value of 'goto' (using 302)
  7. I want to ensure that a user can never be redirected to a domain other than my allowed domain

e.g. if someone hacks the system and manages to change the value of goto, then Apache will not allow this request to succeed.

user1843591
    If you want apache to only respond to requests for FQDNs you've explicitly configured you can use a "catch all" dummy virtual host. – Krist van Besien May 15 '13 at 04:50
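
The check asked for in step 7, written as an added example (not code from this thread, OpenAM, or the Policy Agent): a validator that accepts a `goto` value only when it is an absolute http(s) URL whose host is the allowed domain or one of its subdomains. The names `ALLOWED_DOMAIN`, `ERROR_PAGE`, `is_allowed_goto` and `safe_redirect_target` are assumptions made for illustration, and the sample URLs in the comments and tests are constructed.

```python
from urllib.parse import urlsplit

# Assumptions: the allowed parent domain from the question's example and a
# placeholder error page to fall back to when the goto value is rejected.
ALLOWED_DOMAIN = "myfunnydomain.com"
ERROR_PAGE = "https://myapache.myfunnydomain.com/error.html"


def is_allowed_goto(goto, allowed_domain=ALLOWED_DOMAIN):
    """True only for an absolute http(s) URL on allowed_domain or a subdomain."""
    # Backslashes, control characters and surrounding whitespace are handled
    # differently by browsers and URL parsers, so refuse them outright.
    if not goto or goto != goto.strip() or any(c in goto for c in "\\\r\n\t"):
        return False
    try:
        parts = urlsplit(goto)
        host = parts.hostname
        parts.port  # raises ValueError for a malformed or out-of-range port
    except ValueError:
        return False
    # Rejects relative paths, scheme-relative "//host" and non-web schemes.
    if parts.scheme not in ("http", "https") or not host:
        return False
    # "https://myfunnydomain.com@other.example/" puts the trusted name in the
    # userinfo part; the real host is what follows the "@".
    if parts.username is not None or parts.password is not None:
        return False
    host = host.rstrip(".").lower()
    allowed = allowed_domain.lower()
    # Compare on a label boundary: a plain suffix test would also accept
    # "notmyfunnydomain.com".
    return host == allowed or host.endswith("." + allowed)


def safe_redirect_target(goto, fallback=ERROR_PAGE):
    """Return goto if it passes the check, otherwise the fallback error page."""
    return goto if is_allowed_goto(goto) else fallback


if __name__ == "__main__":
    for sample in ("https://app.myfunnydomain.com/home",
                   "https://myfunnydomain.com.other.example/",
                   "//other.example/"):
        print(sample, "->", safe_redirect_target(sample))
```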

1 Answer


Create a vhost. The order of vhosts matters: the first vhost is served if none of the vhosts matches.

Take a look at http://httpd.apache.org/docs/2.2/vhosts/name-based.html

Create something like:

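# Enable name-based virtual hosting on port 80 (required in Apache 2.2)
NameVirtualHost *:80

# First vhost listed: the catch-all, served when no other vhost matches the Host header
<VirtualHost *:80>
ServerName dummy.domain.tld
# No wildcard ServerAlias here: *.domain.tld on this vhost would also match
# www.domain.tld and shadow the vhost below, since the first match in order wins
DocumentRoot /www/domain/dummy
</VirtualHost>

# Specific vhost: answers only requests for www.domain.tld
<VirtualHost *:80>
ServerName www.domain.tld
DocumentRoot /www/otherdomain
</VirtualHost>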

Let the first vhost be a catch-all vhost (redirecting to an error page if it is accessed, regardless of the request).

Then the subsequent vhosts can be specific vhosts that respond to specific FQDNs.

In the above example, all requests that do not match 'www.domain.tld' will be served by the first vhost.

You might also want to read up on the ServerAlias directive at http://httpd.apache.org/docs/2.2/mod/core.html#serveralias

--Hope this helps...

vijay rajah
  • Hi, thanks for the reply... I don't think this will work in my use case. Apologies, but I don't think I explained myself properly in the first place. I have updated the question to better explain my scenario... thanks again... – user1843591 May 16 '13 at 10:08