I'm using Apache 2.4.12 (Ubuntu 15.10) as an oauth2 proxy behind a node app. The app sends lots of unauthenticated requests before login b/c it doesn't know it's not authenticated (it doesn't know/care about the proxy) which creates lots of large cookies which can cause issues.

What I'd like to do is say if a particular cookie doesn't exist (mod_auth_openidc_session) -- which means it hasn't auth'd yet -- block all requests to my server. So far I have this but I'm not sure if this is correct (since the condition takes time to repro):

```apache
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !mod_auth_openidc_session
RewriteRule .*my.server.com.* [F]
```

Is this doing what I want?:

Block all requests to http(s)://my.server.com/ or http(s)://my.server.com/login etc unless the cookie mod_auth_openidc_session is present.

Trimbee

1 Answer

Your overall goal strikes me as odd, but with respect to your rewrite recipe, the RewriteRule directive is wrong. The general syntax is `RewriteRule Pattern Substitution [flags]`, where the Pattern matches against the path in the URL, but since your matching is fine by the RewriteCond rule you might just want `RewriteRule (.*) $1 [F]`. If you do want to match only the one host, then that needs another RewriteCond rule to match against HTTP_HOST.

mc0e
  • Thanks so much. There were two useful points here. Obviously answering how to do the rewrite but then also pointing out having more rewrite conditions is a good idea. So, putting it all together this was good for me: `RewriteCond %{HTTP_HOST} ^my\.server\.com$ RewriteCond %{HTTP_COOKIE} !mod_auth_openidc_session RewriteCond %{REQUEST_URI} ^/websocketpath [NC] RewriteRule (.*) $1 [F,L,NC]` – Trimbee Dec 15 '15 at 05:27
  • If you just want to pass the URL through unchanged then it's preferable to simply use a hyphen for the substitution, ie. `RewriteRule ^ - [F]` - no need for the `L` or `NC` flags here (`F` implies `L`). – MrWhite Sep 21 '16 at 09:16
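
The rule from the question next to a corrected form that combines the points from the answer and both comments, as an added example that is not code from any of the posters. The hostname, path and cookie name are the ones used on this page; the optional port in the host pattern and the anchored cookie pattern are additions made here.

```apache
# Added example; place it in the <VirtualHost> for my.server.com (server
# context). There mod_rewrite runs before the authentication phase, so the
# 403 is returned before the OIDC module handles the request. In .htaccess
# or <Directory> context rewrite rules run after authentication instead.

# --- As posted in the question (does not do what was intended) ---
# RewriteRule takes "Pattern Substitution [flags]". With only two arguments,
# "[F]" is parsed as the Substitution, so no Forbidden flag is set, and the
# Pattern is compared with the URL path, which never contains the hostname.
#
#   RewriteCond %{HTTP_COOKIE} !mod_auth_openidc_session
#   RewriteRule .*my.server.com.* [F]

# --- Corrected form ---
RewriteEngine On

# The Host header may carry a port and is case-insensitive.
RewriteCond %{HTTP_HOST} ^my\.server\.com(:\d+)?$ [NC]

# Match the cookie *name* at the start of a cookie pair, so the same string
# inside another cookie's name or value does not satisfy the check.
RewriteCond %{HTTP_COOKIE} !(^|;\s*)mod_auth_openidc_session=

# Limit the block to the app's background endpoint. The login and OIDC
# redirect paths must stay reachable without the cookie, otherwise the
# session cookie can never be issued.
RewriteCond %{REQUEST_URI} ^/websocketpath [NC]

# "-" leaves the URL unchanged; F answers 403 and implies L.
RewriteRule ^ - [F]
```

The cookie test only checks that a cookie with that name is present, which any client can send, so it filters pre-login noise and leaves the actual access decision to mod_auth_openidc. To check the rule, request `/websocketpath` once without a `Cookie` header (expect 403) and once with `Cookie: mod_auth_openidc_session=x` (expect the request to reach the normal auth handling).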