
I would like to configure Apache (2.2) to restrict what domains users can access, e.g. if the Apache FQDN is myapache.myfunnydomain.com then Apache will only allow requests to resources in .myfunnydomain.com (or whatever domain I configure as legal) and refuse all other requests (redirect to an error page).

Use case is:

  1. User attempts access to restricted resource
  2. I use OpenAM / the OpenAM Policy Agent for authentication (the Policy Agent installs as an Apache module that listens to all traffic)
  3. The OpenAM Policy Agent module intercepts this and redirects the user to the login page
  4. The URL for this login page is of the form www.loginpage.com/?goto=originallyrequestedresource.com
  5. Once the user presses login, this POST goes to the parallel OpenAM system
  6. Once OpenAM authenticates, it uses this goto to redirect the user to the value of 'goto' (using a 302)
  7. I want to ensure that a user can never be redirected to a domain other than my allowed domain

e.g. if someone hacks the system and manages to change the value of goto, then Apache will not allow this request to succeed.

1 Answer


Create vhosts. The order of the vhosts matters: the first vhost is served if none of the other vhosts matches.

Take a look at http://httpd.apache.org/docs/2.2/vhosts/name-based.html

Create something like:

NameVirtualHost *:80

# First vhost listed = default/catch-all: it serves any Host header that no later
# vhost matches. It must not carry a ServerAlias such as *.domain.tld, because
# Apache picks the first vhost whose ServerName/ServerAlias matches, and that
# alias would swallow www.domain.tld before the second vhost is considered.
<VirtualHost *:80>
    ServerName dummy.domain.tld
    DocumentRoot /www/domain/dummy
    # Refuse everything that lands here: 403 with a short error page for every path
    ErrorDocument 403 "Requests to this host name are not permitted"
    Redirect 403 /
</VirtualHost>

# Specific vhosts follow; each answers only for its own FQDN
<VirtualHost *:80>
    ServerName www.domain.tld
    DocumentRoot /www/otherdomain
</VirtualHost>

Let the first vhost be a catch-all vhost (redirecting to an error page if it is accessed, regardless of the request).

Then the subsequent vhosts can be specific vhosts that respond to specific FQDNs.

In the above example, all the requests that do not match 'www.domain.tld' will be served by the first vhost.

You might also want to read up on the ServerAlias directive from http://httpd.apache.org/docs/2.2/mod/core.html#serveralias

-- Hope this helps.
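One caveat a practitioner would want alongside the vhost approach above: a catch-all vhost decides which Host headers this Apache will serve, but it cannot act on a 302 whose Location points at another domain, because the browser sends that follow-up request to the other server and it never reaches this Apache at all. The goto value therefore has to be validated where the 302 is issued, before the Location header is written. The following is an added example, not code from the original post, from OpenAM, or from Apache: a Python check that accepts a goto value only if it is a same-site relative path or an absolute http(s) URL on the allowed domain or one of its subdomains, and substitutes a fixed landing page otherwise. The domain name, the fallback target, the function names and the sample goto values are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed values: the domain the original post calls "myfunnydomain.com" and a
# fallback landing page on that domain used whenever a goto value is rejected.
ALLOWED_DOMAIN = "myfunnydomain.com"
DEFAULT_TARGET = "https://myapache.myfunnydomain.com/"


def is_allowed_host(host, allowed_domain=ALLOWED_DOMAIN):
    """True if host is allowed_domain itself or a subdomain of it.

    The comparison is on whole DNS labels, so 'evilmyfunnydomain.com' and
    'myfunnydomain.com.evil.example' both fail; a trailing dot is ignored.
    """
    if not host:
        return False
    host = host.lower().rstrip(".")
    allowed = allowed_domain.lower().rstrip(".")
    return host == allowed or host.endswith("." + allowed)


def safe_goto(goto, allowed_domain=ALLOWED_DOMAIN, default=DEFAULT_TARGET):
    """Return goto unchanged if it may be used as a 302 target, else default.

    Accepted: a same-site relative path ('/app/page'), or an absolute http(s)
    URL whose host is allowed_domain or a subdomain of it.
    """
    if not goto:
        return default
    # Backslashes and control characters: some browsers read 'http:\\evil' as
    # 'http://evil', and CR/LF in a Location value is header injection. Reject outright.
    if any(c in goto for c in "\\\r\n\x00"):
        return default
    # A plain relative path stays on the site that issued the redirect.
    # '//evil.example' is scheme-relative and deliberately not matched here.
    if goto.startswith("/") and not goto.startswith("//"):
        return goto
    try:
        parts = urlsplit(goto)
        host = parts.hostname  # lower-cased, brackets stripped; raises on a bad IPv6 literal
    except ValueError:
        return default
    # Only http(s): rejects javascript:, data:, and scheme-relative '//evil.example'.
    if parts.scheme.lower() not in ("http", "https"):
        return default
    # 'http://myfunnydomain.com@evil.example/' puts the allowed name in the userinfo
    # part; the real host is evil.example. Reject any userinfo rather than reason about it.
    if parts.username is not None or parts.password is not None:
        return default
    if not is_allowed_host(host, allowed_domain):
        return default
    return goto


if __name__ == "__main__":
    # Constructed sample goto values, as an attacker-controlled query parameter might carry them.
    for sample in [
        "https://app.myfunnydomain.com/secure/page?x=1",
        "/secure/page",
        "https://myfunnydomain.com.evil.example/",
        "https://myfunnydomain.com@evil.example/",
        "//evil.example/",
        "javascript:alert(1)",
    ]:
        print(f"{sample!r:50} -> {safe_goto(sample)}")
```

The check compares the parsed host name, not the raw string: substring tests such as `"myfunnydomain.com" in goto` are what the userinfo, subdomain-suffix and query-string tricks above are built to defeat. Rejected values fall back to a fixed page on the allowed domain rather than to an error, so a tampered goto costs the attacker the redirect without breaking the login for the user.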