0

I'm using Apache 2.4.12 (Ubuntu 15.10) as an oauth2 proxy behind a node app. The app sends lots of unauthenticated requests before login b/c it doesn't know it's not authenticated (it doesn't know/care about the proxy) which creates lots of large cookies which can cause issues.

What I'd like to do is say if a particular cookie doesn't exist (mod_auth_openidc_session) -- which means it hasn't auth'd yet -- block all requests to my server. So far I have this but I'm not sure if this is correct (since the condition takes time to repro):

RewriteEngine On
RewriteCond %{HTTP_COOKIE} !mod_auth_openidc_session
RewriteRule .*my.server.com.* [F]

Is this doing what I want?:

Block all requests to http(s)://my.server.com/ or http(s)://my.server.com/login etc unless the cookie mod_auth_openidc_session is present.

Trimbee
  • 53

1 Answer

0

Your overall goal strikes me as odd, but with respect to your rewrite recipe, the RewriteRule directive is wrong. The general syntax is RewriteRule Pattern Substitution [flags], where the Pattern matches against the path in the URL, but since your matching is fine by the RewriteCond rule you might just want RewriteRule (.*) $1 [F]. If you do want to match only the one host, then that needs another RewriteCond rule to match against HTTP_HOST.

mc0e
  • 5,979
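The question's rule next to a form that follows the answer's two points (a Substitution is required, and the host is matched with a RewriteCond on HTTP_HOST). This is an added example, not code from either post; it assumes the directives sit in server or virtual-host context and reuses the host and cookie names from the question.

```apache
RewriteEngine On

# Rule as posted in the question, kept commented out for comparison.
# The Pattern is tested against the URL path (for example "/login"),
# never the hostname, so ".*my.server.com.*" does not match ordinary
# requests. With only two arguments, "[F]" is read as the Substitution,
# not as a flag list.
#
# RewriteCond %{HTTP_COOKIE} !mod_auth_openidc_session
# RewriteRule .*my.server.com.* [F]

# Corrected form. Consecutive RewriteCond lines are ANDed by default.

# 1. Only act on the one host (an optional port is allowed in the header).
RewriteCond %{HTTP_HOST} ^my\.server\.com(:\d+)?$ [NC]

# 2. Only act when the session cookie is absent. Anchoring on the cookie
#    name and "=" avoids matching the string inside another cookie's value.
RewriteCond %{HTTP_COOKIE} !(^|;\s*)mod_auth_openidc_session=

# 3. Match every path, substitute nothing ("-"), answer 403 Forbidden.
RewriteRule ^ - [F]
```

The browser's first page load and the return from the identity provider also arrive without the session cookie, so a rule this broad needs a further RewriteCond on %{REQUEST_URI} that exempts whatever paths must start or finish the login.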