WalterRR asked:

Restrict 'goto' Domain - Apache

I would like to configure Apache (2.2) to restrict what domains users can access, e.g. if the Apache FQDN is then Apache will only allow requests to resources in (or whatever domain I configure as legal) and refuse all other requests (redirect to error page).

I use a third party product to enforce user log in, session mgt. etc. If a user tries to access a resource and they have no session the third party product will intercept, and redirect them to a login page. It will construct a URL for the login page with a 'goto' directing the user to the originally requested resource once the third party product has authenticated the user.

I would like to implement this on apache because:

1) It limits our dependence on the third party product
2) Attempts to configure the third party product to restrict 'goto' domains have proven unsuccessful
arnold replied:

Not clear what you are looking for.

Use PHP, or a content management system: Joomla, WordPress, Alfresco etc.
Those can have user authentication builtin.
WalterRR replied:

Thanks for the reply. I have authentication already. What I want to do is restrict what domains Apache can send users to.

For ex. If a user tries to access "" with no session the auth system will intercept and redirect to the login page with a URL www.mypage/login/?goto=

thus using the 'goto' to send them back to their originally requested page once authenticated.

To prevent hacking etc. I want Apache to restrict what domains the user can be sent to, i.e. if someone edits the goto to send them to Apache will not allow this request.

The Login app/script is the only way to restrict it.
Alternatively, you could use mod_redirect, mod_rewrite to match a pattern for requests requiring your domains. But note there is a resource cost.

What is the source that creates these URLs?
Hi Arnold,

Yes, I was thinking that mod_rewrite might be the way to go but I am an Apache novice. I have never used mod_redirect.

the source that creates the URL is OpenAM. It sits as a parallel system and redirects the user to the original resource via a goto in the URL once it verifies the username/pw.

So basically,
for mod_rewrite

whatever is in the base URL of the goto part of the URL, maybe I need to always rewrite this to my allowed domain?

for mod_redirect?
how would this work?

something like redirect to error page unless base URL = allowed base URL?

I am still unclear, but the rewrite rule will require that goto=http://(*)
If it does not match, that is when the rule kicks in.

Where are you foreseeing that the request with goto= anything else?
That is what I am unclear about.
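As an added example (not code from the thread, from OpenAM or from the Apache project), here is how the check arnold sketches could look with Apache 2.2 mod_rewrite, placed in the VirtualHost that fronts the login page. The trusted host intranet.example.com, the /login/ path and the /error/badgoto.html page are placeholder assumptions.

```apache
# Added example: refuse a login request whose goto= parameter points outside
# the trusted domain. Assumes the login page is served under /login/, the
# trusted host is intranet.example.com (placeholder) and /error/badgoto.html
# exists. Rules run before ProxyPass, so a bad goto never reaches OpenAM.
RewriteEngine On

# Only inspect requests for the login page ...
RewriteCond %{REQUEST_URI} ^/login/
# ... that actually carry a goto parameter (raw or percent-encoded value)
RewriteCond %{QUERY_STRING} (^|&)goto=
# Allow 1: absolute URL on the trusted host (optional :port) followed by
# end-of-value, '/', '?' or '&'. The terminator matters: without it
# goto=https://intranet.example.com.evil.test/ or
# goto=https://intranet.example.com@evil.test/ would slip through.
RewriteCond %{QUERY_STRING} !(^|&)goto=https?(:|%3A)(//|%2F%2F)intranet\.example\.com(:[0-9]+)?($|/|%2F|\?|%3F|&) [NC]
# Allow 2: a host-less path such as goto=/app/page, but NOT a scheme-relative
# //evil.test or /\evil.test, which browsers treat as a different host.
RewriteCond %{QUERY_STRING} !(^|&)goto=(/|%2F)(?!/|%2F|\\|%5C) [NC]
# Neither allow pattern matched: send the user to the error page and drop the
# original query string (trailing '?') so the bad goto is not carried along.
RewriteRule ^ /error/badgoto.html? [R=302,L]
```

A quick check after reloading is to request /login/?goto=https://intranet.example.com.evil.test/ and confirm a 302 to /error/badgoto.html, while /login/?goto=/app/page and /login/?goto=https%3A%2F%2Fintranet.example.com%2Fapp are passed through untouched.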
We had a security audit...and the security audit guy said that an unrestricted 'goto' is a vulnerability. He followed the use case as I described, tried to access a page and he got redirected to the login screen with a URL containing a goto for the originally requested URL.

So, he had the login page open...

He then manually edited the goto of the URL in the browser.

OpenAM authenticated him as expected and then redirected him to the this case His point is this is a vulnerability as a hacker could use this to redirect users to a malicious site and so on.

He said we should only allow users be redirected to resources in our trusted domain....hence my series of badly explained questions!
Instead of trying to deal with this on the apache request side, look at whether OpenAM includes a restriction feature that would verify the parameter in the goto assignment.

I am puzzled at what vulnerability the security auditor sees.

An employee goes to the fleet manager to obtain keys for travel. All vehicles equipped with GPS.
OpenAM is the fleet manager. Once the person's credentials are verified keys are handed out.
There is nothing preventing the employee from driving the car to a location other than sanctioned.
In your question you are asking to alter the mechanisms in the car such that it will only work while the person is going to the sanctioned location.

My suggestion is to make sure that, prior to handing over the keys, OpenAM checks whether the destination the user is planning on going to is sanctioned.
Thanks again, OpenAM does have a server side setting for this but we don't use its "vanilla" installation, and for some unknown reason it won't work with our setup.

Hence, I'm trying to achieve this at Apache once redirect is issued...
The redirect filtering would add unnecessary overhead to the server. The other issue is what is the consequence of someone manually modifying and submitting a URL?

Are you using apache as an internal proxy?

The user must still authenticate into openAM?

I am at a loss of what the consequence of this modification is that your security person sees as an issue.

It is one thing that if a modification such as you outline would grant a person access to a resource they do not or can not access.

Apache is used as a reverse proxy and host page for a suite of business tools and yes, OpenAM would have to authenticate the user before this could happen.

One example the security auditor gave is that someone (not the current user) could:

a) mock your main GUI page and have users interact with that when they think they have been redirected to a genuine page
b) use it to get users to download virus/.exe files and so on

His main point is that they think they are on business site A, they are actually somewhere else in the world and this exposes the business.