Restrict 'goto' Domain - Apache

Posted on 2013-05-14
Last Modified: 2013-06-13
I would like to configure Apache (2.2) to restrict what domains users can access, e.g. if the Apache FQDN is then Apache will only allow requests to resources in (or whatever domain I configure as legal) and refuse all other requests (redirect to an error page).

I use a third party product to enforce user log in, session mgt. etc. If a user tries to access a resource and they have no session the third party product will intercept, and redirect them to a login page. It will construct a URL for the login page with a 'goto' directing the user to the originally requested resource once the third party product has authenticated the user.

I would like to implement this on apache because:

1) It limits our dependence on the third party product
2) Attempts to configure the third party product to restrict 'goto' domains have proven unsuccessful
Question by: WalterRR

Expert Comment

ID: 39166943
Not clear what you are looking for.

Use PHP, or a content management system: Joomla, WordPress, Alfresco etc.
Those can have user authentication builtin.

Author Comment

ID: 39167368

Thanks for the reply. I have authentication already. What I want to do is restrict what domains Apache can send users to.

For example, if a user tries to access "" with no session, the auth system will intercept and redirect to the login page with a URL

www.mypage/login/?goto=

thus using the 'goto' to send them back to their originally requested page once authenticated.

To prevent hacking etc. I want Apache to restrict what domains the user can be sent to, i.e. if someone edits the goto to send them to Apache will not allow this request.

Expert Comment

ID: 39168033
The Login app/script is the only way to restrict it.
Alternatively, you could use mod_redirect, mod_rewrite to match a pattern for requests requiring your domains. But note there is a resource cost.

What is the source that creates these URLs?
Author Comment

ID: 39170798
Hi Arnold,

Yes, I was thinking that mod_rewrite might be the way to go, but I am an Apache novice. I have never used mod_redirect.

The source that creates the URL is OpenAM. It sits as a parallel system and redirects the user to the original resource via a goto in the URL once it verifies the username/pw.

So basically,
for mod_rewrite:

whatever is in the base URL of the goto part of the URL, maybe I need to always rewrite this to my allowed domain?

for mod_redirect:
how would this work?

something like redirect to error page unless base URL = allowed base URL?

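The "redirect to an error page unless the goto base URL is an allowed one" idea, written out as Apache 2.2 mod_rewrite configuration. This is an added example, not configuration from the thread, from OpenAM or from the Apache documentation. It assumes the login page is served through this Apache at /login/, that example.com stands in for the legal domain, and that /error/open-redirect.html is a local error page; all three are placeholders.

```apache
# Added example, not from the thread: Apache 2.2 mod_rewrite allow-list for the
# 'goto' parameter on the login URL. Goes in the VirtualHost that serves /login/.
# Placeholders: legal domain example.com, error page /error/open-redirect.html.
RewriteEngine On

# Internal map so a percent-encoded goto (http%3A%2F%2F...) is checked in decoded form.
RewriteMap unescape int:unescape

# 1. Only inspect requests whose query string carries a goto parameter; %1 = raw value.
RewriteCond %{QUERY_STRING} (?:^|&)goto=([^&]+)

# 2. After decoding, the value must be either
#      - a site-relative path: "/" followed by anything but "/" or "\"
#        (so protocol-relative //host and /\host are refused), or
#      - an absolute http(s) URL whose host is example.com or a subdomain of it,
#        followed by ":", "/", "?", "#" or end of string (so look-alike hosts such
#        as example.com.evil.test and user@host forms are refused).
#    The leading "!" inverts the match, so the rule fires only for disallowed targets.
RewriteCond ${unescape:%1} !^(?:/(?:[^/\\]|$)|https?://(?:[^/?#@]*\.)?example\.com(?:[:/?#]|$)) [NC]

# 3. Send the browser to a local error page instead of continuing to the login flow.
RewriteRule ^/login/ /error/open-redirect.html [R=302,L]
```

A few points for anyone trying this: RewriteMap is only valid in server or VirtualHost context, not in .htaccess; a double-encoded goto decodes to something that still starts with "http%3A", which the pattern refuses, so it fails closed; and while testing, RewriteLog with RewriteLogLevel (2.2 directives) shows which condition matched for a given request. The rule can only act on requests that actually pass through this Apache, so a restriction in OpenAM itself, which the thread goes on to discuss, is still the primary control; the rewrite is a backstop.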

Expert Comment

ID: 39170952
I am still unclear, but the rewrite rule will require that goto=http://(*)
If it does not match, that is when the rule kicks in.

Where are you foreseeing that the request with goto= anything else?
That is what I am unclear about.

Author Comment

ID: 39170986
We had a security audit, and the security audit guy said that an unrestricted 'goto' is a vulnerability. He followed the use case as I described, tried to access a page and got redirected to the login screen with a URL containing a goto for the originally requested URL.

So, he had the login page open...

He then manually edited the goto of the URL in the browser.

OpenAM authenticated him as expected and then redirected him to the in this case. His point is that this is a vulnerability, as a hacker could use this to redirect users to a malicious site and so on.

He said we should only allow users be redirected to resources in our trusted domain....hence my series of badly explained questions!

Expert Comment

ID: 39171718
Instead of trying to deal with this on the apache request side, look at whether OpenAM includes a restriction feature that would verify the parameter in the goto assignment.

I am puzzled at what vulnerability the security auditor sees.

An employee goes to the fleet manager to obtain keys for travel. All vehicles equipped with GPS.
OpenAM is the fleet manager. Once the person's credentials are verified keys are handed out.
There is nothing preventing the employee from driving the car to a location other than sanctioned.
In your question you are asking to alter the mechanisms in the car such that it will only work while the person is going to the sanctioned location.

My suggestion is to make sure that, prior to handing over the keys, OpenAM checks whether the destination the user is planning on going to is sanctioned.

Author Comment

ID: 39177838
Thanks again. OpenAM does have a server side setting for this, but we don't use its "vanilla" installation, and for some unknown reason it won't work with our setup.

Hence, I'm trying to achieve this at Apache once redirect is issued...

Expert Comment

ID: 39177873
The redirect filtering would add unnecessary overhead to the server. The other issue is: what is the consequence of someone manually modifying and submitting a URL?

Are you using apache as an internal proxy?

The user must still authenticate into openAM?

I am at a loss of what the consequence of this modification is that your security person sees as an issue.

It is one thing that if a modification such as you outline would grant a person access to a resource they do not or can not access.

Author Comment

ID: 39179725

Apache is used as a reverse proxy and host page for a suite of business tools, and yes, OpenAM would have to authenticate the user before this could happen.

One example the security auditor gave is that someone (not the current user) could:

a) mock your main GUI page and have users interact with that when they think they have been redirected to a genuine page
b) use it to get users to download virus/.exe files and so on

His main point is that they think they are on business site A, while they are actually somewhere else in the world, and this exposes the business.

Accepted Solution

arnold earned 500 total points
ID: 39179855
This is not a security issue that is impacted by the rewritable URL internally, and you cannot address that either with the rules you are considering.

Check the options you have within OpenAM to see whether the goto directive can be configured as POST data rather than a GET method (the URL-encoded form that you currently have).

A reverse proxy only allows a specific URL IN.
You could try configuring the reverse proxy filter, but as I said, I think the overhead to deal with this outside OpenAM might be a waste. Look through the logs of your reverse proxy to see whether you have ever seen a request that redirects to an external URL.

The other question for security is how does the user get to the URL in the first place.
For an external source to divert, they have to get the user to hit a link the user normally would not, i.e. a notification by email, etc.

Author Closing Comment

ID: 39246016
Thanks for taking the time to help
