Solved

Restrict 'goto' Domain - Apache

Posted on 2013-05-14
496 Views
Last Modified: 2013-06-13
I would like to configure Apache (2.2) to restrict what domains users can access, e.g. if the Apache FQDN is myapache.myfunnydomain.com then Apache will only allow requests to resources in .myfunnydomain.com (or whatever domain I configure as legal) and refuse all other requests (redirect to an error page).

I use a third party product to enforce user log in, session mgt. etc. If a user tries to access a resource and they have no session the third party product will intercept, and redirect them to a login page. It will construct a URL for the login page with a 'goto' directing the user to the originally requested resource once the third party product has authenticated the user.

I would like to implement this on apache because:

1) It limits our dependence on the third party product
2) Attempts to configure the third party product to restrict 'goto' domains have proven unsuccessful
Question by:WalterRR
12 Comments

Expert Comment

by:arnold
ID: 39166943
Not clear what you are looking for.

Use PHP, or a content management system (Joomla, WordPress, Alfresco, etc.).
Those can have user authentication built in.

Author Comment

by:WalterRR
ID: 39167368
Hi,

Thanks for the reply. I have authentication already. What I want to do is restrict what domains Apache can send users to.

For example, if a user tries to access "pageA.mydomain.com" with no session the auth system will intercept and redirect to the login page with a URL like

www.mypage/login/?goto=http://pageA.mydomain.com

thus using the 'goto' to send them back to their originally requested page once authenticated.

To prevent hacking etc. I want Apache to restrict what domains the user can be sent to, i.e. if someone edits the goto to send them to your.malicious.domain.com Apache will not allow this request.

Expert Comment

by:arnold
ID: 39168033
The Login app/script is the only way to restrict it.
Alternatively, you could use mod_redirect, mod_rewrite to match a pattern for requests requiring your domains. But note there is a resource cost.

What is the source that creates these URLs?

Author Comment

by:WalterRR
ID: 39170798
Hi Arnold,

Yes, I was thinking that mod_rewrite might be the way to go but I am an Apache novice. I have never used mod_redirect.

The source that creates the URL is OpenAM. It sits as a parallel system and redirects the user to the original resource via a goto in the URL once it verifies the username/password.

So basically,
for mod_rewrite

Whatever is in the base URL of the goto part of the URL, maybe I need to always rewrite this to my allowed domain?

for mod_redirect?
how would this work?

Something like redirect to the error page unless base URL = allowed base URL?

Thanks

Expert Comment

by:arnold
ID: 39170952
I am still unclear, but the rewrite rule will require that goto=http://(www.yourdomain.com)/(.*)
If it does not match, that is when the rule kicks in.

Where are you foreseeing a request with goto= anything else?
That is what I am unclear about.
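To make the pattern idea above concrete, here is an added example of what such a rule looks like in Apache 2.2 mod_rewrite. It is not from the original thread and not OpenAM's own configuration; it assumes the login page is served (or reverse-proxied) under /login/, that the only legitimate redirect targets are hosts in myfunnydomain.com (the domain from the question), and that /error/bad-redirect.html is a static page on this Apache. All of those names are placeholders. It goes beyond a plain "http://www.yourdomain.com/" match because an open-redirect allow-list is only as good as its handling of the usual bypasses (suffix domains, userinfo "@", encoded characters, scheme-relative URLs), and because OpenAM URL-encodes the goto it builds, so both the literal and the percent-encoded forms have to be accepted.

```apache
# Added example for this thread (not from the original posts and not
# OpenAM's own configuration).  Assumptions: Apache 2.2 with mod_rewrite
# loaded; this sits in the <VirtualHost> that serves or reverse-proxies
# the login page; the login page lives under /login/ (on a real OpenAM
# deployment this might be /openam/UI/Login); the only legitimate goto
# targets are myfunnydomain.com and its subdomains; /error/bad-redirect.html
# is a static page served by this Apache itself, not proxied.
# Every hostname and path here is a placeholder.

RewriteEngine On

# Uncomment while testing.  Apache 2.2 only (removed in 2.4).
# RewriteLog      /var/log/apache2/rewrite.log
# RewriteLogLevel 3

# Match when ANY goto parameter in the query string has a value that is
# NOT (a) empty, or (b) an absolute http(s) URL whose host is
# myfunnydomain.com or a subdomain of it, followed by a port, a path, a
# query, a fragment, the next parameter, or the end of the string.
#
# The negative lookahead (?!...) is tested at every "goto=" occurrence, so
# "goto=http://evil.example/&goto=http://ok.myfunnydomain.com/" is still
# rejected; the first value is the one a Java servlet would hand to OpenAM.
#
# Because OpenAM URL-encodes the goto it builds, the literal and the
# percent-encoded forms of "://", ":", "/", "?" and "#" are both accepted,
# and nothing else may follow the host.  That blocks the usual tricks:
#   http://myfunnydomain.com.evil.example/     host does not end at our domain
#   http://myfunnydomain.com@evil.example/     "@" (or %40) after the host
#   http://myfunnydomain.com:80@evil.example/  port must be digits, then end/path
#   http://myfunnydomain.com%2Eevil.example/   "%2E" (encoded dot) after host
#   http://myfunnydomain.com\@evil.example/    backslash after the host
#   //evil.example/                            no scheme
#   notmyfunnydomain.com, a.myfunnydomain.co   the host must match exactly
RewriteCond %{QUERY_STRING} (^|&)goto=(?!(&|$|https?(://|%3A%2F%2F)([A-Za-z0-9-]+\.)*myfunnydomain\.com((:|%3A)[0-9]+)?(/|%2F|\?|%3F|#|%23|&|$))) [NC]

# Only requests for the login page are inspected; everything else is
# untouched.  The trailing "?" in the substitution discards the original
# query string (2.2 syntax; 2.4 has the QSD flag), so the hostile goto is
# not carried along to the error page.
RewriteRule ^/login/ /error/bad-redirect.html? [R=302,L]

# Values that pass the allow pattern, for reference:
#   goto=http://pageA.myfunnydomain.com
#   goto=https://pageA.myfunnydomain.com:8443/app/x?y=1
#   goto=http%3A%2F%2FpageA.myfunnydomain.com%2Fapp
#   goto=                                    (empty: OpenAM falls back to its default)
```

Two caveats a practitioner should keep in mind. First, this deliberately rejects relative goto values such as /app/page; if OpenAM is configured to issue those, a separate allow for a path that begins with a single "/" (and not "//", "/\" or "/%") is needed, since a decoded "//host" is scheme-relative and would bypass the host check. Second, the rule only protects the login URL served through this Apache; any other path into OpenAM's login page (a second virtual host, a direct connection to the container) is still open, which is why the check belongs in OpenAM itself wherever that can be made to work.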
Author Comment

by:WalterRR
ID: 39170986
We had a security audit, and the security audit guy said that an unrestricted 'goto' is a vulnerability. He followed the use case as I described, tried to access a page and he got redirected to the login screen with a URL containing a goto for the originally requested URL.

So, he had the login page open...

www.mypage/login/?goto=http://pageA.mydomain.com

He then manually edited the goto of the url in the browser

www.mypage/login/?goto=http://google.com


OpenAM authenticated him as expected and then redirected him to the goto, in this case www.google.com. His point is that this is a vulnerability, as a hacker could use this to redirect users to a malicious site and so on.

He said we should only allow users to be redirected to resources in our trusted domain, hence my series of badly explained questions!
Expert Comment

by:arnold
ID: 39171718
Instead of trying to deal with this on the apache request side, look at whether OpenAM includes a restriction feature that would verify the parameter in the goto assignment.

I am puzzled at what vulnerability the security auditor sees.

An employee goes to the fleet manager to obtain keys for travel. All vehicles are equipped with GPS.
OpenAM is the fleet manager. Once the person's credentials are verified, keys are handed out.
There is nothing preventing the employee from driving the car to a location other than the sanctioned one.
In your question you are asking to alter the mechanisms in the car such that it will only work while the person is going to the sanctioned location.

My suggestion is to make sure that, prior to handing over the keys, OpenAM checks whether the destination the user is planning on going to is sanctioned.
Author Comment

by:WalterRR
ID: 39177838
Thanks again. OpenAM does have a server side setting for this but we don't use its "vanilla" installation, and for some unknown reason it won't work with our setup.

Hence, I'm trying to achieve this at Apache once the redirect is issued.

Expert Comment

by:arnold
ID: 39177873
The redirect filtering would add unnecessary overhead to the server. The other issue is: what is the consequence of someone manually modifying and submitting a URL?


Are you using apache as an internal proxy?

The user must still authenticate into openAM?

I am at a loss as to what the consequence of this modification is that your security person sees as an issue.

It would be one thing if a modification such as you outline would grant a person access to a resource they do not or cannot access.
Author Comment

by:WalterRR
ID: 39179725
Hi,

Apache is used as a reverse proxy and host page for a suite of business tools, and yes, OpenAM would have to authenticate the user before this could happen.

One example the security auditor gave is that someone (not the current user) could:

a) mock up your main GUI page and have users interact with that when they think they have been redirected to genuine pages
b) use it to get users to download virus/.exe files and so on

His main point is that they think they are on business site A, they are actually somewhere else in the world, and this exposes the business.

Accepted Solution

by:arnold (earned 500 total points)
ID: 39179855
This is not a security issue that is impacted by the rewritable URL internally, and you cannot address it either with the rules you are considering.

Check the options you have within OpenAM to see whether the goto directive can be configured as POST data rather than a GET method (URL-encoded, as you currently have).

A reverse proxy only allows a specific URL IN.
You could try configuring the reverse proxy filter but, as I said, I think the overhead of dealing with this outside OpenAM might be a waste. Look through the logs of your reverse proxy to see whether you have ever seen a request that redirects to an external URL.

The other question for security is how the user gets to the URL in the first place.
For an external source to divert them, they have to get the user to hit a link the user normally would not, i.e. a notification by email, etc.
Author Closing Comment

by:WalterRR
ID: 39246016
Thanks for taking the time to help