Restrict 'goto' Domain - Apache

Posted on 2013-05-14
Medium Priority
Last Modified: 2013-06-13
I would like to configure Apache (2.2) to restrict what domains users can access, e.g. if the Apache FQDN is myapache.myfunnydomain.com then Apache will only allow requests to resources in .myfunnydomain.com (or whatever domain I configure as legal) and refuse all other requests (redirect to an error page).

I use a third party product to enforce user log in, session mgt. etc. If a user tries to access a resource and they have no session the third party product will intercept, and redirect them to a login page. It will construct a URL for the login page with a 'goto' directing the user to the originally requested resource once the third party product has authenticated the user.

I would like to implement this on apache because:

1) It limits our dependence on the third party product
2) Attempts to configure the third party product to restrict 'goto' domains have proven unsuccessful

Question by: WalterRR

Expert Comment

ID: 39166943
Not clear what you are looking for.

Use PHP, or a content management system joomla, Wordpress, alfresco etc.
Those can have user authentication builtin.

Author Comment

ID: 39167368

Thanks for the reply. I have authentication already. What I want to do is restrict what domains Apache can send users to..

For example, if a user tries to access "pageA.mydomain.com" with no session the auth system will intercept and redirect to the login page with a URL such as

www.mypage/login/?goto=http://pageA.mydomain.com

thus using the 'goto' to send them back to their originally requested page once authenticated.

To prevent hacking etc. I want Apache to restrict what domains the user can be sent to, i.e. if someone edits the goto to send them to your.malicious.domain.com, Apache will not allow this request.

Expert Comment

ID: 39168033
The Login app/script is the only way to restrict it.
Alternatively, you could use mod_redirect, mod_rewrite to match a pattern for requests requiring your domains. But note there is a resource cost.

What is the source that creates these URLs?


Author Comment

ID: 39170798
Hi Arnold,

Yes, I was thinking that mod_rewrite might be the way to go but I am an Apache novice. I have never used mod_redirect.

The source that creates the URL is OpenAM. It sits as a parallel system and redirects the user to the original resource via a goto in the URL once it verifies the username/pw.

So basically,
for mod_rewrite

Whatever is in the base URL of the goto part of the URL, maybe I need to always rewrite this to my allowed domain?

for mod_redirect?
how would this work?

something like redirect to error page unless base URL = allowed base URL?


Expert Comment

ID: 39170952
I am still unclear, but the rewrite rule will require that goto=http://(www.yourdomain.com)/(.*)
If it does not match, that is when the rule kicks in.

Where are you foreseeing that the request with goto= anything else?
That is what I am unclear about.
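The allow-list check that the thread is circling around, written out as an added example in Python (not code from the thread, OpenAM or Apache). It assumes the legal domain is myfunnydomain.com and that the login URL carries the target in a `goto` query parameter as described above; it also shows why the raw pattern suggested in the previous comment misses a percent-encoded goto.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Domains a goto may point to (constructed example values, not the asker's real domain).
ALLOWED_DOMAINS = ("myfunnydomain.com",)


def goto_allowed(goto, allowed=ALLOWED_DOMAINS):
    """True only if goto is a site-relative path or an absolute http(s) URL whose
    host is an allowed domain or a subdomain of one."""
    # "/path" stays on this site; "//host" or "/\host" is scheme-relative and must not pass.
    if goto.startswith("/") and goto[1:2] not in ("/", "\\"):
        return True
    parts = urlsplit(goto)
    if parts.scheme not in ("http", "https"):
        return False
    # "http://www.myfunnydomain.com@evil.example/" puts the real host after the '@'.
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False
    # Exact match or a proper subdomain; "myfunnydomain.com.evil.example" is neither.
    return any(host == d or host.endswith("." + d) for d in allowed)


def login_redirect_allowed(login_url, allowed=ALLOWED_DOMAINS):
    """Inspect the login URL OpenAM builds (.../login/?goto=...) and decide whether
    every goto value, after percent-decoding, is acceptable."""
    gotos = parse_qs(urlsplit(login_url).query).get("goto", [])
    if not gotos:
        return True  # no goto at all: nothing to redirect to
    return all(goto_allowed(g, allowed) for g in gotos)


def naive_rule_matches(login_url):
    """The pattern proposed in the thread, applied to the raw query string the way a
    RewriteCond on %{QUERY_STRING} would see it (dots escaped here). It never matches
    a percent-encoded goto, so a 'block unless matched' rule would reject valid logins."""
    query = urlsplit(login_url).query
    return re.search(r"goto=http://(www\.myfunnydomain\.com)/(.*)", query) is not None
```

Because the decision is made on the parsed host rather than on a substring of the query string, the same function can sit in the login application or behind a reverse proxy hook, whichever end the check is finally placed at.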

Author Comment

ID: 39170986
We had a security audit...and the security audit guy said that an unrestricted 'goto' is a vulnerability. He followed the use case as I described, tried to access a page and he got redirected to the login screen with a URL containing a goto for the originally requested URL.

So, he had the login page open...


He then manually edited the goto of the url in the browser


OpenAM authenticated him as expected and then redirected him to the goto...in this case www.google.com. His point is this is a vulnerability as a hacker could use this to redirect users to a malicious site and so on.

He said we should only allow users be redirected to resources in our trusted domain....hence my series of badly explained questions!

Expert Comment

ID: 39171718
Instead of trying to deal with this on the apache request side, look at whether OpenAM includes a restriction feature that would verify the parameter in the goto assignment.

I am puzzled at what vulnerability the security auditor sees.

An employee goes to the fleet manager to obtain keys for travel. All vehicles equipped with GPS.
OpenAM is the fleet manager. Once the person's credentials are verified keys are handed out.
There is nothing preventing the employee from driving the car to a location other than sanctioned.
In your question you are asking to alter the mechanisms in the car such that it will only work while the person is going to the sanctioned location.

My suggestion, is make sure that prior to handing over the keys OpenAM, checks whether the destination the user is planning on going is sanctioned.

Author Comment

ID: 39177838
Thanks again, openam does have a server side setting for this but we don't use its "vanilla" installation, and for some unknown reason it won't work with our setup.

Hence, I'm trying to achieve this at Apache once redirect is issued...

Expert Comment

ID: 39177873
The redirect filtering would add unnecessary overhead to the server. The other issue is what is the consequence of someone manually modifying and submitting a URL?

Are you using apache as an internal proxy?

The user must still authenticate into openAM?

I am at a loss of what the consequence of this modification is that your security person sees as an issue.

It is one thing that if a modification such as you outline would grant a person access to a resource they do not or can not access.

Author Comment

ID: 39179725

Apache is used as a reverse proxy and host page for a suite of business tools and yes, OpenAM would have to authenticate the user before this could happen.

One example the security auditor gave is that someone (not the current user) could:

a) mock your main GUI page and have users interact with that when they think they have been redirected to genuine pages
b) use it to get users to download virus/.exe files and so on

His main point is that they think they are on business site A, they are actually somewhere else in the world and this exposes the business.

Accepted Solution

arnold earned 1000 total points
ID: 39179855
This is not a security that is impacted by the rewriteable URL internally and you can not address that either with the rules you are considering.

Check the options you have within OpenAM to see whether the goto directive can be configured as a POST data rather than a get method (URL encoded that you currently have)

A reverse proxy only allows a specific URL IN.
You could try configuring the reverse proxy filter but as I said, I think the overhead to deal with this outside of OpenAM might be a waste. Look through the logs of your reverse proxy to see whether you have ever seen a request that redirects to an external URL.

The other question for security is how does the user get to the URL in the first place.
For an external source to divert them they have to get the user to hit a link the user normally would not, i.e. a notification by email, etc.

Author Closing Comment

ID: 39246016
Thanks for taking the time to help
