How can I restrict access to an application that I do not control only via another referrer application?
Our client has a set of (5-6) intranet/internet applications, either custom developed or third-party, located on various web servers, which we cannot modify or control.

We have developed a web portal application (A), and the client wants all its other applications (B) to be accessed only via A, meaning that if a user enters the URL for application B directly, he gets an error page telling him that access is allowed only via A. So the user has to log in to application A and then click a link to application B to access it. This requirement has been asked for security reasons and to make A act as an access gateway to the other applications (B).

Is this possible, and how can we implement it? Should we use another web server on top acting as a proxy to all the other applications (B), or is there a better solution for this? And if we use another web server as a proxy, should we implement the referrer logic with a user id / token approach combined with appropriate session cookies, so that application B's URL cannot be hacked and is unique for each user and session?

Sorry if I stated my questions unclearly or in the wrong way, but I'm unfamiliar with network/system administration and web servers. I can provide more details where needed.

Apoplectic answered 8/1, 2014 at 11:2 Comment(2)
You say you cannot modify the other applications (B), so how will they know to refuse connections when not connected through the portal? - Ceporah
That's why I was thinking of a top-level web server acting as a proxy (extra security level / filter) to the applications (B), if this is somehow doable of course. Hosting of the applications is done by our client though, so it will be possible for us to control it too. - Apoplectic

There are different approaches here:
1. Using a firewall, set up access to B's http(s) port only from A's IP address.
2. Set a Directory restriction in httpd.conf for app B's directory, like:

# Apache 2.2 access-control syntax; on Apache 2.4 the equivalent is "Require ip <IP of A>"
<Directory "/var/www/B">
   AllowOverride None
   Order allow,deny
   Allow from <IP of A>
</Directory>

In app A create a link (http://ip_A/accesstoB/somepath/script.php) that will be proxied to B using an .htaccess rule like:

# needs mod_rewrite and mod_proxy loaded on A; [P] hands the rewritten URL to mod_proxy
RewriteEngine On
RewriteRule ^accesstoB/(.*)$ http://<ip_B>/$1 [P]

In this example, a customer accessing the link http://ip_A/accesstoB/somepath/script.php will be proxied to http://ip_B/somepath/script.php

Influent answered 10/1, 2014 at 22:25 Comment(4)
Be aware that the security of this solution is limited to the security of TCP/IP - if a user can control the contents of TCP packets received by B that appear to come from A (e.g. through ARP poisoning), then they can carry out requests without authenticating first. +1 for the nice simple approach though. - Grados
@Grados Thanks for the simple approach, but if I understand correctly this one is only for the first request coming from the referrer application A. What about the subsequent requests after users enter application B, which will not have the IP of A? - Apoplectic
Just keep ^accesstoB/ in the URL and it will be proxied through [A] all the time. There is no need for customers to know about [B] at all ;) - Influent
@Grados OK, I think this will do the trick. Although the actual requirement was to have a link to the external application (maybe the login page?) in our portal and then, after the user is authenticated and the referrer checked, users continue in application B normally, such as url_B/page1, url_B/page2, etc. - Apoplectic
  1. You begin by restricting access to the B applications using web server conf files or firewall restrictions based on IP.
  2. Then you redirect all these requests to a new wrapper app you will develop.
  3. With this wrapper app you do whatever authentication you like; then your wrapper app makes the http/https request (via libcurl or similar) and echoes the response.
Syngamy answered 10/1, 2014 at 14:0 Comment(0)
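The gateway logic that both answers describe, as an added example that is not code from any of the answers above: every request for B goes through a path under A, A checks its own signed session token rather than the client-controlled Referer header, rejects direct or malformed paths with the error page the question asks for, and forwards the rest with the browser's cookies stripped. The secret key, the ip_B origin, the cookie name and the X-Forwarded-User header are assumptions (B is untouched, as the question requires, so the header is informational only); the actual HTTP forwarding is returned as a descriptor so the logic runs offline.

```python
import hmac, hashlib, time
from typing import Optional
# Constructed values for the example; a real deployment loads these from config.
GATEWAY_KEY = b"replace-with-a-random-32-byte-secret"   # hypothetical secret
UPSTREAM_B = "http://ip_B"                             # hypothetical origin of app B
COOKIE_NAME = "portal_session"                         # hypothetical cookie name
PREFIX = "/accesstoB/"                                 # prefix from the answer above

def issue_token(user: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Mint 'user:expiry:mac' once portal A has authenticated the user."""
    exp = int((time.time() if now is None else now) + ttl)
    mac = hmac.new(GATEWAY_KEY, f"{user}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{user}:{exp}:{mac}"

def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the token is intact and unexpired, else None."""
    try:
        user, exp, mac = token.rsplit(":", 2)
        exp = int(exp)
    except ValueError:
        return None
    expected = hmac.new(GATEWAY_KEY, f"{user}:{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):      # constant-time comparison
        return None
    return user if (time.time() if now is None else now) < exp else None

def get_cookie(header: str, name: str) -> Optional[str]:
    for part in header.split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v
    return None

def gateway(path: str, headers: dict, now: Optional[float] = None) -> tuple:
    """Decide what A does with one browser request for B.
    Returns ('deny', status, body) or ('forward', upstream_url, upstream_headers).
    The Referer header is never consulted: the client controls it."""
    if not path.startswith(PREFIX):
        return ("deny", 404, "Not found")
    user = verify_token(get_cookie(headers.get("Cookie", ""), COOKIE_NAME) or "", now)
    if user is None:
        return ("deny", 403, "Access is allowed only via portal A")
    rest = path[len(PREFIX):]
    if ".." in rest.split("/") or rest.startswith("/"):   # stay inside B's tree
        return ("deny", 400, "Bad path")
    # Drop the browser's cookies and referrer; B only sees the gateway's identity header.
    fwd = {k: v for k, v in headers.items() if k.lower() not in ("cookie", "referer")}
    fwd["X-Forwarded-User"] = user
    return ("forward", f"{UPSTREAM_B}/{rest}", fwd)
```

Because the token is stateless it cannot be revoked before it expires; a server-side session store keyed by a random id gives the same check with logout support.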