On Fri, Oct 11, 2013 at 3:58 PM, Philippe Marcoussis
<philippe.marcous...@gmail.com> wrote:
> Hello,
>
> I am facing a problem, and i don't known how to solve it.
>
> I have two web sites working and available on the internet :
> - applications.example.com
> - secure.example.com
>
> I would like :
> 1) to allow FULL access FROM applications.example.com TO secure.example.com
> ( without any authentication)
I presume from the subject what you mean here is that requests with a
referer of "applications.example.com" are allowed to access
"secure.example.com", and not that requests that are from the host
"applications.example.com" are allowed on the host
"secure.example.com".
>
> AND
>
> 2) to allow access FROM Internet TO secure.example.com only with LDAP
> Authentification.
> PS: I know how to configure ldap authentication, that is not the matter
>
> What apache directive should I use ? mod_rewrite ? http_referer ?
In 2.2/2.4, something like this might work (untested):
RewriteCond %{HTTP_REFERER} ^applications.example.com$
RewriteRule .* - [E=valid_referer:1]
SetEnvIf Referer applications\.example\.com valid_referer=1
<Location />
Deny from all
Allow from env=valid_referer
AuthType basic
AuthBasicProvider ldap
AuthLDAPURL ....
Require valid-user
Satisfy any
</Location>
The tricky bit is getting the referer check in to the standard AAA, so
that it can be combined with "Satisfy any".
BTW, even if this does work, it is not a good idea. Referer is not a
required HTTP field, browsers often do not send it to requests made
from a different domain (eg this scenario) if configured "securely",
and since it is unauthenticated information submitted by the user, can
be easily circumvented if the user so desires.
Cheers
Tom
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
