How can I restrict access to an application that I do not control only via another referrer application?

StackOverflow https://stackoverflow.com/questions/20993728

Question

Our client has a set of (5-6) intranet/internet applications, either custom developed or 3rd-party, located on various web servers, which applications we cannot modify/control.

We have developed a web portal application (A) and the client wants all its other applications (B) to be accessed only via A, meaning that if a user enters the application URL for B directly, he gets an error page telling him that access is allowed only via A. So, the user has to log in to application A and then click a link to application B to access it. This requirement has been asked for security reasons and to make A act as an access gateway to the other applications (B).

Is this possible and how can we implement it? Should we use another web server on top acting as a proxy to all other applications (B), or is there a better solution for this? And if we use another web server as a proxy, should we implement the referrer logic with a user id - token approach combined with appropriate session cookies, so that application B's URL cannot be hacked and is unique for each user and session?

Sorry if I stated my questions unclearly or in a wrong way, but I'm unfamiliar with network/system administration and web servers. I can provide more details where needed.


Solution

There are different approaches here:
1. Using a firewall, allow access to B's http(s) port only from A's IP address.
2. Set a Directory restriction in httpd.conf for app B's directory, like:

# Apache 2.2 syntax; on Apache 2.4 replace the Order/Allow lines with: Require ip <IP of A>
<Directory "/var/www/B">
   AllowOverride None
   Order allow,deny
   Allow from <IP of A>
</Directory>

In app A, create a link (http://ip_A/accesstoB/somepath/script.php) that will be proxied to B using an .htaccess rule like:

# the [P] flag needs mod_rewrite plus mod_proxy and mod_proxy_http enabled
RewriteEngine On
RewriteRule ^accesstoB/(.*)$ http://<ip_B>/$1 [P]

In this example, a customer accessing the http://ip_A/accesstoB/somepath/script.php link will be proxied to http://ip_B/somepath/script.php
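The two halves of this answer, put together as a complete configuration (an added example, not the answerer's own config): the restriction on B's server, shown in both the Apache 2.2 syntax used above and the 2.4 `Require` form, and the reverse-proxy virtual host on A. The addresses 10.0.0.5 (A) and 10.0.0.9 (B) and the hostname are placeholders. Note that the control here is the address allow-list plus the proxy; the `Referer` header is sent by the client and can be omitted or forged, so it cannot be what keeps B private. In a virtual host (as opposed to .htaccess) the rewrite pattern includes the leading slash, and `ProxyRequests Off` keeps the host from doubling as an open forward proxy.

```apache
# ---- on the server hosting B: only the gateway host may reach the application ----
# Apache 2.2 (mod_access_compat on 2.4):
<Directory "/var/www/B">
    AllowOverride None
    Order allow,deny
    Allow from 10.0.0.5
</Directory>

# Apache 2.4 native equivalent (mod_authz_core):
<Directory "/var/www/B">
    AllowOverride None
    Require ip 10.0.0.5
</Directory>

# ---- on A: requests under /accesstoB/ are fetched from B and returned ----
# requires mod_rewrite, mod_proxy and mod_proxy_http
<VirtualHost *:80>
    ServerName portal.example.internal
    # reverse proxy only; never act as a forward proxy for arbitrary destinations
    ProxyRequests Off
    RewriteEngine On
    RewriteRule ^/accesstoB/(.*)$ http://10.0.0.9/$1 [P,L]
    # rewrite Location/redirect headers coming back from B so the browser stays on A
    ProxyPassReverse /accesstoB/ http://10.0.0.9/
</VirtualHost>
```

Pair this with A's own login: the proxy only forwards for sessions that A has already authenticated, which is what turns the firewall rule into an access gateway rather than a plain relay.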

Other tips

  1. You begin by restricting access to the B applications by using web server conf files or firewall restrictions based on IP.
  2. Then you redirect all these requests to a new wrapper app you will develop.
  3. With this wrapper app you do whatever authentication you like, then your wrapper app does the http/https request (via libcurl, etc.) and echoes the response.
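The wrapper-app approach from the three steps above, combined with the per-user, per-session token the question asks about, as an added example in Python (not code from either answer). It assumes B is reachable only from the gateway host (step 1), that portal A and the gateway share a secret for signing session cookies, and that B listens on a constructed local address; `make_session_token` stands in for what A would issue at login. A direct request for B's path without the cookie gets the "only via A" error; a request carrying a valid, unexpired cookie is fetched from B and echoed back, with the verified user id passed along in a header.

```python
import hashlib
import hmac
import threading
import time
import urllib.error
import urllib.request
from http.cookies import CookieError, SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo values: the secret is shared only between portal A and this
# gateway, and UPSTREAM_B is app B, which the firewall exposes to this host only.
SECRET = b"constructed-demo-secret-rotate-me"
UPSTREAM_B = "http://127.0.0.1:8081"
COOKIE_NAME = "gw_session"


def make_session_token(user_id, expires_at, secret=SECRET):
    """Issue 'user:expiry:mac'; the MAC binds the user id and expiry together."""
    payload = f"{user_id}:{expires_at}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_session_token(token, now=None, secret=SECRET):
    """Return the user id if the token is intact and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        user_id, expires_str, mac = token.split(":")
        expires_at = int(expires_str)
    except ValueError:  # wrong shape or non-numeric expiry
        return None
    expected = hmac.new(secret, f"{user_id}:{expires_at}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return user_id if now < expires_at else None


def authorize(cookie_header, now=None):
    """Extract the gateway cookie from a Cookie header and verify it."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return None
    morsel = jar.get(COOKIE_NAME)
    return verify_session_token(morsel.value, now) if morsel else None


class GatewayHandler(BaseHTTPRequestHandler):
    """Reject requests without a valid portal session; otherwise fetch from B and echo."""

    def _reply(self, status, body, ctype="text/plain"):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        user = authorize(self.headers.get("Cookie"))
        if user is None:
            self._reply(403, b"Access to this application is allowed only via portal A.\n")
            return
        # Forward to B; B sees only the gateway's address plus the identity we vouch for.
        req = urllib.request.Request(UPSTREAM_B + self.path, headers={"X-Gateway-User": user})
        try:
            with urllib.request.urlopen(req, timeout=5) as up:
                self._reply(up.status, up.read(), up.headers.get("Content-Type", "text/plain"))
        except urllib.error.HTTPError as err:  # pass B's own error pages through unchanged
            self._reply(err.code, err.read(), err.headers.get("Content-Type", "text/plain"))

    def log_message(self, *args):  # keep the demo output quiet
        pass


class FakeAppB(BaseHTTPRequestHandler):
    """Stand-in for application B, constructed so the demo runs offline."""
    def do_GET(self):
        body = f"B got {self.path} for {self.headers.get('X-Gateway-User')}\n".encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    for port, handler in ((8081, FakeAppB), (8080, GatewayHandler)):
        srv = HTTPServer(("127.0.0.1", port), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    token = make_session_token("alice", int(time.time()) + 600)
    # first request: direct hit with no portal session -> 403; second: via A's cookie -> proxied
    for headers in ({}, {"Cookie": f"{COOKIE_NAME}={token}"}):
        req = urllib.request.Request("http://127.0.0.1:8080/somepath/script.php", headers=headers)
        try:
            with urllib.request.urlopen(req) as resp:
                print(resp.status, resp.read().decode().strip())
        except urllib.error.HTTPError as err:
            print(err.code, err.read().decode().strip())
```

The token is bound to the user id and an expiry by the HMAC, so it cannot be edited to another user or extended, and the comparison is constant-time. What makes this a gateway rather than a relay is step 1: because B accepts connections only from the gateway host, the cookie check is the only path in, and the gateway can add headers B trusts (here `X-Gateway-User`) precisely because nothing else can reach B to forge them.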
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow