{"id":2716,"date":"2017-02-05T13:20:35","date_gmt":"2017-02-05T12:20:35","guid":{"rendered":"https:\/\/kudzia.eu\/b\/?p=2716"},"modified":"2017-02-05T13:21:13","modified_gmt":"2017-02-05T12:21:13","slug":"simplistic-gatekeeper-limiting-access-to-apache2-based-proxy","status":"publish","type":"post","link":"https:\/\/kudzia.eu\/b\/2017\/02\/simplistic-gatekeeper-limiting-access-to-apache2-based-proxy\/","title":{"rendered":"simplistic gatekeeper limiting access to apache2-based proxy"},"content":{"rendered":"

i had to expose some web-based application hosted on a windows server to the internet. i don’t put too much trust in the developers of that particular application so i did not want to make it reachable from the public internet. while i could not use ip address based whitelist i could count on the end-user of the application to do a simple routine at the beginning of her\/his work: visit another page and only then try to access the actual web-app. security through obscurity? perhaps, but for me it that’s one more layer of protection.
\n<\/p>\n

i’ve found out that i don’t need to dynamically rewrite apache2 config and add\/remove ip addresses that are allowed to access the protected resource. this<\/a> stackoverflow answer suggested that mod rewrite’s RewriteMap<\/a> can be a solution. so here’s my solution:<\/p>\n

apache2 vhost:<\/p>\n

\r\n<VirtualHost *:443>\r\n DocumentRoot \/var\/www\/\r\n ServerName some.host.com\r\n ProxyPass \/ProtectedResource http:\/\/10.0.0.5\/ProtectedResource\r\n ProxyPassReverse \/ProtectedResource http:\/\/10.0.0.5\/ProtectedResource\r\n \r\n RewriteEngine On\r\n RewriteMap ipslist txt:\/var\/www\/gatekeeper\/list.txt\r\n <Location \/ProtectedResource>\r\n  AddOutputFilterByType INFLATE;SUBSTITUTE;DEFLATE text\/html text\/plain text\/xml\r\n  Substitute "s|http:\/\/10.0.0.5|https:\/\/some.host.com|i"\r\n  \r\n  RewriteCond %{REMOTE_ADDR} ^(.*)$\r\n  RewriteCond ${ipslist:%1|black} ^black$ [NC]\r\n  RewriteRule ^ - [F]\r\n <\/Location>\r\n \r\n # ssl related stuff + logging  \r\n<\/Virtualhost>\r\n<\/pre>\n
did you see what i did there? not just allowed reverse-proxying of request arriving to \/ProtectedResource to an internal Windows-based 10.0.0.5 but also protecting access to it via https and re-writing on the fly references in html\/xml to http:\/\/10.0.0.5 into https:\/\/ssl.host.com ; access to the \/ProtectedResource is only possible for hosts that are listed in the text file \/var\/www\/gatekeeper\/list.txt<\/p>\n
that file is updated by two scripts:<\/p>\n
\/var\/www\/gatekeeper\/index.php – invoked by the user at the beginning of the working day by visiting https:\/\/some.host.com\/gatekeeper\/:<\/p>\n
\r\n<?php\r\n $ip = $_SERVER['REMOTE_ADDR'];\r\n $x=file_get_contents('list.txt');\r\n file_put_contents('list.txt',$x."\\n".$ip.' '.time());\r\n echo "hi $ip";\r\n<\/pre>\n
and \/var\/www\/gatekeeper\/cron.php – invoked from cron by visiting https:\/\/some.host.com\/gatekeeper\/cron.php – it’s responsible for clean-up of the stale entries older than few hours:<\/p>\n
\r\n<?php\r\n $res = "";\r\n foreach(explode("\\n",file_get_contents('list.txt')) as $row){\r\n  $row = explode(' ',$row);\r\n   if (sizeof($row)!=2)continue;\r\n   if ($row[1]<time()-3600*8)continue;\r\n   $res.=$row[0]." ".$row[1]."\\n";\r\n }\r\n file_put_contents('list.txt',$res);\r\n<\/pre>\n
there’s a risk of race conditions when during the execution of cron someone visits the gatekeeper page. in my case – where number of users is very small, i’m comfortable with it.<\/p>\n","protected":false},"excerpt":{"rendered":"
i had to expose some web-based application hosted on a windows server to the internet. i don’t put too much trust in the developers of that particular application so i did not want to make it reachable from the public internet. while i could not use ip address based whitelist i could count on the […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[98],"class_list":["post-2716","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-poor-mans-security"],"_links":{"self":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/2716","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/comments?post=2716"}],"version-history":[{"count":2,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/2716\/revisions"}],"predecessor-version":[{"id":2718,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/2716\/revisions\/2718"}],"wp:attachment":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/media?parent=2716"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/categories?post=2716"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/tags?post=2716"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}