I store a single cookie in a file and want to restrict access to users who have that specific cookie set (with a specified name) and redirect others (from any page in the site) to my site's root. Since my site uses a node backend to authenticate users (i.e., to verify a password), I also want to exempt its proxypass page ("/authenticate") and any "sub-pages" proceeding it.

A problem I've had with these sorts of "whitelists" is that they generally don't encompass the whole site (including subdomains) and don't work for directories which are being indexed.

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/site.com.pem
    SSLCertificateKeyFile /etc/apache2/ssl/site.com.key
</VirtualHost>

<VirtualHost *:443> 
    ServerName site.com
    DocumentRoot /var/www/site.com/html

    <Directory /var/www/site.com/html/files>
        Options +Indexes
        AllowOverride All
    </Directory>

    ProxyRequests Off
    ProxyPass /authorise http://localhost:3001
    ProxyPassReverse /authorise http://localhost:3001
</VirtualHost>

<VirtualHost *:443>
    ServerName movie.site.com
    ProxyRequests Off
    ProxyPass / http://localhost:3000/
    ProxyPassReverse / http://localhost:3000/
</VirtualHost>

<VirtualHost *:443>
  ServerName mail.site.com
  DocumentRoot /var/www/site.com/roundcube

  ErrorLog ${APACHE_LOG_DIR}/roundcube-error.log
  CustomLog ${APACHE_LOG_DIR}/roundcube-access.log combined

  <Directory /var/www/roundcube>
      Options -Indexes
      AllowOverride All
      Order allow,deny
      allow from all
  </Directory>
</VirtualHost>

Edit: Just to clarify, I know I can do something like the following to achieve what I'm after (to some extent):

RewriteEngine on
RewriteCond %{HTTP_COOKIE} !MYCOOKIE
RewriteRule ^/myhome/content/ - [F]

But how do I ensure this has an effect on every VirtualHost (i.e., on every subdomain) and also read the single cookie from the file so that I am able to alter it without having to restart Apache?

Thank you!

Qubarf
  • "I store a single cookie **in a file**" - What do you mean "in a file"? What have you tried? "and don't work for directories which are being indexed" - there's no reason why that would be the case, unless you are referring to the search engines "cache" (before the restriction was implemented)? Search engines wouldn't be able to access the content in the first place if it is restricted with a cookie. But doesn't your authentication (`/authenticate` or `/authorise`?) already restrict access? – MrWhite Oct 06 '21 at 08:01
  • "Doesn't your authentication already restrict access?" - I'm confused; was this meant to prompt a clarification on my part of how the backend worked? Obviously, it doesn't (and can't) restrict access since the site is served by Apache; it just sets the appropriate cookie in the client's browser if supplied with the correct password. By a "file", I mean "I store the single cookie" read by my node backend to set in the client's browser in a file on the server. I have tried [this](https://stackoverflow.com/questions/19932311/apache-dynamic-whitelist). – Qubarf Oct 06 '21 at 08:29
  • "...and any "sub-pages" proceeding it." - What do you mean by "sub-pages"? – MrWhite Oct 06 '21 at 09:07
  • [Um](https://en.wikipedia.org/wiki/Subpage) But that's a very minor detail, it hardly matters? – Qubarf Oct 06 '21 at 09:55
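
One way to express the check the question describes, as an added example (not the asker's configuration and not an answer from this page). It assumes Apache 2.4.8 or later, a hypothetical map file `/etc/apache2/cookie.map` that the backend writes in `value ok` form, and a cookie value made of token characters; the cookie name `MYCOOKIE` and the `/authorise` path are taken from the question's snippets.

```apache
# Added example. Place in server (global) context, outside any <VirtualHost>.
# Assumes Apache 2.4.8+ (RewriteOptions InheritDown) with mod_rewrite loaded.
RewriteEngine On

# Hand the map, conditions and rules below to every <VirtualHost>.
# The mod_rewrite documentation describes the engine switch as per-vhost,
# so also put "RewriteEngine On" inside each <VirtualHost> block.
RewriteOptions InheritDown

# Hypothetical map file with a single line of the form "<cookie value> ok":
#   CONSTRUCTED-VALUE-123 ok
# A txt: map is re-read when the file's mtime changes, so the backend can
# replace the value without an Apache restart or reload. Restrict the file
# to the backend (write) and the Apache user (read).
RewriteMap sitecookie "txt:/etc/apache2/cookie.map"

# 1) The cookie is present and its exact value is a key in the map:
#    skip the redirect rule that follows. Unlike "!MYCOOKIE", this compares
#    the value, not just the presence of the name somewhere in the header.
#    The capture is limited to token characters (assumed value alphabet).
RewriteCond %{HTTP_COOKIE} (?:^|;\s*)MYCOOKIE=([A-Za-z0-9_-]+)(?:;|$)
RewriteCond ${sitecookie:%1|deny} =ok
RewriteRule ^ - [S=1]

# 2) Every other request, on any host, is sent to the site root. Exempt only
#    the root page and the /authorise proxy, and only on site.com, so the
#    same path on other subdomains stays behind the cookie check.
RewriteCond %{HTTP_HOST}%{REQUEST_URI} !^site\.com/(?:authorise(?:/.*)?)?$ [NC]
RewriteRule ^ https://site.com/ [R=302,L]
```

Any static assets the root page loads are also redirected for visitors without the cookie, so either inline them or add their paths to the exemption in step 2.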