I need to restrict a particular Query String pattern which has a URL as below

https://beta-portal.example.com/public/wp-login.php?redirect_to=http://demo.testfire.net

I need to restrict the redirect_to value to https://*.example.com. If any other URLs are passed in redirect_to, it should send a 403 forbidden error.

I tried something like the below, but it is not working as expected. It always sends a 403 forbidden error.

   RewriteCond     %{QUERY_STRING} !.*redirect_to=*.example.com.* [NC]

   RewriteRule "" "-" [F]

Can you please help me with the right syntax to implement the above negate rule?

Thanks in Advance.

Karthik

1 Answer

RewriteEngine On
RewriteCond %{QUERY_STRING} ^redirect_to [NC]
RewriteCond %{QUERY_STRING} !^redirect_to=https://.+\.example\.com$ [NC]
RewriteRule "" "-" [F]

Allow access to requests with query string (and without query string)

?foo=bar
?redirect_to=https://foo.example.com
?redirect_to=https://BAR.example.com

Forbid access to requests with query string

?redirect_to
?redirect_to=
?redirect_to=abc
?redirect_to=https://example.com
?redirect_to=https://.example.com

If you remove the first RewriteCond, then ONLY requests with query string redirect_to=https://*.example.com are allowed. Requests with any other query string or without query string are forbidden.

Freddy
  • Thank you very much the above solution works like a charm. – Karthik Jan 30 '19 at 05:13
  • Freddy, apologies for reaching you once again. Actually, the first condition is getting satisfied as per the above input you provided, but my second condition is to allow *.example.com to any particular location, e.g. https://foo.example.com/public. For this scenario it throws me an error 403 saying the redirect is not valid as per the query string value. How can I handle this situation? – Karthik Jan 31 '19 at 06:17
  • Ah, now I understand. That part was correct! Use `!^redirect_to=https://.+\.example\.com.*$ [NC]` (matches any character after "example.com"). – Freddy Jan 31 '19 at 07:22
  • I tried that, but I am still facing the same issue. The URL is passed like this in the browser: https://apac.beta-portal.example.com/public/wp-login.php?redirect_to=https%3A%2F%2Fenv3-wordpress.acp.aws.example.com%2Fpublic%2F&reauth=1 – Karthik Jan 31 '19 at 09:40
  • https://apac.beta-portal.example.com/public/wp-login.php?redirect_to=https%3A%2F%2Fenv3-wordpress.acp.aws.example.com%2Fpublic%2F&reauth=1 – Karthik Jan 31 '19 at 13:52
  • Freddy, thank you for the help provided so far. I just need a clarification: suppose the URL is passed in an encoded format, how can this be handled in Apache query string conditions, e.g. redirect_to = https%3A%2F%2Fexample.com%2Fpublic – Karthik Feb 03 '19 at 02:40
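
The patterns from the answer and its follow-up comment, run beside a stricter variant over the query strings discussed above; this is an added example, not part of the original answer or comments. The `strict` rule is an assumed policy (https only, host made of DNS labels ending in `.example.com`, optional path, with `://` and `/` accepted literally or percent-encoded because `%{QUERY_STRING}` is matched as sent, undecoded); hosts under `.test` are constructed.

```python
import re

# (presence check, allow pattern) pairs; Apache's [NC] flag maps to re.IGNORECASE.
RULES = {
    # The two RewriteCond patterns from the answer.
    "answer": (r"^redirect_to", r"^redirect_to=https://.+\.example\.com$"),
    # Allow pattern from the follow-up comment (any characters after example.com).
    "comment": (r"^redirect_to", r"^redirect_to=https://.+\.example\.com.*$"),
    # Assumed stricter policy, not from the page: the parameter is checked
    # wherever it appears, the host is restricted to DNS label characters,
    # and the value must end or continue with a path right after example.com.
    "strict": (
        r"(?:^|&)redirect_to(?:=|&|$)",
        r"(?:^|&)redirect_to=https(?:://|%3A%2F%2F)(?:[a-z0-9-]+\.)+example\.com"
        r"(?:(?:/|%2F)[^&]*)?(?:&|$)",
    ),
}

def forbidden(rule, query):
    """True when the rule would answer 403 for this raw (undecoded) query string."""
    present, allowed = RULES[rule]
    has_param = re.search(present, query, re.I) is not None
    return has_param and re.search(allowed, query, re.I) is None

# Query strings taken from the page, plus constructed ones marked as such.
SAMPLES = [
    "foo=bar",
    "redirect_to=https://foo.example.com",
    "redirect_to=https://foo.example.com/public",
    "redirect_to=https%3A%2F%2Fenv3-wordpress.acp.aws.example.com%2Fpublic%2F&reauth=1",
    "redirect_to=http://demo.testfire.net",
    "redirect_to=https://example.com",
    "redirect_to=https://other.test/.example.com",     # constructed
    "redirect_to=https://foo.example.com.other.test",  # constructed
    "foo=bar&redirect_to=http://demo.testfire.net",    # constructed: parameter not first
]

def report():
    """Verdict of every rule for every sample: {query: {rule: forbidden?}}."""
    return {q: {r: forbidden(r, q) for r in RULES} for q in SAMPLES}

if __name__ == "__main__":
    for q, verdicts in report().items():
        print(" ".join(f"{r}={'403' if v else 'ok'}" for r, v in verdicts.items()), q)
```

The patterns use only syntax shared by Python's `re` and PCRE.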