[TriLUG] Working with headers in apache

Josh Vickery josh at vickeryj.com
Fri Nov 7 07:51:12 EST 2008


Yikes, mod_rewrite is a bit out of my realm of expertise, but I'm sure
that someone on this list will probably be able to provide you with a
working set of rules.

This is what I found in the apache mod_rewrite docs
(http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html)

First off, you can get at any http header in a rewritecond rule using
the syntax: %{HTTP:header}
(http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewritecond)

so RewriteConds can be set to match against the value of the headers

RewriteCond %{HTTP:userType} ^S$
RewriteCond %{HTTP:sourceIP} !^10\.0\.0\.

and then send the matching requests elsewhere

RewriteRule (.*) http://SteveHoffman.com/custom_error.html

I came up with the above logic by looking at the rewrite intro
(http://httpd.apache.org/docs/2.2/rewrite/rewrite_intro.html) and
examples page (http://httpd.apache.org/docs/2.2/rewrite/rewrite_guide.html).

I hope the above either gets you on the right track or someone with
more mod_rewrite experience pipes up with a working solution.

Josh



On Thu, Nov 6, 2008 at 9:56 PM, Steve Hoffman <srhoffman at gmail.com> wrote:
> Hello all,
> I have a question that hopefully someone here can help with...a web user is
> redirected from a third party site with a few headers set by that third
> party, the most important of which is userType.  What I would like to do is
> (with apache working as a reverse proxy) inspect the headers as they pass
> through and if userType=S && sourceIP!=10.0.0.0/24 throw a custom error
> page.
>
> Essentially we have an application that is front ended by an apache server
> working as reverse proxy.  Your privilege in the application is pulled from
> the database on the back end, but the userType flag from the third party
> could be used for us to catch employees trying to access the application
> with their userId from off our network.
>
> I know the smart move would have been for the apps folks to take care of
> that in the application...but they didn't so I've been asked to resolve this
> at our proxies...which I initially thought was possible...even if not
> efficient but after googling for several hours I'm not so confident
> anymore.  Does anyone know if this is possible and can you point me
> somewhere to start looking?
>
> Thanks,
> Steve
>
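
A fuller version of the rules discussed above for the reverse-proxy case, added here as an example and not part of the original thread. The backend URL http://backend.internal/ is a placeholder, and serving /custom_error.html from the proxy itself is an assumption.

```apache
# Added example (Apache 2.2 syntax, virtual-host context).
# Assumed: http://backend.internal/ is a placeholder backend, and
# custom_error.html lives in the proxy's own DocumentRoot.

# "!" excludes the error page from proxying; it must precede the catch-all.
ProxyPass        /custom_error.html !
ProxyPass        / http://backend.internal/
ProxyPassReverse / http://backend.internal/

# The 403 generated below is rendered with the local page.
ErrorDocument 403 /custom_error.html

RewriteEngine On

# Consecutive RewriteCond lines are ANDed: the rule fires only if all match.

# 1) The userType header is exactly "S".
RewriteCond %{HTTP:userType} ^S$

# 2) The sourceIP header is not an address in 10.0.0.0/24.
#    Anchoring both ends keeps values such as "110.0.0.5" or
#    "10.0.0.5.example" from being treated as internal.
#    A missing header expands to an empty string, which does not match the
#    pattern, so a type-S request without sourceIP is refused (fail closed).
RewriteCond %{HTTP:sourceIP} !^10\.0\.0\.[0-9]{1,3}$

# Alternative to (2) when the proxy sees the client's address directly:
# RewriteCond %{REMOTE_ADDR} !^10\.0\.0\.[0-9]{1,3}$

# 3) Do not apply the rule to the error page itself, otherwise the
#    ErrorDocument lookup would be refused as well.
RewriteCond %{REQUEST_URI} !^/custom_error\.html$

# "-" leaves the URL unchanged; [F] answers 403 Forbidden and stops here.
RewriteRule ^ - [F]
```

Request headers arrive from the client side unless a trusted hop overwrites them, so these conditions are only as reliable as whatever sets userType and sourceIP before the request reaches the proxy.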


