Forum Discussion
Restrict Access via HTTP referer
I'm attempting to restrict access to an application via HTTP REFERER. Using the example given by the dev team, I'm using something that looks like this:
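when HTTP_REQUEST {
    # Match the Referer header against glob patterns
    switch -glob [HTTP::header "Referer"] {
        "https://SUB.DOMAIN.COM/*" {
            # Allow request to go through...
        }
        "" {
            # No Referer header: answer with an empty 200
            HTTP::respond 200 content ""
        }
        default {
            # Any other Referer: redirect the client back to the referring URL
            HTTP::redirect [HTTP::header "Referer"]
        }
    }
}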
Unfortunately this isn't behaving as it should, and I'm not getting anything too helpful from the logs. Can you see anything glaringly wrong with this?
13 Replies
- insomniak_11745
Nimbostratus
This is becoming very complex to think about. The application that is housed within the Virtual Server in question is Etherpad. The Etherpad Virtual Server IP is being linked to directly from within the user's custom application. Therefore:
- The Etherpad installation is being accessed not directly from the application, but from the end-user's public IP address (otherwise we'd just restrict via internal IP)
- Traditional session-based restriction will not work because if a user accesses the Etherpad once from within the custom application, they can then use the same session to access it directly in the future.
The user ALWAYS needs to click the link to the Etherpad installation from WITHIN the custom application.
I'm thinking that some sort of shared token "handshake" needs to happen between applications.
- Kevin_Stewart
Employee
I'm thinking that some sort of shared token "handshake" needs to happen between applications.
That's potentially a good idea. Have you had a chance to look at the application layer traffic between the client and app/VIP?
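The shared token "handshake" floated above could take the form of a short-lived, single-use signed link. This is an added example, not code from the thread or from F5; it goes beyond what the posts specify. The key, host, path, lifetime and parameter names are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions (not from the thread): key, host, path, lifetime, parameter names.
SHARED_KEY = b"constructed-demo-key"         # known only to the app and the proxy
PAD_BASE = "https://pad.example.com/p/demo"  # placeholder Etherpad URL
TTL_SECONDS = 30


def _sign(path, user, exp, nonce):
    # Bind the signature to the path, user, expiry and nonce together.
    msg = "\n".join((path, user, exp, nonce)).encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(user, now=None):
    """Custom application side: mint a fresh link on every click."""
    now = time.time() if now is None else now
    exp = str(int(now) + TTL_SECONDS)
    nonce = secrets.token_urlsafe(16)
    sig = _sign(urlsplit(PAD_BASE).path, user, exp, nonce)
    query = urlencode({"user": user, "exp": exp, "nonce": nonce, "sig": sig})
    return f"{PAD_BASE}?{query}"


def verify_link(url, seen_nonces, now=None):
    """Proxy side: accept only an unexpired, unmodified, never-used token."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    try:
        user, exp, nonce, sig = q["user"], q["exp"], q["nonce"], q["sig"]
        expired = int(exp) < now
    except (KeyError, ValueError):
        return False  # missing or malformed parameter
    expected = _sign(parts.path, user, exp, nonce)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False  # parameters were altered or signed with another key
    if expired or nonce in seen_nonces:
        return False  # stale link, or a token that was already used
    seen_nonces.add(nonce)  # single use: a bookmarked or copied link fails
    return True
```

In a real deployment the set of used nonces has to be shared by every proxy instance, and entries can be dropped once their expiry has passed.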