Splitting access by WebServer port

Article

Eduard Lebedyuk · Feb 7, 2024 2m read

Recently, I needed to run WebGateway on an additional port but with a twist - this port should publish only one web application.
At first, I thought about configuring Web Gateway to allow only specific web applications (~urls), but Web Gateway configuration is per Apache configuration:

LoadModule csp_module_sa "/opt/webgateway/bin/CSPa24.so"
CSPModulePath "/opt/webgateway/bin/"
CSPConfigPath "/opt/webgateway/bin/"ObjectScript
ObjectScript

And while LoadModule has two allowed contexts, server config and virtual host, the csp module must be loaded once in the server context.

But we can use two VirtualHosts and here's how:

CSPModulePath /iris/csp/bin/
CSPConfigPath /iris/csp/bin/
LoadModule csp_module_sa /iris/csp/bin/CSPa24.so

Listen 443
Listen 10443
<VirtualHost *:443>
  <Location />
    CSP On
  </Location>
</VirtualHost>

<VirtualHost *:10443>
  <Location /myapp/>
    CSP On
  </Location>
</VirtualHost>ObjectScript
ObjectScript

Full httpd.conf

ServerRoot "/iris/httpd"
DocumentRoot "/iris/csp"
CSPModulePath /iris/csp/bin/
CSPConfigPath /iris/csp/bin/
LoadModule csp_module_sa /iris/csp/bin/CSPa24.so
User irisusr
Group irisusr

ServerName localhost
PidFile /iris/httpd/logs/httpd.pid
TraceEnable off
Timeout 300
KeepAlive On
MaxKeepAliveRequests 0
KeepAliveTimeout 120
UseCanonicalName Off

<Directory />
Options MultiViews FollowSymLinks
AllowOverride None
Require all granted
<FilesMatch "\.(log|ini|pid|exe|so)$">
Require all denied
</FilesMatch>
</Directory>

TypesConfig conf/mime.types
HostnameLookups Off

ErrorLog /iris/httpd/logs/error.log
LogLevel error
LogFormat "%h %l %u %t \"%r\" %>s %b" common

StartServers 5
MinSpareThreads 2
MaxSpareThreads 20
ServerLimit 256
ServerTokens Prod

Include conf/httpd-doc.conf
Include conf/httpd-local.conf
Listen 443
Listen 10443

<VirtualHost *:443>

# We need a servername, it has not effect but is required by apache
ServerName mysecureinstance

# Turn on SSL for this Virtual Host
SSLEngine on
SSLCertificateFile "/etc/certs/apache.crt"
SSLCertificateKeyFile "/etc/certs/apache.key"
<Location />
CSP On
</Location>
</VirtualHost>
<VirtualHost *:10443>

# We need a servername, it has not effect but is required by apache
ServerName mysecureinstance

# Turn on SSL for this Virtual Host
SSLEngine on
SSLCertificateFile "/etc/certs/apache.crt"
SSLCertificateKeyFile "/etc/certs/apache.key"
<Location /myapp/>
CSP On
</Location>
</VirtualHost>ObjectScript
ObjectScript

Virtual Hosts use the same WebGateway and the same CSP Config, but only /myapp/ urls are available on port 10443. Anything else gets 404 from Apache.

[root@localhost conf]# apachectl configtest [Sat Dec 21 17:22:39.632408 2024] [:warn] [pid 151005:tid 151005] Apache Configuration: CSP directive 'csp' detected in VirtualHost, only supported at default server level [Sat Dec 21 17:22:39.632471 2024] [:warn] [pid 151005:tid 151005] Apache Configuration: CSP directive 'csp' detected in VirtualHost, only supported at default server level [Sat Dec 21 17:22:39.632480 2024] [:warn] [pid 151005:tid 151005] Apache Configuration: CSP directive 'csp' detected in VirtualHost, only supported at default server level Syntax OK

Shell Session

Ben Spead · Feb 7, 2024

@Eduard Lebedyuk - thank you VERY MUCH for taking the time to share this learning withe Community :)

2 0

Enrico Parisi · Dec 21, 2024

Hi @Eduard Lebedyuk , I was testing various options for configuring Apache (RHEL in my case), so I read the documentation (unbelievable, isn't it? 😂) and performed a number of tests, the I found this article in the community and....I was kind of surprised because you suggest using CSP On/Off within a <VirtualHost> directive block.

I was surprised because the I excluded using <VirtualHost> directive block since the documentation suggests not using it (emphasis mine):

Note:

Although the Web Gateway supports the use of virtual host names in application access profiles, issuing Apache configuration directives to invoke the Web Gateway (that is, CSPFileTypes and CSP On/Off) within a <VirtualHost> directive block is not supported and will yield an error. In other words, you cannot enable the Web Gateway for the desired Virtual Hosts alone; you must enable the Web Gateway within the web server’s global configuration.

My my first thought was, well, this is a case where the documentation is wrong, sometimes it has happened.

At that point I was puzzled, so I tried using <VirtualHost> and, to my surprise, it worked!

Then I tried to validate my Apache config using "apachectl configtest" and:

[root@localhost conf]# apachectl configtest
[Sat Dec 21 17:22:39.632408 2024] [:warn] [pid 151005:tid 151005] Apache Configuration: CSP directive 'csp' detected in VirtualHost, only supported at default server level
[Sat Dec 21 17:22:39.632471 2024] [:warn] [pid 151005:tid 151005] Apache Configuration: CSP directive 'csp' detected in VirtualHost, only supported at default server level
[Sat Dec 21 17:22:39.632480 2024] [:warn] [pid 151005:tid 151005] Apache Configuration: CSP directive 'csp' detected in VirtualHost, only supported at default server level
Syntax OK
Shell Session
Shell Session

Not only is documented that using CSP On/Off within a <VirtualHost>, there is also some code implemented in CSPa24.so IRIS module to check for this and provide a warning message that says this is not supported.

Personally I'll avoid using CSP On/Off within a <VirtualHost> (at least) in production systems, unless some more info is found on this.

1 0

Eduard Lebedyuk Dec 22, 2024 to Enrico Parisi

Hello, @Enrico Parisi!
CSP On in Virtual Hosts is not supported by Web Gateway means that Web Gateway does no request disambiguation based on a Virtual Host and will process any request passed by Apache.

However, Apache does Virtual Hosts request validation and won't pass a request to a Web Gateway if there's no corresponding CSP On directive.

0 0