Splitting access by WebServer port

Eduard Lebedyuk, Senior Cloud Architect at InterSystems · Feb 7, 2024

Recently, I needed to run the Web Gateway on an additional port but with a twist: this port should publish only one web application.
At first, I thought about configuring the Web Gateway to allow only specific web applications (that is, URL prefixes), but the Web Gateway is configured once per Apache configuration:

LoadModule csp_module_sa "/opt/webgateway/bin/CSPa24.so"
CSPModulePath "/opt/webgateway/bin/"
CSPConfigPath "/opt/webgateway/bin/"

And while LoadModule has two allowed contexts, server config and virtual host, the CSP module must be loaded exactly once, in the server context.

But we can use two VirtualHosts, and here's how:

CSPModulePath /iris/csp/bin/
CSPConfigPath /iris/csp/bin/
LoadModule csp_module_sa /iris/csp/bin/CSPa24.so

Listen 443
Listen 10443
<VirtualHost *:443>
  <Location />
    CSP On
  </Location>
</VirtualHost>

<VirtualHost *:10443>
  <Location /myapp/>
    CSP On
  </Location>
</VirtualHost>

Full httpd.conf

ServerRoot "/iris/httpd"
DocumentRoot "/iris/csp"
CSPModulePath /iris/csp/bin/
CSPConfigPath /iris/csp/bin/
LoadModule csp_module_sa /iris/csp/bin/CSPa24.so
User irisusr
Group irisusr

ServerName localhost
PidFile /iris/httpd/logs/httpd.pid
TraceEnable off
Timeout 300
KeepAlive On
MaxKeepAliveRequests 0
KeepAliveTimeout 120
UseCanonicalName Off

<Directory />
Options MultiViews FollowSymLinks
AllowOverride None
Require all granted
<FilesMatch "\.(log|ini|pid|exe|so)$">
Require all denied
</FilesMatch>
</Directory>

TypesConfig conf/mime.types
HostnameLookups Off

ErrorLog /iris/httpd/logs/error.log
LogLevel error
LogFormat "%h %l %u %t \"%r\" %>s %b" common

StartServers 5
MinSpareThreads 2
MaxSpareThreads 20
ServerLimit 256
ServerTokens Prod

Include conf/httpd-doc.conf
Include conf/httpd-local.conf
Listen 443
Listen 10443

<VirtualHost *:443>

# We need a ServerName; it has no effect here but is required by Apache
ServerName mysecureinstance

# Turn on SSL for this Virtual Host
SSLEngine on
SSLCertificateFile "/etc/certs/apache.crt"
SSLCertificateKeyFile "/etc/certs/apache.key"
<Location />
CSP On
</Location>
</VirtualHost>
<VirtualHost *:10443>

# We need a ServerName; it has no effect here but is required by Apache
ServerName mysecureinstance

# Turn on SSL for this Virtual Host
SSLEngine on
SSLCertificateFile "/etc/certs/apache.crt"
SSLCertificateKeyFile "/etc/certs/apache.key"
<Location /myapp/>
CSP On
</Location>
</VirtualHost>


Both Virtual Hosts use the same Web Gateway and the same CSP configuration, but only /myapp/ URLs are available on port 10443; anything else gets a 404 from Apache.
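To check a split-port layout like this one before deploying it, the following script (an added example, not part of the original article or of InterSystems' tooling) parses the subset of httpd.conf syntax used above (Listen, <VirtualHost>, <Location>, CSP On/Off) and reports, per listening port, which URL prefixes would be handed to the Web Gateway. It also lists every CSP directive that sits inside a <VirtualHost>, which is the condition `apachectl configtest` warns about in the discussion below. The embedded configuration is a constructed sample based on the article's two-VirtualHost layout, with an extra CSP Off location added to show how a disabled prefix is reported; only section nesting is modelled, nothing else in httpd.conf is interpreted.

```python
"""Audit which URL prefixes each Apache listening port hands to the Web Gateway.

Added example: a parser for the Listen / <VirtualHost> / <Location> / CSP On|Off
subset of httpd.conf. It answers "which paths are CSP-enabled on which port?"
and "where does a CSP directive sit inside a <VirtualHost>?".
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the two-VirtualHost layout from the article, plus one
# CSP Off location (assumption, not from the article) for illustration.
SAMPLE_CONF = """
CSPModulePath /iris/csp/bin/
CSPConfigPath /iris/csp/bin/
LoadModule csp_module_sa /iris/csp/bin/CSPa24.so

Listen 443
Listen 10443
<VirtualHost *:443>
  <Location />
    CSP On
  </Location>
</VirtualHost>

<VirtualHost *:10443>
  <Location /myapp/>
    CSP On
  </Location>
  <Location /admin/>
    CSP Off
  </Location>
</VirtualHost>
"""

OPEN_RE = re.compile(r"^<(\w+)\s+(.*?)\s*>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")


@dataclass
class Report:
    listen_ports: list = field(default_factory=list)
    # port -> [(path, "On"/"Off"), ...] in file order; "*" = default server
    csp_by_port: dict = field(default_factory=dict)
    # (port, path) for every CSP directive found inside a <VirtualHost>
    vhost_csp: list = field(default_factory=list)


def _port_of(vhost_arg: str) -> str:
    """'*:10443' -> '10443'; '*' or a bare host -> '*'."""
    addr = vhost_arg.split()[0]
    return addr.rsplit(":", 1)[1] if ":" in addr else "*"


def audit(conf: str) -> Report:
    report = Report()
    stack = []  # open sections as (name, argument), innermost last
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append((m.group(1), m.group(2)))
            continue
        m = CLOSE_RE.match(line)
        if m:
            if not stack or stack[-1][0].lower() != m.group(1).lower():
                raise ValueError(f"unbalanced </{m.group(1)}>")
            stack.pop()
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        arg = parts[1] if len(parts) > 1 else ""
        if directive == "listen":
            report.listen_ports.append(arg.rsplit(":", 1)[-1])
        elif directive == "csp":
            vhost = next((a for n, a in stack if n.lower() == "virtualhost"), None)
            loc = next((a for n, a in reversed(stack) if n.lower() == "location"), "/")
            port = _port_of(vhost) if vhost else "*"
            report.csp_by_port.setdefault(port, []).append((loc, arg.capitalize()))
            if vhost:
                report.vhost_csp.append((port, loc))
    if stack:
        raise ValueError(f"unclosed <{stack[-1][0]}>")
    return report


def gateway_paths(conf: str, port: str) -> list:
    """URL prefixes on `port` under which a request reaches the Web Gateway."""
    rep = audit(conf)
    return [p for p, state in rep.csp_by_port.get(port, []) if state == "On"]


if __name__ == "__main__":
    rep = audit(SAMPLE_CONF)
    for port in rep.listen_ports:
        print(f"port {port}: CSP On for {gateway_paths(SAMPLE_CONF, port)}")
    for port, loc in rep.vhost_csp:
        print(f"note: CSP directive for {loc} inside <VirtualHost *:{port}>")
```

Run it against your own httpd.conf by reading the file into `audit()`; any port whose list contains `/` exposes every web application the Web Gateway knows about, which is exactly what the 10443 host above is meant to avoid.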

Comments

Enrico Parisi · Dec 21, 2024

Hi @Eduard Lebedyuk, I was testing various options for configuring Apache (RHEL in my case), so I read the documentation (unbelievable, isn't it? 😂) and performed a number of tests, then I found this article in the community and... I was kind of surprised because you suggest using CSP On/Off within a <VirtualHost> directive block.

I was surprised because I had excluded using a <VirtualHost> directive block, since the documentation suggests not using it (emphasis mine):

Note:

Although the Web Gateway supports the use of virtual host names in application access profiles, issuing Apache configuration directives to invoke the Web Gateway (that is, CSPFileTypes and CSP On/Off) within a <VirtualHost> directive block is not supported and will yield an error. In other words, you cannot enable the Web Gateway for the desired Virtual Hosts alone; you must enable the Web Gateway within the web server’s global configuration.

My first thought was, well, this is a case where the documentation is wrong; sometimes it has happened.

At that point I was puzzled, so I tried using <VirtualHost> and, to my surprise, it worked!

Then I tried to validate my Apache config using "apachectl configtest" and:

[root@localhost conf]# apachectl configtest
[Sat Dec 21 17:22:39.632408 2024] [:warn] [pid 151005:tid 151005] Apache Configuration: CSP directive 'csp' detected in VirtualHost, only supported at default server level
[Sat Dec 21 17:22:39.632471 2024] [:warn] [pid 151005:tid 151005] Apache Configuration: CSP directive 'csp' detected in VirtualHost, only supported at default server level
[Sat Dec 21 17:22:39.632480 2024] [:warn] [pid 151005:tid 151005] Apache Configuration: CSP directive 'csp' detected in VirtualHost, only supported at default server level
Syntax OK

Not only is it documented that using CSP On/Off within a <VirtualHost> is not supported, there is also some code implemented in the CSPa24.so IRIS module that checks for this and provides a warning message saying it is not supported.

Personally I'll avoid using CSP On/Off within a <VirtualHost> (at least) in production systems, unless some more info is found on this.

Eduard Lebedyuk · Dec 22, 2024, to Enrico Parisi

Hello, @Enrico Parisi!
"CSP On in Virtual Hosts is not supported by Web Gateway" means that the Web Gateway does no request disambiguation based on a Virtual Host and will process any request passed by Apache.

However, Apache does Virtual Hosts request validation and won't pass a request to a Web Gateway if there's no corresponding CSP On directive.