apache config proxy security

List of URLs to block

Question

What is the list of URLs that can be blocked at the proxy to prevent users from accessing them?

Answer

URL                   Description
/start                login page
/jahia/*              technical URLs with Jahia 8
/cms/login            login page
/cms/admin/*          administration
/welcome/adminmode    administration
/cms/edit/*           edit mode
/cms/contribute/*     contribute mode
/cms/studio/*         studio mode
/tools/*              admin tools for debugging (secured with basic HTTP authentication)
/modules/tools        admin tools for debugging (secured with basic HTTP authentication)
/repository/*         WebDAV access to the repository
/server/*             WebDAV access to the repository

Here is a very easy way to do it on Apache HTTP Server version 2.4 using the Apache module mod_authz_host:

# secure login/admin/contrib/edit URLs from outside our network
# allowed_ip lists all authorized IPs, separated by spaces
Define allowed_ip "192.168.1.10 192.168.1.18 10.1.123.21"
<LocationMatch "^/(start|cms\/login|cms\/admin|welcome\/adminmode|cms\/edit|cms\/contribute|cms\/studio|tools|modules\/tools|repository|server)">
    Require ip ${allowed_ip}
</LocationMatch>

 

Starting from Jahia 8.0, you can also filter URLs of this kind: /jahia/*.

To do so, you can add an additional directive of this kind:


<LocationMatch "^/jahia/.*">
    Require ip ${allowed_ip}
</LocationMatch>

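Here is also an example with HAProxy. The authorized_ips ACL matches on the last address in the X-Forwarded-For header, so it assumes that header is set by a trusted proxy in front of HAProxy: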

acl authorized_ips req.hdr_ip(x-forwarded-for,-1) -m ip 8.8.8.8/32
acl technical_urls path_beg -i /cms /tools /modules /administration /start /jahia
http-request deny if technical_urls !authorized_ips
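
Before deploying either rule set, it is worth checking that it restricts every entry in the table above. The following is an added example, not part of the original article or of Jahia's own tooling: it models the LocationMatch regexes and the HAProxy path_beg prefixes in Python and reports the table entries each one leaves unrestricted. Assumptions: Python's re module stands in for Apache's regex engine (equivalent for these simple patterns), and the sub-path "x" and the content-style path in the demo are constructed samples.

```python
import re

# URL column of the table above. Entries ending in "/*" stand for any sub-path.
BLOCK_LIST = [
    "/start", "/jahia/*", "/cms/login", "/cms/admin/*", "/welcome/adminmode",
    "/cms/edit/*", "/cms/contribute/*", "/cms/studio/*", "/tools/*",
    "/modules/tools", "/repository/*", "/server/*",
]

# Regexes copied from the two <LocationMatch> directives on this page.
APACHE_PATTERNS = [
    re.compile(r"^/(start|cms\/login|cms\/admin|welcome\/adminmode|cms\/edit"
               r"|cms\/contribute|cms\/studio|tools|modules\/tools|repository|server)"),
    re.compile(r"^/jahia/.*"),
]

# Prefixes copied from the HAProxy "technical_urls" ACL (path_beg -i).
HAPROXY_PREFIXES = ["/cms", "/tools", "/modules", "/administration", "/start", "/jahia"]


def sample_path(entry):
    """Turn a table entry into a concrete path; "x" is a constructed sub-path."""
    return entry[:-1] + "x" if entry.endswith("/*") else entry


def apache_restricted(path):
    """LocationMatch does an unanchored, case-sensitive regex search on the path."""
    return any(p.search(path) for p in APACHE_PATTERNS)


def haproxy_restricted(path):
    """path_beg -i is a case-insensitive prefix match on the path."""
    return any(path.lower().startswith(prefix) for prefix in HAPROXY_PREFIXES)


def coverage_gaps(is_restricted):
    """Table entries whose sample path the given rule set leaves unrestricted."""
    return [e for e in BLOCK_LIST if not is_restricted(sample_path(e))]


if __name__ == "__main__":
    print("Apache gaps: ", coverage_gaps(apache_restricted))
    print("HAProxy gaps:", coverage_gaps(haproxy_restricted))
    # Constructed content-style path (hypothetical): shows how broad each rule is.
    public = "/cms/render/live/en/sites/demo/home.html"
    print("Apache restricts it: ", apache_restricted(public))
    print("HAProxy restricts it:", haproxy_restricted(public))
```

Any table entry reported as a gap needs its own pattern or prefix in the corresponding rule set if the proxy is meant to restrict the full list.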