Symantec Access Management

 Apache rewrite conflicting with unprotected URL

Jason Morriss posted Feb 02, 2022 07:10 AM
I have an Apache/2.4.6 server using mod_rewrite to rewrite all requests to a front controller, and most of the site is protected with SiteMinder, except for /api, which is unprotected. All protected URLs work fine. The problem is, no matter how I try to access the unprotected URL, Apache attempts to do a redirect to the SiteMinder authentication server. If I mock up a file so the mod_rewrite doesn't trigger, it will work for the unprotected URL. So, it seems something with mod_rewrite is the problem and I can't figure it out.

# htaccess (stripped down)
# Work out the directory prefix the .htaccess lives under and store it in BASE
RewriteCond %{REQUEST_URI}::$0 ^(/.+)/(.*)::\2$
RewriteRule .* - [E=BASE:%1]
# Preserve the Authorization header for PHP
RewriteCond %{HTTP:Authorization} .+
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%0]
# Anything that is not a real file is internally redirected to the front controller
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ %{ENV:BASE}/index.php [END]

# curl -I -L https://myhost/myapp/api/assets.json
HTTP/1.1 302 Found
Date: Wed, 02 Feb 2022 12:02:02 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.27
Cache-Control: no-store
Location: https://authdev.example/CertAuthV3/forms/HHSKrbPivOrFormLogin.aspx?TYPE=33554433&REALMOID=06-d38986af-9876-45ba-9967-02ff8a131b25&GUID=&SMAUTHREASON=0&METHOD=HEAD&SMAGENTNAME=-SM-2dcm9UNNLHJ2WeJCIiX5xFC0fypAIxUpbTpbLzbMoKWGn609A029m2REURZ1Bb%2fy&TARGET=-SM-https%3a%2f%myhost%2fmyapp%2findex%2ephp
Content-Type: text/html; charset=iso-8859-1

# siteminder log
[02/02/2022][07:02:02][15870][379021440][CSmHttpPlugin.cpp:703][CSmHttpPlugin::ProcessResource][000000000000000000000000654470a5-3dfe-61fa72ba-16976880-6fb964e27fc1][*1.2.3.4][][myhost][][][Resolved URL: '/myapp/api/assets.json'.]
[02/02/2022][07:02:02][15870][379021440][CSmHttpPlugin.cpp:5946][CSmHttpPlugin::AutoAuthorizedUrl][][][][][][][Auto-authorizing resource, matches IgnoreUrl filter.]
[02/02/2022][07:02:02][15870][379021440][CSmHttpPlugin.cpp:703][CSmHttpPlugin::ProcessResource][000000000000000000000000654470a5-3dfe-61fa72ba-16976880-70171240a6e0][*1.2.3.4][][myhost][][][Resolved URL: '/myapp/index.php'.]
[02/02/2022][07:02:02][15870][379021440][CSmLowLevelAgent.cpp:514][IsResourceProtected][000000000000000000000000654470a5-3dfe-61fa72ba-16976880-70171240a6e0][*1.2.3.4][][myhost][/myapp/index.php][][Resource is protected from Policy Server.]

# apache log
[Wed Feb 02 07:02:02.941939 2022] [rewrite:trace4] [pid 15870] mod_rewrite.c(470): [client 1.2.3.4:48860] 1.2.3.4 - - [myhost/sid#5583865438c0][rid#5583868b6720/initial] [perdir /var/www/myapp/public/] RewriteCond: input='/var/www/myapp/public/api/assets.json' pattern='!-f' => matched
[Wed Feb 02 07:02:02.941945 2022] [rewrite:trace2] [pid 15870] mod_rewrite.c(470): [client 1.2.3.4:48860] 1.2.3.4 - - [myhost/sid#5583865438c0][rid#5583868b6720/initial] [perdir /var/www/myapp/public/] rewrite 'api/assets.json' -> '/myapp/index.php'
[Wed Feb 02 07:02:02.941961 2022] [rewrite:trace1] [pid 15870] mod_rewrite.c(470): [client 165.112.68.101:48860] 165.112.68.101 - - [myhost/sid#5583865438c0][rid#5583868b6720/initial] [perdir /var/www/myapp/public/] internal redirect with /myapp/index.php [INTERNAL REDIRECT]
Broadcom Employee Peter Burant

Hi Jason,

It looks like the rewritten URL is passing through the web agent, and thus the web agent is intercepting the request and challenging the user. If you want to prevent the user from being challenged in this scenario, you will need to effectively unprotect /myapp/index.php. There are several ways you can do this (either via Realm configuration or via ACO parameter). Bear in mind that when the web agent makes an IsProtected call to the policy server to determine whether the requested resource is protected or not, it will send the URI portion of the URL along with the resolved AgentName. If the combination of these two pieces of data match a protected realm, the resource will be considered protected.

Regards,
Pete

Jason Morriss
Apparently, I can't respond to @Peter Burant, so I'll add this answer.

Thanks for that. And I have considered unprotecting index.php, but by doing so I'd effectively give a backdoor to anything on the site, since everything runs through index.php (the rewrite just prettifies the URL and hides index.php). I'm amazed this works this way. It's a very common scenario to use a front-end controller like this to drive a PHP application. I thought the web agent would only see the requested URL and not care about the INTERNAL REDIRECT that Apache is doing.
Broadcom Employee BalaKishore Gaddam
Hi Jason,

The ACO IgnoreUrl parameter would avoid the IsProtected call to the policy server, and it can also be specific to the web server configuration.

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-7/configuring/web-agent-configuration/performance/ignore-unprotected-resources.html#concept.dita_4bf1e7773adea26a26bb8968dd21148c98748e57_AllowUn-restrictedAccesstoURIs

IgnoreUrl="http://fullyqualifieddomainname/uri_name"
OR
IgnoreUrl="/uri_name"

Please check if this helps.
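The decision flow the thread works through, written up as an added model (not SiteMinder or Apache code, and not from any of the posters): the agent sees every URL Apache resolves, including the mod_rewrite internal redirect, checks IgnoreUrl before the realm, and so a blanket IgnoreUrl on the front controller removes the challenge for the original problem but also for any request that reaches index.php directly. Prefix matching for IgnoreUrl and the realm filter, and the realm value "/myapp/", are assumptions of this model.

```python
"""Model of the web-agent decision described in the thread (added illustration,
not SiteMinder or Apache code). Realm and IgnoreUrl values are constructed."""

FRONT_CONTROLLER = "/myapp/index.php"


def apache_resolve(request_uri, existing_files=frozenset()):
    """Mimic the stripped-down .htaccess: anything that is not a real file is
    internally redirected to the front controller, which is the second
    'Resolved URL' line in the SiteMinder log."""
    if request_uri in existing_files or request_uri.startswith(FRONT_CONTROLLER):
        return request_uri
    return FRONT_CONTROLLER


def agent_protected(url, ignore_urls, realms):
    """IgnoreUrl is evaluated first ('Auto-authorizing resource, matches
    IgnoreUrl filter'); otherwise the realm filter decides. Prefix matching
    is an assumption of this model, not a statement about the product."""
    if any(url.startswith(prefix) for prefix in ignore_urls):
        return False
    return any(url.startswith(realm) for realm in realms)


def decide(request_uri, ignore_urls, realms, existing_files=frozenset()):
    """Return (URLs the agent evaluated, whether the user is challenged).
    Both the requested URL and the rewritten one pass through the agent."""
    seen = [request_uri]
    if agent_protected(request_uri, ignore_urls, realms):
        return seen, True
    resolved = apache_resolve(request_uri, existing_files)
    if resolved != request_uri:
        seen.append(resolved)
    return seen, agent_protected(resolved, ignore_urls, realms)


if __name__ == "__main__":
    realms = ["/myapp/"]                      # constructed protected realm
    as_posted = ["/myapp/api"]                # only /api is ignored
    widened = ["/myapp/api", FRONT_CONTROLLER]  # index.php ignored as well
    # The thread's symptom: the rewrite target is what gets challenged.
    print(decide("/myapp/api/assets.json", as_posted, realms))
    # The proposed fix stops the challenge for /api ...
    print(decide("/myapp/api/assets.json", widened, realms))
    # ... but a request that names the front controller directly is now
    # never challenged either, which is the concern raised in the thread.
    print(decide(FRONT_CONTROLLER + "/anything", widened, realms))
```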