Symantec Access Management

  • 1.  Manage IP white list with CA Access Gateway

    Posted Jul 05, 2017 01:58 PM

    The customer wants to limit access to his applications based on client IP.

    We have suggested the IP-limits feature at the domain and partnership level, but he wants to avoid the login page being opened at all.

    Then we tried to use rewrite rules, but it does not work as we expected.

    We have loaded the rewrite module:

          LoadModule rewrite_module modules/mod_rewrite.so

    Enabled rewrite module tracing:

          LogLevel warn rewrite:trace3

    Enabled the rewrite engine:

          RewriteEngine On

    Defined the rewrite condition and rule:

          RewriteCond %{REMOTE_ADDR} ^192\.168\.80\.1$
          RewriteRule ^ https://sps01.cmdom.ca/affwebservices/public/notauthorized.html [L,R=301]

    The example should exclude access from my physical PC to my SPS VM, but the result is very strange.

    Since I have enabled access on both ports 80 and 443: when I try to access on port 80 I'm redirected to the defined notauthorized page.

    But when I try to access on 443 (https) the redirection does not happen.

    In my test I have used the following links:

    http://sps01.cmdom.ca/affwebservices/public/saml2sso?SPID=SP_WORKDAY

    I have been redirected to the "not authorized" page.

    https://sps01.cmdom.ca/affwebservices/public/saml2sso?SPID=SP_WORKDAY

    I have continued with navigation.

    Obviously, when the RewriteRules are not in place I continue with navigation in both cases.

    Any idea how to do this task?

    Thank you

    Camil



  • 2.  Re: Manage IP white list with CA Access Gateway

    Posted Jul 06, 2017 04:03 AM

    Hi Camil,

    Ensure you add a Directory directive to your SSL VirtualHost. You can add the same one used for HTTP, like:

          <Directory /var/www/exemple.com>
          Options Indexes FollowSymLinks MultiViews
          AllowOverride All
          Order allow,deny
          allow from all
          </Directory>

    The use of mod_rewrite requires AllowOverride to be set in order to act; check your SSL conf file to ensure this is set.

    I hope it helps!

    Albert.



  • 3.  Re: Manage IP white list with CA Access Gateway

    Posted Jul 06, 2017 08:29 AM

    Thank you Albert,

    We are speaking about CA Access Gateway; I'm not sure in which part I can insert the suggested code. I already tried in the existing Directory .... but I got errors like this one:

          AH00526: Syntax error on line 229 of /opt/CA/secure-proxy/httpd/conf/extra/httpd-ssl.conf:
          Invalid command 'Order', perhaps misspelled or defined by a module not included in the server configuration

    Thanks

    Camil



  • 4.  Re: Manage IP white list with CA Access Gateway
    Best Answer

    Posted Jul 06, 2017 09:53 AM

    Hi Camil,

    I was thinking of a plain Apache server when I saw all the Rewrite directives... Have you added the rewrite rule and condition only in httpd.conf? Or did you add them as well under the VirtualHost for 443 in httpd-ssl.conf? I mean these:

          RewriteCond %{REMOTE_ADDR} ^192\.168\.80\.1$
          RewriteRule ^ https://sps01.cmdom.ca/affwebservices/public/notauthorized.html [L,R=301]

    Best regards,

    Albert



  • 5.  Re: Manage IP white list with CA Access Gateway

    Posted Jul 06, 2017 12:10 PM

    Thank you very much Albert.

    It works!

    So I have chosen the following configuration for the test:

    In /opt/CA/secure-proxy/httpd/conf/httpd.conf

    Load the rewrite module (right after the LoadModule section):

          LoadModule rewrite_module modules/mod_rewrite.so

    At the end of the file I added (I have chosen an external URL in order to avoid a loop):

          RewriteEngine On
          RewriteCond %{REMOTE_ADDR} ^192\.168\.80\.1$
          RewriteRule ^ https://it.wordpress.org/plugins/all-404-redirect-to-homepage/ [L,R=301]

    In /opt/CA/secure-proxy/httpd/conf/extra/httpd-ssl.conf

    before the </VirtualHost> (end of the VH configuration) I added:

          RewriteEngine On
          RewriteCond %{REMOTE_ADDR} ^192\.168\.80\.1$
          RewriteRule ^ https://it.wordpress.org/plugins/all-404-redirect-to-homepage/ [L,R=301]

    Thank you again.

    Camil
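As an added illustration (not code from the thread, from CA/Symantec, or from the Access Gateway product), the following Python script models how mod_rewrite evaluates the REMOTE_ADDR condition used above and reproduces what the thread observed: with the rules only in httpd.conf, the :443 VirtualHost lets the blocked client through, and once the same block sits inside the SSL VirtualHost both listeners redirect. It also shows why the pattern must be anchored with escaped dots, and how a negated condition turns the single-address block into an allowlist. The address, redirect URL and regex come from the posts; the allowlist networks, the dictionary standing in for the two VirtualHosts, and all function names are assumptions made for this example.

```python
import ipaddress
import re

# Values taken from the thread.
BLOCKED_CLIENT = "192.168.80.1"
NOT_AUTHORIZED_URL = "https://sps01.cmdom.ca/affwebservices/public/notauthorized.html"
# Constructed allowlist for the negated-condition case (assumed, not from the thread).
ALLOWED_NETWORKS = ["10.0.0.0/8", "192.168.80.0/24"]


def anchored_ip_pattern(ip):
    """Regex matching exactly one address, as the thread's RewriteCond does:
    every dot escaped and both ends anchored."""
    return "^" + re.escape(ip) + "$"


def rewrite_cond_matches(remote_addr, pattern, negate=False):
    """Evaluate one 'RewriteCond %{REMOTE_ADDR} <pattern>' the way mod_rewrite
    does: an unanchored regex search, inverted when the pattern carries '!'."""
    matched = re.search(pattern, remote_addr) is not None
    return (not matched) if negate else matched


def simulate_request(scheme, remote_addr, config):
    """Return the redirect target, or None when the request passes through.

    'config' maps a scheme ('http'/'https', standing in for the :80 and :443
    VirtualHosts) to a list of (pattern, negate, target) tuples.  A VirtualHost
    with no rules passes every request, which is what Camil saw on 443 before
    the block was copied into httpd-ssl.conf: mod_rewrite directives in the
    main server context are not inherited by a VirtualHost unless
    'RewriteOptions Inherit' is set there.
    """
    for pattern, negate, target in config.get(scheme, []):
        if rewrite_cond_matches(remote_addr, pattern, negate):
            return target
    return None


def client_in_allowlist(remote_addr, networks):
    """CIDR allowlist check.  The mod_rewrite equivalent of 'only these clients'
    is a negated condition (RewriteCond %{REMOTE_ADDR} !^...$) so that every
    address outside the list is the one redirected."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in ipaddress.ip_network(n) for n in networks)


RULE = anchored_ip_pattern(BLOCKED_CLIENT)

# Before the fix: rules only in httpd.conf, nothing under the 443 VirtualHost.
INITIAL_CONFIG = {"http": [(RULE, False, NOT_AUTHORIZED_URL)], "https": []}
# After the fix: the same block also inside the SSL VirtualHost.
FIXED_CONFIG = {
    "http": [(RULE, False, NOT_AUTHORIZED_URL)],
    "https": [(RULE, False, NOT_AUTHORIZED_URL)],
}

if __name__ == "__main__":
    for scheme in ("http", "https"):
        print(scheme, "before fix:", simulate_request(scheme, BLOCKED_CLIENT, INITIAL_CONFIG))
        print(scheme, "after fix: ", simulate_request(scheme, BLOCKED_CLIENT, FIXED_CONFIG))
    # Unanchored, unescaped pattern: '192.168.80.1' also matches 192.168.80.10.
    print("loose pattern hits .10:", rewrite_cond_matches("192.168.80.10", "192.168.80.1"))
    print("anchored pattern hits .10:", rewrite_cond_matches("192.168.80.10", RULE))
    print("10.1.2.3 allowlisted:", client_in_allowlist("10.1.2.3", ALLOWED_NETWORKS))
```

Run it with `python3` and it prints the http/https outcome before and after the fix. Two points worth checking in a real deployment: REMOTE_ADDR is the address of whatever opened the TCP connection, so behind a load balancer or reverse proxy it is the balancer's address and the condition would silently match (or never match) the wrong peer; and a condition written without `^`, `$` and escaped dots will also match longer addresses such as `192.168.80.10`, which `rewrite:trace3` logging will reveal in the matched-value lines.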