Splitting access by WebServer port

Article

Eduard Lebedyuk · Feb 7 2m read

Recently, I needed to run WebGateway on an additional port but with a twist - this port should publish only one web application.
At first, I thought about configuring Web Gateway to allow only specific web applications (~urls), but Web Gateway configuration is per Apache configuration:

LoadModule csp_module_sa "/opt/webgateway/bin/CSPa24.so"
CSPModulePath "/opt/webgateway/bin/"
CSPConfigPath "/opt/webgateway/bin/"

And while LoadModule has two allowed contexts, server config and virtual host, the csp module must be loaded once in the server context.

But we can use two VirtualHosts and here's how:

CSPModulePath /iris/csp/bin/
CSPConfigPath /iris/csp/bin/
LoadModule csp_module_sa /iris/csp/bin/CSPa24.so

Listen 443
Listen 10443
<VirtualHost *:443>
  <Location />
    CSP On
  </Location>
</VirtualHost>

<VirtualHost *:10443>
  <Location /myapp/>
    CSP On
  </Location>
</VirtualHost>

Full httpd.conf

ServerRoot "/iris/httpd"
DocumentRoot "/iris/csp"
CSPModulePath /iris/csp/bin/
CSPConfigPath /iris/csp/bin/
LoadModule csp_module_sa /iris/csp/bin/CSPa24.so
User irisusr
Group irisusr

ServerName localhost
PidFile /iris/httpd/logs/httpd.pid
TraceEnable off
Timeout 300
KeepAlive On
MaxKeepAliveRequests 0
KeepAliveTimeout 120
UseCanonicalName Off

<Directory />
Options MultiViews FollowSymLinks
AllowOverride None
Require all granted
<FilesMatch "\.(log|ini|pid|exe|so)$">
Require all denied
</FilesMatch>
</Directory>

TypesConfig conf/mime.types
HostnameLookups Off

ErrorLog /iris/httpd/logs/error.log
LogLevel error
LogFormat "%h %l %u %t \"%r\" %>s %b" common

StartServers 5
MinSpareThreads 2
MaxSpareThreads 20
ServerLimit 256
ServerTokens Prod

Include conf/httpd-doc.conf
Include conf/httpd-local.conf
Listen 443
Listen 10443

<VirtualHost *:443>

# We need a servername, it has not effect but is required by apache
ServerName mysecureinstance

# Turn on SSL for this Virtual Host
SSLEngine on
SSLCertificateFile "/etc/certs/apache.crt"
SSLCertificateKeyFile "/etc/certs/apache.key"
<Location />
CSP On
</Location>
</VirtualHost>
<VirtualHost *:10443>

# We need a servername, it has not effect but is required by apache
ServerName mysecureinstance

# Turn on SSL for this Virtual Host
SSLEngine on
SSLCertificateFile "/etc/certs/apache.crt"
SSLCertificateKeyFile "/etc/certs/apache.key"
<Location /myapp/>
CSP On
</Location>
</VirtualHost>

Virtual Hosts use the same WebGateway and the same CSP Config, but only /myapp/ urls are available on port 10443. Anything else gets 404 from Apache.