Article
· Feb 7 2m read

Splitting access by WebServer port

Recently, I needed to run Web Gateway on an additional port, but with a twist: this port should publish only one web application.
At first, I thought about configuring Web Gateway to allow only specific web applications (roughly, URLs), but the Web Gateway configuration is set once per Apache configuration:

LoadModule csp_module_sa "/opt/webgateway/bin/CSPa24.so"
CSPModulePath "/opt/webgateway/bin/"
CSPConfigPath "/opt/webgateway/bin/"

And while LoadModule is allowed in two contexts, server config and virtual host, the CSP module must be loaded once, in the server context.

But we can use two VirtualHosts and here's how:

CSPModulePath /iris/csp/bin/
CSPConfigPath /iris/csp/bin/
LoadModule csp_module_sa /iris/csp/bin/CSPa24.so

Listen 443
Listen 10443
<VirtualHost *:443>
  <Location />
    CSP On
  </Location>
</VirtualHost>

<VirtualHost *:10443>
  <Location /myapp/>
    CSP On
  </Location>
</VirtualHost>
 

Both virtual hosts use the same Web Gateway and the same CSP config, but only /myapp/ URLs are available on port 10443. Anything else gets a 404 from Apache.
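To review which URL paths each listener hands to the Web Gateway under this layout, the following added example (not part of the original article and not InterSystems code) parses a config and applies Apache's plain <Location> prefix matching per port. The function names and the /otherapp/ path are hypothetical, the embedded config is a constructed copy of the layout above, and Include files, <LocationMatch> and other section types are not handled.

```python
import re

# Constructed sample input: the two-VirtualHost layout shown in the article.
SAMPLE_CONF = """\
Listen 443
Listen 10443
<VirtualHost *:443>
  <Location />
    CSP On
  </Location>
</VirtualHost>
<VirtualHost *:10443>
  <Location /myapp/>
    CSP On
  </Location>
</VirtualHost>
"""

def csp_rules(conf):
    """Map port (None = server level) to [(location, enabled)] in file order."""
    rules, port, loc = {}, None, None
    for line in (l.strip() for l in conf.splitlines()):
        if m := re.match(r"<VirtualHost\s+\S*:(\d+)\s*>", line, re.I):
            port = int(m.group(1))
        elif re.match(r"</VirtualHost>", line, re.I):
            port = None
        elif m := re.match(r"<Location\s+\"?([^\s\">]+)\"?\s*>", line, re.I):
            loc = m.group(1)
        elif re.match(r"</Location>", line, re.I):
            loc = None
        elif (m := re.match(r"CSP\s+(On|Off)\b", line, re.I)) and loc:
            rules.setdefault(port, []).append((loc, m.group(1).lower() == "on"))
    return rules

def location_matches(loc, path):
    """Apache <Location> prefix semantics for plain (non-regex) paths."""
    if loc.endswith("/"):
        return path.startswith(loc)
    return path == loc or path.startswith(loc + "/")

def gateway_handles(conf, port, path):
    """True if a request for `path` on `port` is passed to the Web Gateway."""
    rules, enabled = csp_rules(conf), False
    # Server-level sections apply first; the virtual host's own sections override.
    for loc, on in rules.get(None, []) + rules.get(port, []):
        if location_matches(loc, path):
            enabled = on
    return enabled
```

A path for which gateway_handles returns False on a port falls through to Apache's ordinary handling, which is the 404 case described above.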

Discussion (3)

Hi @Eduard Lebedyuk, I was testing various options for configuring Apache (RHEL in my case), so I read the documentation (unbelievable, isn't it? 😂) and performed a number of tests, then I found this article in the community and... I was kind of surprised because you suggest using CSP On/Off within a <VirtualHost> directive block.

I was surprised because I excluded using a <VirtualHost> directive block since the documentation suggests not using it (emphasis mine):

Note:

Although the Web Gateway supports the use of virtual host names in application access profiles, issuing Apache configuration directives to invoke the Web Gateway (that is, CSPFileTypes and CSP On/Off) within a <VirtualHost> directive block is not supported and will yield an error. In other words, you cannot enable the Web Gateway for the desired Virtual Hosts alone; you must enable the Web Gateway within the web server’s global configuration.

My first thought was, well, this is a case where the documentation is wrong, sometimes it has happened.

At that point I was puzzled, so I tried using <VirtualHost> and, to my surprise, it worked!

Then I tried to validate my Apache config using "apachectl configtest" and:

[root@localhost conf]# apachectl configtest
[Sat Dec 21 17:22:39.632408 2024] [:warn] [pid 151005:tid 151005] Apache Configuration: CSP directive 'csp' detected in VirtualHost, only supported at default server level
[Sat Dec 21 17:22:39.632471 2024] [:warn] [pid 151005:tid 151005] Apache Configuration: CSP directive 'csp' detected in VirtualHost, only supported at default server level
[Sat Dec 21 17:22:39.632480 2024] [:warn] [pid 151005:tid 151005] Apache Configuration: CSP directive 'csp' detected in VirtualHost, only supported at default server level
Syntax OK

Not only is it documented that using CSP On/Off within a <VirtualHost> is not supported, there is also some code implemented in the CSPa24.so IRIS module to check for this and provide a warning message that says this is not supported.

Personally I'll avoid using CSP On/Off within a <VirtualHost> (at least) in production systems, unless some more info is found on this.