LinuxQuestions.org
Old 05-08-2012, 07:56 AM   #1
linux1986
LQ Newbie
 
Registered: Sep 2011
Distribution: redhat
Posts: 14

Restrict http api calls


I want to restrict access to URLs like this to only some systems.
http://example.com:1234/abc/(personId)
Any idea how this can be done? (personId) is a variable.
Is squid the only way? Because of the system load I cannot go with squid. Can this be done with iptables?
 
Old 05-08-2012, 08:53 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

I don't believe that IPtables will be of any benefit to you as it seems you want to filter at the application level. Squid or another proxy would be your best choice, but I am not going to try to debate your position of "can't handle the load". Another option would be to configure the server page(s) for the particular URL with .htaccess which accepts a wide variety of authentication options, for example: http://home.golden.net/htaccess.html
 
Old 05-08-2012, 09:05 AM   #3
linux1986
LQ Newbie
 
Registered: Sep 2011
Distribution: redhat
Posts: 14

Original Poster
Thanks for your reply. The thing is my server is providing information to mobile apps. So I have a lot of public APIs. I can't block them from the public. But there are some private APIs also, which should only be accessed from three internal systems. And I cannot add additional authentication mechanisms. So my question is how to give access to the private API calls only from the three internal servers.
 
Old 05-08-2012, 09:22 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Within apache, try some mod_rewrite fun - http://www.marmelune.net/en/drupal/d...l-with-apache/

Throw an additional RewriteCond checking on the REMOTE_ADDR value (presumably a regex matching your local subnet range) and you're done.
 
Old 05-08-2012, 09:24 AM   #5
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Now it sounds like you are changing the desired requirement. First you were saying you wanted to restrict URLs, which can be done with either .htaccess or the directory declaration in your host configuration. Now you want to restrict to a private "api", which when you say API, I interpret that as Application Program Interface, or in other words a function call or execution. Perhaps it would be best for you to provide a clear example of exactly what it is you are trying to do instead of playing obfuscation games?
 
Old 05-08-2012, 09:29 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Quote:
Originally Posted by Noway2
Now it sounds like you are changing the desired requirement. First you were saying you wanted to restrict URLs, which can be done with either .htaccess or the directory declaration in your host configuration. Now you want to restrict to a private "api", which when you say API, I interpret that as Application Program Interface, or in other words a function call or execution. Perhaps it would be best for you to provide a clear example of exactly what it is you are trying to do instead of playing obfuscation games?
Doesn't seem changed to me. htaccess is at a different level to uri filtering, with the two fitting together perfectly well. Not that I ever like using htaccess files compared to putting into a proper httpd config directory include.
 
Old 05-08-2012, 09:57 AM   #7
linux1986
LQ Newbie
 
Registered: Sep 2011
Distribution: redhat
Posts: 14

Original Poster
Sorry if my post confused you. Below is my exact requirement.

I have a web server (Tomcat) running, suppose www.example.com.
There are a lot of public APIs which serve information to mobile apps, such as:

http://www.example:1024/social/rest/...ties/(personId)
This personId is a variable; if we give different values it gives different results.

But I have some APIs which I have to keep private, which should not be open to the public. Those APIs should be accessible to three other servers: a1.example.com, a2.example.com, a3.example.com. Any idea how this can be done?

One guy just told me I can use this:
http://tomcat.apache.org/tomcat-7.0-...Address_Filter
I'm not familiar with Tomcat. I'll update here if I find something.
 
Old 05-08-2012, 10:00 AM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Missed my first reply?
 
Old 05-09-2012, 01:16 AM   #9
linux1986
LQ Newbie
 
Registered: Sep 2011
Distribution: redhat
Posts: 14

Original Poster
But that was for apache! I'm using tomcat.
 
Old 05-09-2012, 03:28 AM   #10
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

But you didn't think that was worth bothering to mention at the start??

Anyway, Apache is usually placed in front of Tomcat and then connected to with mod_proxy and mod_jk. I would still recommend this solution.
 
Old 05-09-2012, 06:58 AM   #11
linux1986
LQ Newbie
 
Registered: Sep 2011
Distribution: redhat
Posts: 14

Original Poster
@chris
I'm really sorry that I didn't mention it at the beginning. I also thought Apache was running on the front end. Only later did I come to know that only Tomcat is there. Now I'm trying it with Remote_Address_Filter in Tomcat, but so far there is no improvement.
 
Old 05-10-2012, 02:21 AM   #12
linux1986
LQ Newbie
 
Registered: Sep 2011
Distribution: redhat
Posts: 14

Original Poster
I changed the setup to apache-tomcat with mod_jk, and I have created a .htaccess file. But the problem is that .htaccess works with the directories Apache serves but not the ones under Tomcat. Any idea?
 
Old 05-10-2012, 08:20 AM   #13
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Well, as I recommended, don't use htaccess in the first place. Go direct to your config files.
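
The approach recommended in posts #4 and #13, written out as an added example that is not part of the original thread: a mod_rewrite check on REMOTE_ADDR placed in the main httpd configuration, where it applies to URLs that mod_jk forwards to Tomcat. The private path prefix, the three internal addresses and the worker name are assumptions made for illustration.

```apache
# Goes in the main server or <VirtualHost> configuration, not in .htaccess.
# .htaccess is read per filesystem directory, so it never applies to URLs
# that mod_jk hands to Tomcat; rules here are evaluated on the URL itself.
#
# Assumptions (hypothetical, not from the thread):
#   - private calls live under /social/rest/private/
#   - a1/a2/a3.example.com resolve to 10.0.0.11, 10.0.0.12, 10.0.0.13
#   - the mod_jk worker is named "tomcat1"

RewriteEngine On

# Condition 1: the request is for a private API path. A prefix match covers
# any variable segment such as (personId) that follows it.
RewriteCond %{REQUEST_URI} ^/social/rest/private/

# Condition 2: the client is NOT one of the three internal servers.
# The pattern is anchored with ^ and $ and the dots are escaped; without
# that, 10.0.0.110 or 10x0.0.11 would also be treated as internal.
RewriteCond %{REMOTE_ADDR} !^10\.0\.0\.(11|12|13)$

# Both conditions true: answer 403 Forbidden and stop. The request is
# never passed on to Tomcat.
RewriteRule ^ - [F]

# Everything else, public API included, is forwarded as usual.
JkMount /social/* tomcat1
```

The restriction only holds if Tomcat's own HTTP port is no longer reachable from outside, because requests sent directly to Tomcat never pass through these rules. REMOTE_ADDR is the address of the connecting peer, so if another proxy or load balancer sits in front of Apache the check sees that device's address rather than the client's.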
 
  

