Specify a separate file download domain using rewrite rules


Overview

Files added to the Activities, Blogs, or Files features could contain malicious code that exploits cross-site scripting vulnerabilities in some browsers. You can add rewrite rules to the IBM HTTP Server configuration file to force the Web browser to recognize any downloaded file as content that is independent of the feature it was downloaded from, and to treat it accordingly.

Most Web browsers have security features that prevent scripts that originate in one domain from accessing information in a browser session in another domain. This security feature is loosely called the same-origin policy. For this purpose, a domain is made up of a protocol (such as HTTP) and the host name that the page is loaded from. You can use the following procedure to force files downloaded from Activities, Blogs, or Files to be identified as coming from a different domain than the feature's own Web browser session.

When Siteminder is configured, the cookie domain is determined by the Siteminder CookieDomain setting, which defines a single, fixed domain in IBM HTTP Server. This means that, without additional effort, the download domain must share single sign-on with the application if Siteminder is used. See Mitigating a cross site scripting attack for more information about this risk.


Minimize cross-site scripting risk posed by files downloaded from an activity, blog, or file collection

  1. Register a new DNS domain alias for downloads from the Activities, Blogs, or Files sites, which points to the Activities, Blogs, or Files domain respectively. For example, if your server domain name for Activities is...

      activities.acme.com

    ...you could name the alias...

      activities-downloads.acme.com

    ...and have it point to the same IP address.

  2. If required, configure a certificate for the download domain.

  3. Edit httpd.conf, which is located in the following directory:

    • AIX: /usr/IBM/HTTPServer/conf
    • Linux: /opt/IBM/HTTPServer/conf
    • Microsoft Windows: C:\IBM\HTTPServer\conf

  4. Enable the rewrite module. If the following line of text is commented out, uncomment it. If the statement is not present, add it.

      LoadModule rewrite_module modules/mod_rewrite.so

  5. Edit the configuration to indicate that the download domain allows download and login actions only and forbids all other actions. To do so, add the following block of text to the non-SSL virtual host section of the configuration file:

    • Activities:

        RewriteEngine On
        # Send a download requested on the application host to the download host.
        # The activitiesExtendedDescription download is excluded from the redirect.
        RewriteCond %{SERVER_NAME} !^activities-downloads.acme.com$ [NC]
        RewriteCond $1 !.*activitiesExtendedDescription.*$ [NC]
        RewriteRule ^/activities/service/download/(.+)$ http://activities-downloads.acme.com/activities/service/download/$1 [L]
        # On the download host, forbid every non-GET/HEAD request except the login form post.
        RewriteCond %{SERVER_NAME} ^activities-downloads.acme.com$ [NC]
        RewriteCond %{REQUEST_METHOD} !^(GET|HEAD)$ [NC]
        RewriteCond %{REQUEST_URI} !^/activities/auth/j_security_check$
        RewriteRule .* - [F]
        # On the download host, forbid every GET/HEAD request that is neither a download
        # nor one of the login and static resource paths listed here.
        RewriteCond %{SERVER_NAME} ^activities-downloads.acme.com$ [NC]
        RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
        RewriteCond %{REQUEST_URI} !^/activities/auth/login.jsp$
        RewriteCond %{REQUEST_URI} !^/activities/auth/j_security_check$
        RewriteCond %{REQUEST_URI} !^/activities/nav/.+$
        RewriteCond %{REQUEST_URI} !^/activities/bundles/.+$
        RewriteCond %{REQUEST_URI} !^/activities/styles/.+$
        RewriteCond %{REQUEST_URI} !^/activities/javascript/.+$
        RewriteRule !^/activities/service/download/(.+)$ - [F]

    • Blogs:

        RewriteEngine On
        # Send GET and HEAD requests for blog resources on the application host to the download host.
        RewriteCond %{SERVER_NAME} !^blogs-downloads.acme.com$ [NC]
        RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
        RewriteRule ^/blogs/(.+)/resource(/.+)?$ http://blogs-downloads.acme.com/blogs/$1/resource$2 [L]
        # On the download host, forbid every non-GET/HEAD request except the login form post.
        RewriteCond %{SERVER_NAME} ^blogs-downloads.acme.com$ [NC]
        RewriteCond %{REQUEST_METHOD} !^(GET|HEAD)$ [NC]
        RewriteCond %{REQUEST_URI} !^/blogs/j_security_check$
        RewriteRule .* - [F]
        # On the download host, forbid every GET/HEAD request that is neither a resource download
        # nor one of the login and static resource paths listed here.
        RewriteCond %{SERVER_NAME} ^blogs-downloads.acme.com$ [NC]
        RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
        RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/login.do$
        RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/login-redirect.jsp$
        RewriteCond %{REQUEST_URI} !^/blogs/j_security_check$
        RewriteCond %{REQUEST_URI} !^/blogs/bundles/css/.+$
        RewriteCond %{REQUEST_URI} !^/blogs/nav/.+$
        RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/images/.+$
        RewriteCond %{REQUEST_URI} !^/blogs/.+/resource(/.+)?$
        RewriteRule .* - [F]

    • Files:

        RewriteEngine On
        # Send GET and HEAD requests for file content on the application host to the download host.
        RewriteCond %{SERVER_NAME} !^files-downloads.acme.com$ [NC]
        RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
        RewriteRule ^/files(/.*)?/(document|draft|attachment|version)/([^/]*)/media(/[^/]*/*)?$ http://files-downloads.acme.com/files$1/$2/$3/media$4 [L]

        # If SSL is enabled for the component, remove the commenting from the two
        # lines below to redirect the login.
        # RewriteCond %{SERVER_NAME} ^files-downloads.acme.com$ [NC]
        # RewriteRule ^/files/login$ https://files-downloads.acme.com/files/login [L]
        # On the download host, forbid every non-GET/HEAD request except the login form post.
        RewriteCond %{SERVER_NAME} ^files-downloads.acme.com$ [NC]
        RewriteCond %{REQUEST_METHOD} !^(GET|HEAD)$ [NC]
        RewriteCond %{REQUEST_URI} !^/files/j_security_check$
        RewriteRule .* - [F]
        # On the download host, forbid every GET/HEAD request that is neither a file download
        # nor one of the login and static resource paths listed here.
        RewriteCond %{SERVER_NAME} ^files-downloads.acme.com$ [NC]
        RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$ [NC]
        RewriteCond %{REQUEST_URI} !^/files/login$
        RewriteCond %{REQUEST_URI} !^/files/j_security_check$
        RewriteCond %{REQUEST_URI} !^/files/images/.+$
        RewriteCond %{REQUEST_URI} !^/files/nav/.+$
        RewriteCond %{REQUEST_URI} !^/files/js/.+$
        RewriteCond %{REQUEST_URI} !^/files(/.*)?/(document|draft|attachment|version)/([^/]*)/media(/[^/]*/*)?$
        # If the IHS fast file serving module (mod_ibm_local_redirect.so) is enabled,
        # then you need to add access on the download domain for the alias you added
        # when configuring the module by replacing <FILES_CONTENT_DIR> with this value
        # and uncommenting the condition below.
        # See Configuring Files and Wikis downloading for production deployments.
        # RewriteCond %{REQUEST_URI} !^/<FILES_CONTENT_DIR>/.+$
        # The RewriteRule must stay active and follow the conditions above; conditions
        # that are not followed by a rule have no effect.
        RewriteRule .* - [F]

    Each RewriteCond and RewriteRule directive must occupy a single line in the configuration file. If you are cutting and pasting these statements, make sure that no long statement, such as a URL, has been broken across lines after you paste it into the configuration file.

    Replace the acme.com host names with the download domain alias that you created for the feature.

  6. If you are sending traffic over SSL, add the same set of statements to the SSL virtual host section of the configuration file, but update all Web address references to indicate HTTPS instead of HTTP.

    There are a few statements in the snippets for Files that must be either included or commented out depending on whether or not SSL is enabled.

  7. Add the rules from the previous step to any other virtual host sections of the configuration file.

  8. Save and close the configuration file.
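The three rule sets in step 5 implement one policy: downloads requested on the application host are redirected to the download host, and the download host accepts only downloads, the login form, and the static resources the login page needs. The following Python script, added here as an example and not part of IBM's documentation or product, models that policy for Activities, Blogs, and Files using the patterns and acme.com host names from the page, so that you can check what the rules would do with a given request (host, method, path) before you deploy them. It does not run mod_rewrite; the class and function names are the example's own and the sample requests are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Example model of the page's rewrite policy; not IBM's code, and it does not run mod_rewrite.
# Host names follow the page's acme.com examples; the sample requests below are constructed.


@dataclass(frozen=True)
class DownloadDomainPolicy:
    download_host: str                      # the download alias, e.g. activities-downloads.acme.com
    download_path: str                      # RewriteRule pattern that identifies a download URL
    allowed_get: Tuple[str, ...]            # RewriteCond exceptions for GET/HEAD on the download host
    allowed_other: Tuple[str, ...]          # RewriteCond exceptions for every other method
    redirect_get_only: bool = True          # Blogs and Files redirect GET/HEAD only
    redirect_exclude: Optional[str] = None  # Activities skips activitiesExtendedDescription

    def decide(self, server_name: str, method: str, uri: str) -> Tuple[str, Optional[str]]:
        """Return ("redirect", url), ("forbid", None) or ("pass", None) for one request.

        Only the URL path is examined, as the page's RewriteRule patterns do; mod_rewrite
        would append a query string to the redirect target unchanged.
        """
        on_download_host = server_name.lower() == self.download_host.lower()
        is_get = method.upper() in ("GET", "HEAD")          # [NC] on REQUEST_METHOD
        m = re.match(self.download_path, uri)

        if not on_download_host:
            # Block 1: a download requested on the application host goes to the download host.
            # The substitutions on the page rebuild the matched path, so the target is host + path.
            excluded = bool(self.redirect_exclude and m and
                            re.search(self.redirect_exclude, m.group(1) or "", re.I))
            if m and (is_get or not self.redirect_get_only) and not excluded:
                return ("redirect", f"http://{self.download_host}{uri}")
            return ("pass", None)

        if is_get:
            # Block 3: GET/HEAD on the download host is allowed only for a download
            # or for the login and static resource paths listed in the rules.
            allowed = bool(m) or any(re.match(p, uri) for p in self.allowed_get)
        else:
            # Block 2: any other method on the download host is allowed only for the login post.
            allowed = any(re.match(p, uri) for p in self.allowed_other)
        return ("pass", None) if allowed else ("forbid", None)


ACTIVITIES = DownloadDomainPolicy(
    download_host="activities-downloads.acme.com",
    download_path=r"^/activities/service/download/(.+)$",
    allowed_get=(r"^/activities/auth/login.jsp$", r"^/activities/auth/j_security_check$",
                 r"^/activities/nav/.+$", r"^/activities/bundles/.+$",
                 r"^/activities/styles/.+$", r"^/activities/javascript/.+$"),
    allowed_other=(r"^/activities/auth/j_security_check$",),
    redirect_get_only=False,
    redirect_exclude=r"activitiesExtendedDescription",
)

BLOGS = DownloadDomainPolicy(
    download_host="blogs-downloads.acme.com",
    download_path=r"^/blogs/(.+)/resource(/.+)?$",
    allowed_get=(r"^/blogs/roller-ui/login.do$", r"^/blogs/roller-ui/login-redirect.jsp$",
                 r"^/blogs/j_security_check$", r"^/blogs/bundles/css/.+$",
                 r"^/blogs/nav/.+$", r"^/blogs/roller-ui/images/.+$"),
    allowed_other=(r"^/blogs/j_security_check$",),
)

FILES = DownloadDomainPolicy(
    download_host="files-downloads.acme.com",
    download_path=r"^/files(/.*)?/(document|draft|attachment|version)/([^/]*)/media(/[^/]*/*)?$",
    allowed_get=(r"^/files/login$", r"^/files/j_security_check$", r"^/files/images/.+$",
                 r"^/files/nav/.+$", r"^/files/js/.+$"),
    allowed_other=(r"^/files/j_security_check$",),
)


def policy_for(uri: str) -> DownloadDomainPolicy:
    """Pick the rule set by context root, as the three blocks sit side by side in httpd.conf."""
    return {"activities": ACTIVITIES, "blogs": BLOGS, "files": FILES}[uri.split("/")[1]]


SAMPLE_REQUESTS = (  # constructed requests, not taken from any real deployment
    ("activities.acme.com", "GET", "/activities/service/download/123/report.html"),
    ("activities-downloads.acme.com", "GET", "/activities/service/html/mainpage"),
    ("activities-downloads.acme.com", "POST", "/activities/auth/j_security_check"),
    ("blogs.acme.com", "GET", "/blogs/myblog/resource/a.png"),
    ("files.acme.com", "GET", "/files/app/document/abc123/media/plan.pdf"),
    ("files-downloads.acme.com", "POST", "/files/app/document/abc123/entry"),
)

if __name__ == "__main__":
    for host, method, uri in SAMPLE_REQUESTS:
        action, target = policy_for(uri).decide(host, method, uri)
        print(f"{method:5} {host}{uri} -> {action}{' ' + target if target else ''}")
```

Running the script prints one decision per sample request. The useful check is the "forbid" outcomes on the download host: any application page, API call, or form post that is not a download or part of the login flow must come back forbidden, which is what stops a script in a downloaded file from reaching the feature's session. Adjust the host names and, if you changed the allowed login or static paths in httpd.conf, the corresponding tuples, so that the model matches the configuration you deploy.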



Related tasks

Mitigating a cross site scripting attack

Configure Files and Wikis downloading for production deployments

