apache.htaccessmod-rewriteopenid-connectmod-auth-openidc

rewritecond based on http status code


Is there any way in apache to set a rewrite condition based on what http code response you're getting? The server in front of an oauth proxy (apache) that redirects (302) to my auth provider; however I don't want it to proxy anything in the the websocket directory -- I'd rather it 403 instead. This is all to prevent it from constantly trying to reauth which it isn't authorized and building up lots of state cookies for OpenIDC.

Thanks for the consideration.

Something like this:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^my\.server\.co$
RewriteCond %{HTTP_RESPONSE} 302
RewriteCond %{REQUEST_URI}  ^/websocket
RewriteRule (.*) $1 [F,L,NC]

Solution

  • You should be able to use:

    <Location /websocket>
        OIDCUnAuthAction 401
    </Location>
    

    As documented here in the configuration primitives:

    # (Optional)
    # Defines the action to be taken when an unauthenticated request is made.
    # "auth" means that the user is redirected to the OpenID Connect Provider or Discovery page.
    # "401" means that HTTP 401 Unauthorized is returned.
    # "pass" means that an unauthenticated request will pass but claims will still be passed when a user happens to be authenticated already
    # Useful in Location/Directory/Proxy path contexts that serve AJAX/Javascript calls and for "anonymous access"
    # When not defined the default "auth" is used.
    #OIDCUnAuthAction [auth|pass|401]
    

    (well it would return a 401 status code instead of a 403)