Trimbee

Reputation: 95

rewritecond based on http status code

Is there any way in Apache to set a rewrite condition based on what HTTP code response you're getting? The server in front of an OAuth proxy (Apache) that redirects (302) to my auth provider; however I don't want it to proxy anything in the websocket directory -- I'd rather it 403 instead. This is all to prevent it from constantly trying to reauth which it isn't authorized and building up lots of state cookies for OpenIDC.

Thanks for the consideration.

Something like this:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^my\.server\.co$
RewriteCond %{HTTP_RESPONSE} 302
RewriteCond %{REQUEST_URI}  ^/websocket
RewriteRule (.*) $1 [F,L,NC]

Upvotes: 2

Views: 6734

Answers (3)

jave.web

Reputation: 15052

Yes, there is.

TL;DR - respond 404 when 403

The error document may have to exist.

ErrorDocument 404 /404.html

RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 403
RewriteRule ^ - [R=404,L]

You would create a file 404.html in the web root. NOTE: Doesn't work with deny from all!

The Apache "Environment Variables" (!NOT! system env. vars)

A quote from these docs: https://httpd.apache.org/docs/2.4/env.html#preamble

Second, the Apache HTTP Server provides a mechanism for storing information in named variables that are also called environment variables

The access to %{ENV:variable} is documented in:

REDIRECT_STATUS

Important quotes from these docs: https://httpd.apache.org/docs/2.4/custom-error.html#variables

REDIRECT_URL, REDIRECT_STATUS, and REDIRECT_QUERY_STRING are guaranteed to be set, and the other headers will be set only if they existed prior to the error condition

REDIRECT_ environment variables are created from the environment variables which existed prior to the redirect

I tried to find some sort of official list with Apache environment variables, but the best I could find was in the link above in:

I'm guessing it is implied that you know what it means when you've got this far 🤷

RewriteRule Flags [R=404,L]

  1. R - although it refers to "R|redirect", it doesn't have to mean Location redirect:

The status code specified need not necessarily be a redirect (3xx) status code. However, if a status code is outside the redirect range (300-399) then the substitution string is dropped entirely, and rewriting is stopped as if the L were used.

  2. L refers to "L|last" - basically don't do anything else:

The [L] flag causes mod_rewrite to stop processing the rule set. In most contexts, this means that if the rule matches, no further rules will be processed.

BTW: this answer is according to the Apache 2.4 docs - Apache 2.4 was released in 2012

Upvotes: 1

Won Phạm

Reputation: 11

Other solution

RewriteEngine on

ErrorDocument 403 /%{REQUEST_URI}/403.shtml
ErrorDocument 404 /%{REQUEST_URI}/404.shtml

RewriteCond %{REQUEST_URI} /([0-9]{3}+).shtml$ [NC]
RewriteRule (.*) $1 [R=%1,L]

Upvotes: 1

Hans Z.

Reputation: 54088

You should be able to use:

<Location /websocket>
    OIDCUnAuthAction 401
</Location>

As documented here in the configuration primitives:

# (Optional)
# Defines the action to be taken when an unauthenticated request is made.
# "auth" means that the user is redirected to the OpenID Connect Provider or Discovery page.
# "401" means that HTTP 401 Unauthorized is returned.
# "pass" means that an unauthenticated request will pass but claims will still be passed when a user happens to be authenticated already
# Useful in Location/Directory/Proxy path contexts that serve AJAX/Javascript calls and for "anonymous access"
# When not defined the default "auth" is used.
#OIDCUnAuthAction [auth|pass|401]

(well it would return a 401 status code instead of a 403)

Upvotes: 3
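
The OIDCUnAuthAction approach from the answer above, placed in context. This is an added example, not code from any of the posts or from the mod_auth_openidc project. The backend address 127.0.0.1:8080 and the proxy lines are assumptions, and the provider and client settings are assumed to be configured elsewhere.

```apache
# Fragment for the existing virtual host serving my.server.co.
# Assumes mod_auth_openidc, mod_proxy, mod_proxy_http and mod_proxy_wstunnel
# are loaded and the OIDC provider/client directives are already set.

# Site default: an unauthenticated request is redirected (302) to the
# OpenID Connect provider. This is the behaviour that accumulates state
# cookies when a client keeps retrying without ever completing the login.
<Location />
    AuthType openid-connect
    Require valid-user
    # OIDCUnAuthAction auth    (the default when the directive is not set)
</Location>

# WebSocket path: a valid session is still required, but an unauthenticated
# request is answered with 401 instead of a redirect, so no new
# authentication request (and no state cookie) is started for it.
<Location /websocket>
    AuthType openid-connect
    Require valid-user
    OIDCUnAuthAction 401
</Location>

# Assumed backend. The more specific ProxyPass must come first.
ProxyPass        /websocket ws://127.0.0.1:8080/websocket
ProxyPass        /          http://127.0.0.1:8080/
ProxyPassReverse /          http://127.0.0.1:8080/
```

After a reload, an unauthenticated request to /websocket should return 401 with no Location header and no Set-Cookie for a state cookie, while the same request to / should still return the 302 to the provider.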
