Stop redirecting to SSO portal by default, report HTTP error instead

Hello everyone,

With the standard installation, access to the HTTP server will by default redirect to the SSO sign-in page, even if the requested URL is not supposed to exist. It can be observed in the access log. For instance, here a robot tried to access “humans.txt” (whatever the reason) and was redirected to the SSO login page:

93.158.90.71 - - [24/Feb/2023:01:29:24 +0100] "GET /humans.txt HTTP/1.1" 302 138 "http://mydomain.fake/humans.txt" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
93.158.90.70 - - [24/Feb/2023:01:29:25 +0100] "GET /yunohost/sso/?r=aHR0cHM6Ly9vY3JvcXVldHRlLmZyL2h1bWFucy50eHQ= HTTP/1.1" 200 3087 "https://mydomain.fake/humans.txt" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"

It immediately reveals to any human or robot that the server is running Yunohost, as well as the login page. While security by obscurity alone is not a good idea, giving information away for free is not a good idea either. In addition, the standard behavior on the web is to send a 404 error for invalid URLs, for instance https://google.com/invalid_page

So I looked at how to do this on Yunohost, and it turned out to be difficult. I was not the first one; I found some similar requests:

But unfortunately there is no solution that would look clean and/or work with the current version of Yunohost (SSO was refactored in the meantime).

After a couple of hours hacking around, I found the following “solution”:

/etc/ssowat/conf.json.persistent
{
    "redirected_regex": {
        "https?://[^/]+/(?!app1[\\Z/]|app2[\\Z/]|yunohost[\\Z/]|\\.well-known/).*": "https://mydomain.fake/landing_page"
    }
}

The “landing_page” is a “My_webapp” app with no index.html. Accessing it sends back a 403 error, which is good enough for me.
This solution has major drawbacks though:

  • the list of URLs (app1, app2…) has to be maintained manually in redirected_regex
  • the format of redirected_regex is cumbersome (it is a PCRE regex by the way, not Python’s)
  • maybe this will have some unwanted side-effects, especially after updates

Are there some better ways to achieve this?

@Aleks Would it be theoretically possible to add this behavior as an option?

My next step is to try to customize the SSO URL, to prevent robots from easily identifying Yunohost servers. In case of security issues in Yunohost (patched or unpatched), this will make it harder to find targets.

7 Likes
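As an added example (not from the original post, and not YunoHost's or SSOwat's own code), the following Python script translates the intent of the `redirected_regex` above into Python's `re` syntax (the PCRE `[\Z/]` from the post is written as `(?:$|/)`, since Python's `re` does not accept `\Z` inside a character class) and then runs it over a few constructed access-log lines in the format shown in the post, listing requests for paths outside the known apps that received the default 302 redirect. This is the kind of check one can run against an existing access log to see which paths are being probed and would leak the SSO page. The host `mydomain.fake` and the app names `app1`/`app2` are placeholders taken from the post; the log lines, IP addresses and the `/sitemap.xml` request are constructed.

```python
import re

# Known top-level path prefixes that must keep their normal (SSO) handling.
# Placeholder names from the post; replace with the real app paths.
APP_PREFIXES = ["app1", "app2", "yunohost", ".well-known"]

# Placeholder host name from the post, used to rebuild a full URL from a log path.
HOST = "mydomain.fake"


def build_catch_all_regex(prefixes):
    """Python-re equivalent of the post's redirected_regex: match any URL whose
    first path segment is NOT one of the known prefixes (as a whole segment,
    so 'app10' does not pass as 'app1'). The root URL '/' is matched too,
    exactly like the original PCRE pattern."""
    alts = "|".join(re.escape(p) + r"(?:$|/)" for p in prefixes)
    return re.compile(r"^https?://[^/]+/(?!" + alts + r").*$")


def classify_url(url, pattern):
    """'landing_page' if SSOwat would redirect this URL, else 'passthrough'."""
    return "landing_page" if pattern.match(url) else "passthrough"


# Combined-format access log line (as in the post): ip ident user [ts] "req" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def flag_unknown_path_redirects(log_lines, prefixes, host=HOST):
    """Return (ip, path) for every request that (a) got a 302 and (b) targets a
    path outside the known prefixes: under the default config these are the
    redirects to /yunohost/sso/ that reveal the platform."""
    pattern = build_catch_all_regex(prefixes)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "302":
            continue
        url = f"https://{host}{m.group('path')}"
        if pattern.match(url):
            hits.append((m.group("ip"), m.group("path")))
    return hits


# Constructed sample log (RFC 5737 test addresses, not real clients).
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Feb/2023:01:29:24 +0100] "GET /humans.txt HTTP/1.1" 302 138 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Feb/2023:01:29:25 +0100] "GET /yunohost/sso/?r=QUJD HTTP/1.1" 200 3087 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Feb/2023:02:10:01 +0100] "GET /app1/ HTTP/1.1" 302 138 "-" "curl/7.88"',
    '203.0.113.9 - - [24/Feb/2023:02:10:02 +0100] "GET /sitemap.xml HTTP/1.1" 302 138 "-" "curl/7.88"',
]

if __name__ == "__main__":
    for ip, path in flag_unknown_path_redirects(SAMPLE_LOG, APP_PREFIXES):
        print(f"{ip} probed unknown path {path} and was sent to the SSO page")
```

The `/app1/` request is also a 302 (an unauthenticated app redirecting to SSO is expected) and is therefore not reported; only paths that do not belong to any known app are. Keeping `APP_PREFIXES` in one place is the same manual maintenance burden the post describes for `redirected_regex`, so the list should be regenerated whenever an app is installed or removed.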

+1 !!

This would be awesome.
