How to block specific API at Apache level?

Block access to the public API calls.

Open Apache's configuration file and add the snippet below inside the <VirtualHost> block.

The configuration below is an example that blocks unauthorised API calls to the institute, sites and users modules.

    RewriteEngine On
    RewriteCond %{HTTP:X-OS-API-TOKEN} ^$
    RewriteCond %{HTTP:Cookie} !^osAuthToken
    RewriteRule .*?(institutes|sites|users) - [F]

    # If URL is like https://test.openspecimen.org/os-test then configuration changes as below.
    RewriteEngine On
    RewriteCond %{HTTP:X-OS-API-TOKEN} ^$
    RewriteCond %{HTTP:Cookie} !^osAuthToken
    RewriteRule .*?os-test.*?(institutes|sites|users) - [F]


Block all the URLs except the specimen catalog URL.

    <VirtualHost *:80>
        ServerName <domain name>
        ProxyPass / ajp://localhost:8009/openspecimen/
        ProxyPassReverse / ajp://localhost:8009/openspecimen/
        .......
        .......
        RewriteEngine On

        RewriteRule ^/fonts/ - [L]
        RewriteRule ^/styles/ - [L]
        RewriteRule ^/images/ - [L]
        RewriteRule ^/modules/ - [L]
        RewriteRule ^/plugin-ui-resources/ - [L]
        RewriteRule ^/rest/ng/(specimen-catalogs|user-otp-details|external-dashboards|config-settings) - [L]
        RewriteRule ^/rest/ng/.*$ - [F]
    </VirtualHost>
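
To check which requests the two rule sets above let through before reloading Apache, the following added example (not part of the original page or of OpenSpecimen) models them in Python and evaluates constructed requests. The names `TOKEN_RULES`, `CATALOG_RULES` and `decide` are hypothetical, and the model assumes default mod_rewrite behaviour: the rule pattern is tested first, conditions are ANDed, and a missing header expands to an empty string.

```python
import re

# Each rule: (conditions, url_pattern, flag). Flag "F" answers 403 Forbidden;
# "L" stops rule processing, so the request is passed on unchanged.
# A condition is (header_name, regex, negate); negate=True models the "!" prefix.
TOKEN_RULES = [
    ([("X-OS-API-TOKEN", r"^$", False),       # header absent or empty
      ("Cookie", r"^osAuthToken", True)],     # Cookie header does not START with osAuthToken
     r".*?(institutes|sites|users)", "F"),
]
CATALOG_RULES = [([], p, "L") for p in (
    r"^/fonts/", r"^/styles/", r"^/images/", r"^/modules/", r"^/plugin-ui-resources/",
    r"^/rest/ng/(specimen-catalogs|user-otp-details|external-dashboards|config-settings)",
)] + [([], r"^/rest/ng/.*$", "F")]


def decide(rules, path, headers=None):
    """Return 403 if an [F] rule fires for this request, otherwise 200."""
    headers = headers or {}
    for conds, pattern, flag in rules:
        if not re.search(pattern, path):      # rule pattern is checked before conditions
            continue
        if all(bool(re.search(rx, headers.get(name, ""))) != negate
               for name, rx, negate in conds):
            return 403 if flag == "F" else 200
    return 200                                # no rule matched: request is proxied


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        (TOKEN_RULES, "/rest/ng/users", {}),
        (TOKEN_RULES, "/rest/ng/users", {"Cookie": "osAuthToken=abc"}),
        (TOKEN_RULES, "/rest/ng/users", {"Cookie": "JSESSIONID=1; osAuthToken=abc"}),
        (TOKEN_RULES, "/rest/ng/sites", {"X-OS-API-TOKEN": "any-value"}),
        (CATALOG_RULES, "/rest/ng/specimen-catalogs/1", {}),
        (CATALOG_RULES, "/rest/ng/users", {}),
        (CATALOG_RULES, "/index.html", {}),
    ]
    for rules, path, headers in samples:
        print(decide(rules, path, headers), path, headers)
```

The run shows two properties of the first rule set: it tests only that the token header is non-empty, so validating the token remains the application's job, and the `^` anchor rejects a session whose `Cookie` header lists another cookie before `osAuthToken`. In the second rule set, paths outside `/rest/ng/` that match no rule are still proxied.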


Block all URLs except participant.

    <VirtualHost>
        .....
        RewriteEngine On
        # Forbid every request whose URI is not a participant URL ("!" negates the match)
        RewriteCond %{REQUEST_URI} !^/<instance-name>/rest/ng/participants/\d+$
        RewriteRule ^.*$ - [F]
    </VirtualHost>

Example:

    <VirtualHost>
        .....
        RewriteEngine On
        # Conditions are ANDed: forbid only when the URI matches neither instance's participant URL
        RewriteCond %{REQUEST_URI} !^/openspecimen-test/rest/ng/participants/\d+$
        RewriteCond %{REQUEST_URI} !^/openspecimen-production/rest/ng/participants/\d+$
        RewriteRule ^.*$ - [F]
    </VirtualHost>

Once the configuration is done, restart the Apache server.