John's Blog: URL Cloaking

June 12, 2012

As users move through your Rumpus server, the URL bar in their browser will normally show the user the file path to each file or folder they view. This is usually good information, as it reinforces to users where on the server they reside and is consistent with most other Web services on the 'net. But there may be cases where you would prefer to make the access URL for each file and folder on your system a little less obvious, so let's take a look at URL "cloaking".

Before we begin, a note: This method, which is similar to DNS "masking", does not significantly improve server security. Casual end users will see less information about the structure of the content on the server, but this information will be almost trivially easy to obtain by anyone with basic knowledge of how the Web works. It is important that this technique is not used as an alternative to other common-sense server security practices.

Create A Cloaking 'Frame' Page

We're going to create a page which will be placed on your primary Web site and will embed your Rumpus service. The page can be given any name you like but I'll refer to it as "FileService.html". It's contents will look like this:

<html>
<head>
<style type="text/css">
html { overflow: hidden; }
body { border: 0; margin: 0; padding: 0; }
#RumpusFrame { border: 0; margin: 0; padding: 0; }
</style>
<title>File Service</title>
</head>
<body>
<iframe name='File Service' id='RumpusFrame' src='http://rumpus.server.address/' width='100%'
height='100%' scrolling='no' frameBorder='0'>
<p>Your browser does not support iframes.</p>
</iframe>
</body>
</html>

Copy the text above and paste it into a text file. Replace the term "File Service" with whatever term you like (in 2 places), and change "rumpus.server.address" to reflect the address of your server. Now, just save the file to your primary Web server and access that page normally.

You should see your Rumpus login page and be able to log in and perform actions normally, with the only difference being that the URL bar in the browser will display the access URL of the "FileServer.html" page on your primary Web server, rather than the URL used to access content on your Rumpus server.

Fixing Microsoft Internet Explorer Access

There is a problem with MSIE due to a security requirement Microsoft imposes, and the fact that the Rumpus service is now embedded within a frameset. Basically, since the Rumpus server is embedded inside the frameset served from another source, MSIE considers the Rumpus server to be a "3rd party" server, and won't process cookies, which Rumpus uses for authentication.

What you'll need to do is set up a privacy policy in Rumpus, so that MSIE will correctly process the login cookies. In Rumpus, open the "Web Settings" window and flip to the "Advanced" tab. Set the "Extra Header" field to:

    P3P: CP='CAO PSA OUR'

Doing this causes Rumpus to send that header line in HTTP responses. The line tells browsers that your organization has a privacy policy that protects user's personal information. You really should have such a policy in place if your server is going to do that, but there is no technical enforcement.

Additional Extensions

This technique can be used for additional Web site customization and integration. The "FileService.html" page shown above causes the Rumpus frame to fill the entire browser window, but with some fairly simple HTML work, the Rumpus frame can be made to fill only part of the page. The rest of the page can be used for instructions, notices, banners or any other content you choose.

© Copyright 2017, Maxum Development Corp.