Question


Due to critical cybersecurity vulnerabilities, the customer is asking how to disable access to the Keycloak URL https://<BRAND_NAME>/auth/ for a certain brand.


Answer


According to the Apache configuration documentation (Apache Docs), <LocationMatch> can be used to disable any specific URL path pattern.

Therefore, a <LocationMatch> section needs to be added to the Apache configuration file of each requested brand.


Resolution


1st: Open a shell in the branding-ui-cluster-ui container of the branding-ui pod:

kubectl exec -ti branding-ui-cluster-ui-<pod_id> -c branding-ui-cluster-ui -- /bin/bash

2nd: Edit the HTTPS VirtualHost in /etc/httpd/brand.conf.d/<brand_name.conf> as follows:

<VirtualHost *:443>
        ServerName <server-name>
        DocumentRoot /var/www/brands/<Brand_Name>
        # Deny requests whose URL path matches the Keycloak /auth/ pattern
        <LocationMatch "\/auth(\/)$.*">
                Require all denied
        </LocationMatch>
        <IfDefine !USE_CUSTOM_DEFAULT_PROXY_TIMEOUT>
                ProxyTimeout 300
        </IfDefine>
        <IfDefine USE_CUSTOM_DEFAULT_PROXY_TIMEOUT>
                ProxyTimeout ${DEFAULT_PROXY_TIMEOUT}
        </IfDefine>

        SSLEngine on
        SSLProxyEngine on

<IfModule mod_cache.c>

3rd: Restarting the branding-ui pod in the branding-ui-cluster-httpd container will also be required:


kubectl exec -ti branding-ui-cluster-ui-<pod_id> -c branding-ui-cluster-httpd -- /bin/bash


4th: To apply these changes permanently, the customer can export and import the config files so that the changes can be applied again after every pod restart:


kubectl cp branding-ui-cluster-ui-<POD_ID>:/etc/httpd/brand.conf.d/<brand-name.conf> <k8s node destination path/new_file_name>


kubectl cp <k8s node destination path/new_file_name> branding-ui-cluster-ui-<POD_ID>:/etc/httpd/brand.conf.d/<brand-name.conf>
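
To check which request paths the <LocationMatch> expression from the 2nd step denies before relying on it, the following added example (not part of the original article) evaluates it against constructed sample paths. TREE_PATTERN and the sample paths are assumptions, and Python's re module is assumed to treat these two expressions the same way as Apache's PCRE.

```python
import re

# Pattern copied from the <LocationMatch> in the 2nd step of this page.
PAGE_PATTERN = r"\/auth(\/)$.*"
# Assumed alternative (not from the page): anchored, covers /auth and everything below it.
TREE_PATTERN = r"^/auth(/|$)"

# Constructed sample request paths; the sub-paths are illustrative only.
SAMPLE_PATHS = [
    "/auth/",
    "/auth",
    "/auth/admin/",
    "/auth/realms/master/account",
    "/portal/auth/",
    "/authors/list",
    "/index.html",
]


def denied_paths(pattern, paths=SAMPLE_PATHS):
    """Return the paths the pattern matches.

    <LocationMatch> is unanchored, so re.search() is the equivalent of how
    Apache applies the expression to the URL path.
    """
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def coverage_report(patterns, paths=SAMPLE_PATHS):
    """Build one row per path with a DENY/allow verdict for each pattern."""
    compiled = [re.compile(p) for p in patterns]
    rows = []
    for path in paths:
        verdicts = ["DENY" if rx.search(path) else "allow" for rx in compiled]
        rows.append((path, *verdicts))
    return rows


if __name__ == "__main__":
    print(f"{'path':<32}{'page pattern':<16}{'tree pattern'}")
    for path, page, tree in coverage_report([PAGE_PATTERN, TREE_PATTERN]):
        print(f"{path:<32}{page:<16}{tree}")
```

The expression from the page matches only paths that end in /auth/, at any depth, so whether sub-paths also need to be denied depends on what the customer wants blocked.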