Discussion:
ProxyAllow as opposite for ProxyBlock
Stefan Kroon
2003-10-03 17:13:53 UTC
Hi,

I want to use mod_proxy to connect to my own server-application that is
running at the same host at another port. I want to do it by using
AllowCONNECT. I want to connect to that server-application using port 80,
because often companies allow outbound connections only to port 80 (and
443). But this port is already used by the apache server. I prefer to
connect to the same host, because I use a Java-Applet to connect to the
server-application. Under normal circumstances a Java-Applet may only
connect to the originating host (where the applet is downloaded from).

With the ProxyBlock directive it is possible to block all or some specified
sites, but I want to use a kind of ProxyAllow so it is only allowed to
connect to my server-application by using the 'CONNECT'-request.

I took a look into the apache (module) sources and I think it is not too
hard to add the ProxyAllow directive. But I want to ask you if you support
the solution and think whether it is useful to add the ProxyAllow-directive?
Maybe I can use a different solution to reach my goal?

Thank you,
Stefan Kroon

Graham Leggett
2003-10-03 17:30:57 UTC
Post by Stefan Kroon
> I took a look into the apache (module) sources and I think it is not too
> hard to add the ProxyAllow directive. But I want to ask you if you
> support the solution and think whether it is useful to add the
> ProxyAllow-directive? Maybe I can use a different solution to reach my
> goal?

There are three types of protocols that can be supported by proxy: ftp,
http and connect. One strategy that might work for you is to use
ProxyBlock to deny access to ftp and http, while not denying access to
connect.

Regards,
Graham
--
Stefan Kroon
2003-10-04 18:22:35 UTC
On Friday, 3 Oct 2003, at 19:30 (Europe/Amsterdam), Graham Leggett wrote:
> Post by Stefan Kroon
>> I took a look into the apache (module) sources and I think it is not
>> too hard to add the ProxyAllow directive. But I want to ask you if
>> you support the solution and think whether it is useful to add the
>> ProxyAllow-directive? Maybe I can use a different solution to reach
>> my goal?
> ftp, http and connect. One strategy that might work for you is to use
> ProxyBlock to deny access to ftp and http, while not denying access to
> connect.
> Regards,
> Graham
> --

Hi Graham,
Indeed I meant to use the 'connect'. This connect allows you to connect
to any host on the Internet. By default it is only allowed to connect
to port 80 or 443 to any not-blocked host. But when you use the
AllowCONNECT directive, it is allowed to connect to any other port at
any other host. You will understand that that will cause a security
leak, because people can misuse this for ip-spoofing. So I want to
narrow the number of hosts and ports that can be accessed using the
'CONNECT'-request. I want the downloaded Java-Applet be able to connect
to my own server-application by using port 80.

Regards,
Stefan
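
The behaviour asked for in this thread (CONNECT permitted only to listed host:port pairs, everything else refused) written out as an added example. It is not code from mod_proxy or from either poster, and the host name, port and function names are assumptions made for illustration.

```python
# Added example: default-deny allow-list for CONNECT targets (not mod_proxy code).
import re

# Constructed policy: the only (host, port) pairs a CONNECT may reach.
ALLOWED_TARGETS = {("app.example.org", 8443)}

_REQUEST_LINE = re.compile(r"^CONNECT (\S+) HTTP/1\.[01]$")


def parse_authority(authority):
    """Split the authority-form target 'host:port' into (host, port).

    Returns None when the target is malformed, so callers fail closed.
    """
    if authority.startswith("["):            # bracketed IPv6 literal
        host, sep, rest = authority[1:].partition("]")
        if not sep or not rest.startswith(":"):
            return None
        port = rest[1:]
    else:
        host, sep, port = authority.rpartition(":")
        if not sep or ":" in host:           # no port, or unbracketed IPv6
            return None
    if not host or not port.isascii() or not port.isdigit():
        return None
    port_num = int(port)
    if not 1 <= port_num <= 65535:
        return None
    # Normalise case and a trailing root dot so "APP.example.org." matches too.
    return host.lower().rstrip("."), port_num


def connect_allowed(request_line, allowed=ALLOWED_TARGETS):
    """True only if the line is a well-formed CONNECT to a listed target."""
    m = _REQUEST_LINE.match(request_line.strip())
    if not m:
        return False
    target = parse_authority(m.group(1))
    return target is not None and target in allowed
```

Matching on the exact pair, not on host and port separately, keeps a listed host from being reached on an unlisted port.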
