ProxyAllow as opposite for ProxyBlock

on 03.10.2003 19:13:53 by Stefan Kroon

Hi,

I want to use mod_proxy to connect to my own server-application that is
running at the same host at another port. I want to do it by using
AllowCONNECT. I want to connect to that server-application using port 80,
because often companies allow outbound connections only to port 80 (and
443). But this port is already used by the apache server. I prefer to
connect to the same host, because I use a Java-Applet to connect to the
server-application. Under normal circumstances a Java-Applet may only
connect to the originating host (where the applet is downloaded from).

With the ProxyBlock directive it is possible to block all or some specified
sites, but I want to use a kind of ProxyAllow so it is only allowed to
connect to my server-application by using the 'CONNECT'-request.

I took a look into the apache (module) sources and I think it is not too
hard to add the ProxyAllow directive. But I want to ask you if you support
the solution and think whether it is useful to add the ProxyAllow-directive?
Maybe I can use a different solution to reach my goal?

Thank you,
Stefan Kroon


Re: ProxyAllow as opposite for ProxyBlock

on 03.10.2003 19:30:57 by Graham Leggett

Stefan Kroon wrote:

> I took a look into the apache (module) sources and I think it is not too
> hard to add the ProxyAllow directive. But I want to ask you if you
> support the solution and think whether it is useful to add the
> ProxyAllow-directive? Maybe I can use a different solution to reach my
> goal?

There are three types of protocols that can be supported by proxy: ftp,
http and connect. One strategy that might work for you is to use
ProxyBlock to deny access to ftp and http, while not denying access to
connect.

Regards,
Graham
--

Re: ProxyAllow as opposite for ProxyBlock

on 04.10.2003 20:22:35 by Stefan Kroon

Graham Leggett wrote on Friday, 3 Oct 2003 at 19:30 (Europe/Amsterdam):

> Stefan Kroon wrote:
>
>> I took a look into the apache (module) sources and I think it is not
>> too hard to add the ProxyAllow directive. But I want to ask you if
>> you support the solution and think whether it is useful to add the
>> ProxyAllow-directive? Maybe I can use a different solution to reach
>> my goal?
>
> There are three types of protocols that can be supported by proxy:
> ftp, http and connect. One strategy that might work for you is to use
> ProxyBlock to deny access to ftp and http, while not denying access to
> connect.
>
> Regards,
> Graham
> --
>

Hi Graham,
Indeed I meant to use the 'connect'. This connect allows you to connect
to any host on the Internet. By default it is only allowed to connect
to port 80 or 443 to any not-blocked host. But when you use the
AllowCONNECT directive, it is allowed to connect to any other port at
any other host. You will understand that that will cause a security
leak, because people can misuse this for ip-spoofing. So I want to
narrow the number of hosts and ports that can be accessed using the
'CONNECT'-request. I want the downloaded Java-Applet to be able to connect
to my own server-application by using port 80.

Regards,
Stefan
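
The default-deny check that the thread asks for, sketched as an added example (not part of the original messages and not Apache or mod_proxy code): a CONNECT request is accepted only when its exact host and port pair is on an allowlist. The host name `applet.example.org`, port 4000 and all function names are assumptions made for illustration; IPv6 literals are rejected to keep the example narrow.

```python
import re

# Constructed allowlist: the only (host, port) pairs CONNECT may reach.
# "applet.example.org" and port 4000 are assumed names, not from the thread.
ALLOWED_TARGETS = {("applet.example.org", 4000), ("127.0.0.1", 4000)}

# CONNECT uses authority-form: "CONNECT host:port HTTP/1.x"
_REQUEST_LINE = re.compile(r"^CONNECT (\S+) HTTP/1\.[01]$")
_HOSTNAME = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")


def parse_connect_target(request_line):
    """Return (host, port) from a CONNECT request line, or None if malformed."""
    m = _REQUEST_LINE.match(request_line.strip())
    if not m:
        return None
    host, sep, port = m.group(1).rpartition(":")
    if not sep or not port.isascii() or not port.isdigit():
        return None  # the port is mandatory for CONNECT
    if not 0 < int(port) <= 65535:
        return None
    host = host.lower().rstrip(".")  # normalise case and trailing root dot
    if not _HOSTNAME.match(host):
        return None  # rejects userinfo ("a@b"), IPv6 brackets, empty host
    return host, int(port)


def connect_allowed(request_line, allowed=ALLOWED_TARGETS):
    """Default-deny: permit only targets explicitly listed in `allowed`."""
    target = parse_connect_target(request_line)
    return target is not None and target in allowed
```

Matching on the pair rather than on host and port separately means that opening an extra port for one host does not open it for every other host.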