Securing some URLs at my Reverse Proxy

I've got a reverse proxy setup using httpd 2.2.8 (on Windoze) on both
the rev proxy and the internal (origin) server, along with Tomcat on the
origin server with a couple webapps (as .war files) supporting the site.

Most of the application is at or near the root (/) of the origin server
(/index.html, etc.).

One of the Tomcat webapps has some URL paths that must be accessible to
the public, but others that should not.

So at the rev proxy server, I'd like to be able to lock out some URLs.

More specifically, I want to allow all access to / and below, except for
one particular path prefix (/foo) while allowing a handful of specific
paths down the otherwise denied path prefix.

So allow:
/
/a
/a/*
and deny
/foo and /foo/*
while allowing /foo/b/c/*

I've had some success with:
ProxyPass /foo/b/c/ http://origin:88/foo/b/c/
ProxyPassReverse /foo/b/c/ http://origin:88/foo/b/c/
ProxyPass /foo !
ProxyPass / http://origin:88/
ProxyPassReverse / http://origin:88/

But then requests to /foo/* "fall through" and the proxy tries to serve
them from its local documents (which don't generally exist, but still
it's messy and a bit disconcerting that this is allowing folks to poke
around).

Any suggestions on the best way to do this?

David

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org