Posted to users@httpd.apache.org by Adam Ardis <aa...@yahoo.com> on 2003/04/29 21:13:33 UTC

[users@httpd] Proxy issue with v.1.3.27 on Solaris 7

Hello,

Recap of problem:

I'm attempting to close off open proxy of my site to
specific servers only, and I'm having an issue where I
cannot properly deny sites.  I've gone through the
mod_access and mod_proxy docs on apache.org, and also
tried alt.apache.configuration.  I'm hopeful someone
here sees what the problem could be, or could lead me
to more questions.  I'm running apache 1.3.27 compiled
with openssl 0.9.7 on solaris 7.

This is the section in my httpd.conf for my proxy:

<IfModule mod_proxy.c>
ProxyRequests On
<Directory proxy:*>
    Order Deny,Allow
    Deny from all
    Allow from mydomain.com outsidedomain.com 10.128.27.18
</Directory>
</IfModule>

This does allow the site to proxy the domains/ip in
the allow from section, but I'm not getting the deny. 
I've also tried to switch around to Order Allow,Deny
and the 2 lines below, but that did not work either. 
I've also changed my Allow from line to just one
domain to check if my spacing was the problem by
chance, or that I had IP and domain names mixed.  

What I'm looking for is a lead on what I could
potentially be doing wrong.  Maybe I didn't build the
apache version correctly?  mod_proxy and mod_access
are loaded, and the page functions properly on all
other levels.  

As a note, I previously had the server set up with
stronghold 3.0/apache 1.3.12 with the proxy section as
above, and it did block out the proxy requests I
didn't want.  

Any advice would be greatly appreciated, as I'm not
getting anywhere with the trial and error tactics I've
been trying.  I'm obviously doing something wrong.

Thanks in advance for your time,
Adam


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Proxy issue with v.1.3.27 on Solaris 7

Posted by Lee Fellows <lf...@4lane.com>.
On Tue, 2003-04-29 at 16:21, Adam Ardis wrote:
> Sorry, I didn't mention that part of it.  I see the
> proxy requests in my access_log, and I can also
> manually set my browser(Netscape) to proxy through
> www.mydomain.com port 80 and it will successfully pull
> up web pages. 

  Shouldn't you be able to?  (You are in one of the domains/IP addresses
  being allowed, correct?).


>  I can't get an example from the logs
> right now, but the requests were clear, with '200'
> answers instead of what I'd hope for(403).

  Not sure this is correct.  You would need to access the site from
  a disallowed point and attempt to proxy through it.  See what you
  get.  I am not sure of this in all cases, but discussion here before
  has indicated that the server will return the default page for your
  site and a 200 status, but not proxy the request.  But I could easily
  be mistaken on this.  Either way: you need to test from a disallowed
  address to determine whether it is or is not working as expected.

  HTH


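Added example, not part of either poster's message: a small Python triage of access_log lines in the spirit of the reply above, separating proxy-style requests made by allowed clients (which say nothing about the deny rule) from those made from other addresses. The log lines, the `proxy_requests` and `triage` names, and the IP-only allow list are assumptions made for the illustration.

```python
import ipaddress
import re

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

# Constructed sample lines (not taken from the poster's server).
SAMPLE_LOG = [
    '10.128.27.18 - - [29/Apr/2003:15:02:11 -0400] "GET http://www.example.org/ HTTP/1.0" 200 5120',
    '192.0.2.50 - - [29/Apr/2003:15:03:40 -0400] "GET http://www.example.org/ HTTP/1.0" 403 289',
    '192.0.2.51 - - [29/Apr/2003:15:04:02 -0400] "CONNECT www.example.org:443 HTTP/1.0" 200 -',
    '192.0.2.52 - - [29/Apr/2003:15:05:00 -0400] "GET /index.html HTTP/1.0" 200 1043',
]

def proxy_requests(lines):
    """Yield (client, method, target, status) for forward-proxy style requests."""
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not Common Log Format; skipped rather than guessed at
        client, method, target, status, _size = m.groups()
        # A proxy request carries an absolute URI, or uses CONNECT.
        if method == "CONNECT" or re.match(r"(?i)^[a-z][a-z0-9+.-]*://", target):
            yield client, method, target, int(status)

def triage(lines, allowed_nets):
    """Label each proxy-style request by who sent it and how it was answered."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for client, _method, target, status in proxy_requests(lines):
        try:
            inside = any(ipaddress.ip_address(client) in n for n in nets)
        except ValueError:
            inside = False  # logged as a host name: treat as unverified
        if inside:
            verdict = "expected"     # allowed client; proves nothing about Deny
        elif status == 403:
            verdict = "blocked"      # the deny rule answered this request
        else:
            verdict = "investigate"  # re-test from this vantage point before concluding
        findings.append((client, target, status, verdict))
    return findings

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, ["10.128.27.18"]):
        print(row)
```
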


Re: [users@httpd] Proxy issue with v.1.3.27 on Solaris 7

Posted by Adam Ardis <aa...@yahoo.com>.
Sorry, very embarrassing now, I have closed off the
proxy.  I was going by our security guys' word that the
proxy was still open, without checking myself. 
That'll teach me!

Thanks, and sorry,
Adam 

--- Adam Ardis <aa...@yahoo.com> wrote:
> Sorry, I didn't mention that part of it.  I see the
> proxy requests in my access_log, and I can also
> manually set my browser(Netscape) to proxy through
> www.mydomain.com port 80 and it will successfully pull
> up web pages.  I can't get an example from the logs
> right now, but the requests were clear, with '200'
> answers instead of what I'd hope for(403).
>
> >   The documentation says that Order Allow,Deny would give you a default
> >   of denying access.  Order Deny,Allow defaults to allowing access.
> >
> >   But beyond that, why do you 'think' you have an open proxy?


Re: [users@httpd] Proxy issue with v.1.3.27 on Solaris 7

Posted by Adam Ardis <aa...@yahoo.com>.
Sorry, I didn't mention that part of it.  I see the
proxy requests in my access_log, and I can also
manually set my browser(Netscape) to proxy through
www.mydomain.com port 80 and it will successfully pull
up web pages.  I can't get an example from the logs
right now, but the requests were clear, with '200'
answers instead of what I'd hope for(403).


>   The documentation says that Order Allow,Deny would give you a default
>   of denying access.  Order Deny,Allow defaults to allowing access.
>
>   But beyond that, why do you 'think' you have an open proxy?


Re: [users@httpd] Proxy issue with v.1.3.27 on Solaris 7

Posted by Lee Fellows <lf...@4lane.com>.
On Tue, 2003-04-29 at 15:13, Adam Ardis wrote:

> <IfModule mod_proxy.c>
> ProxyRequests On
> <Directory proxy:*>
>     Order Deny,Allow
>     Deny from all
>     Allow from mydomain.com outsidedomain.com 10.128.27.18
> </Directory>
> </IfModule>
> 

  The documentation says that Order Allow,Deny would give you a default
  of denying access.  Order Deny,Allow defaults to allowing access.

  But beyond that, why do you 'think' you have an open proxy?




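Added example, not from the thread's authors or the Apache project: a Python model of the mod_access Order evaluation discussed above, run against the Allow/Deny lists from the posted configuration. Function names and client addresses are constructed; host-name matching assumes the reverse-resolved name is passed in, and partial-IP forms are not modelled.

```python
import ipaddress

def _matches(spec, client_ip, client_host):
    """True if one 'Allow from' / 'Deny from' argument matches the client."""
    if spec.lower() == "all":
        return True
    try:
        # Full IP address or network/CIDR form.
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        pass
    # (Partial) domain name: match on whole trailing components only.
    host, dom = client_host.lower(), spec.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)

def access_allowed(order, allow, deny, client_ip, client_host=""):
    """Model of how Order combines the Allow and Deny lists."""
    a = any(_matches(s, client_ip, client_host) for s in allow)
    d = any(_matches(s, client_ip, client_host) for s in deny)
    order = order.lower().replace(" ", "")
    if order == "deny,allow":
        return a or not d   # default is allow; an Allow match overrides Deny
    if order == "allow,deny":
        return a and not d  # default is deny; a Deny match overrides Allow
    raise ValueError("unsupported Order: " + order)

# Lists from the posted <Directory proxy:*> block.
ALLOW = ["mydomain.com", "outsidedomain.com", "10.128.27.18"]
DENY = ["all"]

# Constructed clients: (IP address, reverse-resolved host name).
CLIENTS = [
    ("10.128.27.18", ""),
    ("192.0.2.7", "www.mydomain.com"),
    ("192.0.2.50", "host.example.net"),
]

def evaluate(order, allow=ALLOW, deny=DENY):
    """Access decision for each constructed client, in CLIENTS order."""
    return [access_allowed(order, allow, deny, ip, host) for ip, host in CLIENTS]

if __name__ == "__main__":
    print("Deny,Allow + Deny from all:", evaluate("Deny,Allow"))
    print("Allow,Deny + Deny from all:", evaluate("Allow,Deny"))
    print("Deny,Allow, no Deny line  :", evaluate("Deny,Allow", deny=[]))
```

With `Deny from all` present, `Order Deny,Allow` admits only the listed clients, while swapping to `Order Allow,Deny` with the same two lines refuses everyone, listed clients included.
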