Posted to users@httpd.apache.org by Mario François Jauvin <ma...@mfjassociates.homeip.net> on 2005/08/16 01:46:47 UTC

[users@httpd] RE: Mod_proxy https question

Joost,

Your comment provided me with a solution. What I was doing was as follows. I would deny all access, then I would allow specific sites using config directives like:

<Proxy http://*.microsoft.com>

This would have the effect of only allowing HTTP protocol with sites in the *.microsoft.com domain. Instead of denying all access using the following:

<Proxy *>
  Order deny,allow
  Deny from all
</Proxy>

I now disallow access for HTTP protocol with the following:

<Proxy http://*>
  Order deny,allow
  Deny from all
</Proxy>

This still leaves access to allowing proxy for HTTPS protocol and I can continue limiting specifically what is allowed for the HTTP protocol as before.

Thank you.

-----Original Message-----
From: Joost de Heer [mailto:sanguis@xs4all.nl] 
Sent: August 15, 2005 8:09
To: Mario François Jauvin
Subject: RE: Mod_proxy https question

I've been thinking a bit more:

>>  <Proxy https://*.passport.com/*>
>>   Order deny,allow
>>   Deny from all
>>   Allow from 10.0.0
>> </Proxy>
>
>> This does not allow clients from subnet 10.0.0 to obtain pages from any
>> SSL URL at passport.com.

Because the connection arrives in an encrypted state for the proxy, so
Apache never sees the destination URL.

Joost
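
Added example, not part of the original thread and not Apache's own code: a simplified Python model of the behaviour discussed above, showing which of the thread's <Proxy> patterns can match a plain HTTP proxy request versus an HTTPS one that arrives as a CONNECT tunnel. Assumptions: fnmatch stands in for the wildcard matching of <Proxy>, the request lines are constructed samples, and visible_target and matching_sections are hypothetical helper names.

```python
from fnmatch import fnmatchcase

# Constructed sample request lines, as a forward proxy would receive them.
SAMPLE_REQUESTS = [
    "GET http://www.microsoft.com/index.html HTTP/1.1",  # plain HTTP via proxy
    "CONNECT login.passport.com:443 HTTP/1.1",           # HTTPS via proxy
]

# The three <Proxy> patterns that appear in the thread.
PAGE_PATTERNS = ["*", "http://*", "https://*.passport.com/*"]


def visible_target(request_line):
    """Return (method, target): everything the proxy can match on.

    For plain HTTP the target is the absolute URL. For HTTPS the client
    sends CONNECT host:port and the real URL travels inside the encrypted
    tunnel, so no scheme or path is available to the proxy.
    """
    method, target, _version = request_line.split()
    return method, target


def matching_sections(request_line, patterns):
    """List the patterns whose wildcard matches the visible target.

    Assumption: fnmatch-style wildcards approximate <Proxy> matching.
    """
    _method, target = visible_target(request_line)
    return [p for p in patterns if fnmatchcase(target.lower(), p.lower())]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        method, target = visible_target(line)
        hits = matching_sections(line, PAGE_PATTERNS)
        print(f"{method:8} {target:40} matched by: {hits}")
```

In this model a deny placed under `http://*` never applies to the CONNECT request, and the `https://*.passport.com/*` section matches nothing, because only host:port is visible for tunnelled traffic.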
