Posted to apache-bugdb@apache.org by Nathan Haley <nh...@ie-e.com> on 1997/08/28 20:20:31 UTC

mod_proxy/1070: Proxy Host access limited by Allow/Deny

>Number:         1070
>Category:       mod_proxy
>Synopsis:       Proxy Host access limited by Allow/Deny
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Thu Aug 28 11:20:02 1997
>Originator:     nhaley@ie-e.com
>Organization:
apache
>Release:        1.2
>Environment:
n/a
>Description:
The current proxy server limits hosts based on ProxyBlock listed hosts.
It also requires the server to be restarted (minimum SIGHUP) to take effect.
Also, this method only allows the proxy to deny sites.

It would be quite nice if there were to be blended in a standard allow/deny
method for proxy access. 

Of course, this is only a suggestion to be considered... 
The level of change to the code required to implement this is rather high, and 
I don't have anything other than a basic method rigged up here at the moment.
>How-To-Repeat:

>Fix:
Our management wanted to limit all sites, unless specifically approved.
Basically using an Allow/Deny format for limiting proxy use. What we developed
is a rudimentary method for doing this. Our validation method is to compare a
requested site against the denied sites in ProxyBlock directives, then to
compare the requested site against a list of valid sites (flat text file); if
not found, then the request is denied.

The natural outcome is that it is time-intensive to maintain. We have automated 
the process somewhat using CGI scripts, and the requesting of unlisted sites
is performed automatically if the site is not found. About the only way to
really make this a feasible addition is to make a database lookup in a table
with denied and approved sites.

If my minor modifications to the code would be of interest, let me know.
(Mods affect proxy_connect.c, proxy_ftp.c, proxy_http.c%2
>Audit-Trail:
>Unformatted:
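
The two-step check described in the Fix section (deny list first, then an approved list, with anything unlisted denied), as an added example that is not the submitter's code or Apache's own. The list contents, the function names, and the matching on domain label boundaries are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample data standing in for ProxyBlock entries and the flat file. */
static const char *const blocked[]  = { "ads.example.net", NULL };
static const char *const approved[] = { "example.org", "docs.example.net", NULL };

/* Copy host into out, lower-cased, without ":port" or a trailing dot. */
static int normalize_host(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; in[n] != '\0' && in[n] != ':'; n++) {
        if (n + 1 >= outlen)
            return -1;              /* too long: caller denies */
        out[n] = (char)tolower((unsigned char)in[n]);
    }
    if (n > 0 && out[n - 1] == '.')
        n--;
    out[n] = '\0';
    return n > 0 ? 0 : -1;
}

/* True if host equals entry or is a subdomain of it (label-boundary match). */
static int host_matches(const char *host, const char *entry)
{
    size_t hl = strlen(host), el = strlen(entry);
    if (el == 0 || hl < el || strcmp(host + hl - el, entry) != 0)
        return 0;
    return hl == el || host[hl - el - 1] == '.';
}
static int in_list(const char *host, const char *const *list)
{
    for (; *list != NULL; list++)
        if (host_matches(host, *list))
            return 1;
    return 0;
}

/* Returns 1 to allow the proxy request, 0 to deny it. */
int proxy_host_allowed(const char *requested)
{
    char host[256];
    if (normalize_host(requested, host, sizeof host) != 0)
        return 0;                   /* empty or oversized host */
    if (in_list(host, blocked))
        return 0;                   /* deny list is checked first */
    return in_list(host, approved); /* not listed means denied */
}
```

Normalizing before comparison keeps a request for `EXAMPLE.ORG:8080` or `example.org.` from slipping past either list, and the label-boundary test keeps `notexample.org` from matching an `example.org` entry.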