[users@httpd] mod_proxy_connect HTTP CONNECT to localhost ports only -- not working


 



Hi to All!

I am having trouble with configuring mod_proxy_connect
so that I can only "AllowCONNECT port_a ... port_z"
where the ports are on *localhost* only.

I tried directives from the httpd 2.0 manual, but failed.
A search of the MARC archives/Google seems to have no close
match, and now I seek your help as I hope some of you
might have already encountered such a situation.

The env:
Server version: Apache/2.0.53
Server built:   Apr 20 2005 18:46:06
On NetBSD 1.5

The conf part:

ProxyRequests On
ProxyVia On
# please see below other directives tried and failed
<Proxy *>
	Order deny,allow
	Allow from all
</Proxy>
Noproxy 192.168.167.106
AllowCONNECT 23 3082 3083

The base problem is that I want to allow connections to
ports on localhost only, and NOT to ports on other remote
hosts, as that is a security hole in my case.

Also even if I wanted otherwise, I do not find a way
to make (remote-)host-specific AllowCONNECT. Do I have
a way?

(I generate my conf at runtime to match my application
port#, and other remote hosts do not necessarily have
the same port#.)

Here is how I test, and note that I am able to make
connection to 192.168.167.113 port 23, which I do not
want to happen when trying the proxy on
192.168.167.106 httpd.

$ telnet 192.168.167.106 80
Trying 192.168.167.106...
Connected to x.int.y.com.
Escape character is '^]'.
CONNECT 192.168.167.113:23 HTTP/1.1
Host: 192.168.167.113:23

HTTP/1.0 200 Connection Established
Proxy-agent: Apache/2.0.53 (Unix) mod_ssl/2.0.53 OpenSSL/0.9.6m DAV/2



MyBoxXXX(YYY) booted Sat Dec  3 02:37:23 PST 2005, up for 82:20:23

------------I tried these directives--------
ProxyBlock * // connects to none
Noproxy // connects to none
ProxyVia off //no change
<Proxy localhost > //connects to everything

<Proxy *>   //of course I don't want that, connects to all.

The following had same outcome.

<Proxy localhost.localdomain>
<Proxy localhost.localdomain:80>
<Proxy http://localhost.localdomain:80>

<ProxyMatch http://localhost*>
<ProxyMatch http://localhost.*>
<ProxyMatch localhost.localdomain.*>
<ProxyMatch localhost.localdomain:80.*>
<ProxyMatch http://localhost.localdomain:80.*>

I expect some directive/regex to solve this problem,
with a preference to use "localhost" in the regex part, if
I have to, instead of using an IP address. I would really
appreciate a simple solution, or any kind
response. Regards,

Ashis


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
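
Added example, not part of the original post or of Apache httpd: a small check that automates the telnet test above, so that after each configuration change the proxy can be probed and any CONNECT tunnel to a host other than localhost is flagged. The function names and the constructed sample results (including the 403 status) are assumptions; the ports come from the AllowCONNECT line in the post.

```python
import socket

# Policy the poster wants: CONNECT only to the proxy host itself,
# and only on the ports named in the AllowCONNECT line of the post.
ALLOWED_HOSTS = {"localhost", "127.0.0.1"}
ALLOWED_PORTS = {23, 3082, 3083}

def parse_status(raw: bytes) -> int:
    """Return the status code from the first response line, or 0 if malformed."""
    line = raw.split(b"\r\n", 1)[0].split(b"\n", 1)[0]
    parts = line.split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return 0

def probe(sock, target: str) -> int:
    """Send one CONNECT for target ("host:port") on a connected socket."""
    req = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n"
    sock.sendall(req.encode("ascii"))
    buf = b""
    while b"\n" not in buf and len(buf) < 4096:   # only the status line is needed
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return parse_status(buf)

def probe_proxy(proxy_host: str, proxy_port: int, target: str, timeout: float = 5.0) -> int:
    """Open a fresh TCP connection to the proxy and probe one target."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        return probe(s, target)

def should_allow(target: str) -> bool:
    """True only if both the host and the port of the target are permitted."""
    host, _, port = target.rpartition(":")
    return (host.lower() in ALLOWED_HOSTS and port.isdigit()
            and int(port) in ALLOWED_PORTS)

def violations(observed: dict) -> list:
    """Targets the proxy tunnelled (2xx) although the policy says it must refuse."""
    return sorted(t for t, code in observed.items()
                  if 200 <= code < 300 and not should_allow(t))

if __name__ == "__main__":
    # Constructed results; the first entry matches the telnet transcript in the post.
    observed = {"192.168.167.113:23": 200, "localhost:23": 200, "localhost:22": 403}
    print(violations(observed))
```

To run it against a live proxy, fill `observed` with `probe_proxy("192.168.167.106", 80, target)` for each target to be checked.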


