[users@httpd] mod_proxy security issue

Folks, please help if you have an answer. Rgds,

--- ashis4addrguard-httpd@xxxxxxxxx wrote:

> Hi to All!
> 
> I am having trouble with configuring mod_proxy_connect
> so that I can only "AllowCONNECT port_a ... port_z"
> where the ports are on *localhost* only.
> 
> I tried directives from the httpd 2.0 manual, but failed.
> Searching the MARC archives/google seems to have no close
> match, and now I seek your help as I hope some of you
> might have already encountered such a situation.
> 
> The env:
> Server version: Apache/2.0.53
> Server built:   Apr 20 2005 18:46:06
> On NetBSD 1.5
> 
> The conf part:
> 
> ProxyRequests On
> ProxyVia On
> <Proxy *>   //please see below other directives tried and failed
> 	Order deny,allow
> 	Allow from all
> </Proxy>
> Noproxy 192.168.167.106
> AllowCONNECT 23 3082 3083
> 
> The base problem is that I want to allow connections to
> ports on localhost only, and NOT to other remote host
> ports, as that is a security hole in my case.
> 
> Also, even if I wanted otherwise, I do not find a way
> to make (remote-)host-specific AllowCONNECT. Do I have
> a way?
> 
> (I generate my conf at runtime to match my application
> port#, and other remote hosts do not necessarily have
> the same port#.)
> 
> Here is how I test, and note that I am able to make a
> connection to 192.168.167.113 port 23, which I do not
> want to happen when trying the proxy on 192.168.167.106 httpd.
> 
> $ telnet 192.168.167.106 80
> Trying 192.168.167.106...
> Connected to x.int.y.com.
> Escape character is '^]'.
> CONNECT 192.168.167.113:23 HTTP/1.1
> Host: 192.168.167.113:23
> 
> HTTP/1.0 200 Connection Established
> Proxy-agent: Apache/2.0.53 (Unix) mod_ssl/2.0.53
> OpenSSL/0.9.6m DAV/2
> 
> 
> 
> MyBoxXXX(YYY) booted Sat Dec  3 02:37:23 PST 2005, up for 82:20:23
> 
> ------------I tried these directives--------
> ProxyBlock * // connects to none
> Noproxy // connects to none
> ProxyVia off //no change
> <Proxy localhost > //connects to everything
> 
> <Proxy *>   //of course i don't want that, connects to all.
> 
> The following had same outcome.
> 
> <Proxy localhost.localdomain>
> <Proxy localhost.localdomain:80>
> <Proxy http://localhost.localdomain:80>
> 
> <ProxyMatch http://localhost*>
> <ProxyMatch http://localhost.*>
> <ProxyMatch localhost.localdomain.*>
> <ProxyMatch localhost.localdomain:80.*>
> <ProxyMatch http://localhost.localdomain:80.*>
> 
> I expect some directive/regex to solve this problem
> with a preference to use "localhost" in the regex part, if
> I have to, instead of using an IP address. I really
> appreciate a simple solution, including any kind
> response. Regards,
> 
> Ashis
> 
> 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
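An added configuration example for the situation described above (not from the original thread): a default-deny <Proxy *> block closes the open proxy, and a <ProxyMatch> section re-allows only CONNECT targets that name localhost and one of the listed ports. It assumes mod_proxy compares the CONNECT target, as the literal `host:port` string from the request line, against <Proxy>/<ProxyMatch> patterns, which is why the `http://localhost...` patterns tried above never matched a CONNECT request.

```apache
ProxyRequests On
ProxyVia On

# AllowCONNECT only limits which ports CONNECT may use; it does not
# restrict the destination host, so 192.168.167.113:23 was still reachable.
AllowCONNECT 23 3082 3083

# Default: deny every proxied target, including CONNECT host:port targets.
# Without a denying <Proxy *> block, a request that matches no section
# is allowed, which is why "<Proxy localhost>" alone connected to everything.
<Proxy *>
    Order deny,allow
    Deny from all
</Proxy>

# Re-allow only CONNECT targets of the form localhost:PORT for the listed
# ports. The pattern is matched against the literal "host:port" text of
# the CONNECT line, so the client must ask for "localhost"; add
# 127\.0\.0\.1 to the alternation if IP-literal targets are also wanted.
# mod_access does not merge sections, so this block's Allow replaces the
# Deny above for matching targets only.
<ProxyMatch ^localhost:(23|3082|3083)$>
    Order deny,allow
    Allow from all
</ProxyMatch>
```

With this in place, repeating the telnet test above with `CONNECT 192.168.167.113:23` is expected to return 403 Forbidden, while `CONNECT localhost:23` still returns 200.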


