>>>>> "Mike" == Mike Benham <moxie@thoughtcrime.org> writes: Mike> People use the CONNECT method from inside a LAN to make SSL/HTTPS Mike> connections through a proxy. I think it makes sense for proxies to Mike> support the method by default, since browsing secure pages is very Mike> common, but it shouldn't be accessable from outside the LAN. Out of the box, Apache-based mod_proxy servers permit CONNECT to port 443 and 563 *only*, but can add additional ports or deny even those ports. In my limited experience, almost *all* other firewall proxy servers I've encountered seem to permit any-host/any-port from inside, either through a bad default configuration, or perhaps bungling by the admins. Kudos to Apache for getting it right again. -- Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095 <merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/> Perl/Unix/security consulting, Technical writing, Comedy, etc. etc. See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
