On Sun, 11 Sep 2005, Henrik Nordstrom wrote:

> On Sat, 10 Sep 2005, Merton Campbell Crockett wrote:
>
> > One element in common with this site and the one in the Bugzilla report
> > mentioned by Henrik Nordstrom is that they both use the Apache Advanced
> > Extranet Server 2.0.48.
>
> Only 2 of 3 so far..
>
> > I would suspect that mod_rewrite is being used instead of mod_proxy to
> > provide access to internal content. Squid is appending a slash and is
> > causing the security check to match the regex ^.*/$. The following will
> > work, as well. :)
>
> Interesting theory, but does not explain the inverse max-age dependency...

No, it does not. Is there an inverse max-age dependency?

The behaviour of the VATLogic and Mufreesboro web sites occurs regardless of max-age. Both sites return a 403 (Forbidden) status when the URL references DocumentRoot. The VATLogic site will return a 403 (Forbidden) status for any URL that explicitly references a directory, i.e. the URL is terminated by a "/". Neither the directory nor the path to the directory need exist.

Both sites are using the Apache-AdvancedExtranetServer. The name suggests that this is a variant of the Apache HTTP Server configured to sit on the organisation's security perimeter and provide access to internal web content. It, also, suggests that Apache's mod_rewrite module is being used to implement standard security policies and access control.

There may be an inverse max-age dependency but in these two instances I suspect that it is a "red-herring". There is a simpler answer. Access is being denied because the request appears to be attempting to retrieve a directory listing.
Merton Campbell Crockett
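
Added example (not part of the original message, and not either site's actual configuration): a Python model of the hypothesis above, comparing a blanket `^.*/$` deny with a server that only disables directory listings, and checking a set of observations for a max-age dependency. The function names, the sample document tree and the observations are assumptions constructed for illustration.

```python
import re

# Hypothesised perimeter check from the message: deny any URL path ending in "/".
DIRECTORY_URL = re.compile(r"^.*/$")

# Constructed observations (path, Cache-Control sent, status); not captured traffic.
OBSERVATIONS = [
    ("/", "max-age=0", 403),
    ("/", "max-age=259200", 403),
    ("/no/such/dir/", "max-age=0", 403),
    ("/index.html", "max-age=259200", 200),
]

def rewrite_rule_status(path, files):
    """Status if the regex check runs before the filesystem is consulted."""
    if DIRECTORY_URL.match(path):
        return 403
    return 200 if path in files else 404

def no_autoindex_status(path, files, dirs):
    """Comparison model: only directory listings are disabled."""
    if not path.endswith("/"):
        return 200 if path in files else 404
    if path not in dirs:
        return 404  # a nonexistent directory is not found, not forbidden
    return 200 if path + "index.html" in files else 403

def consistent_with_rewrite_rule(observations):
    """True if every observation fits '403 exactly when the path ends in /'."""
    return all((status == 403) == bool(DIRECTORY_URL.match(path))
               for path, _cache_control, status in observations)

def status_varies_for_same_path(observations):
    """True if any path got different statuses across the Cache-Control values tried."""
    seen = {}
    for path, _cache_control, status in observations:
        seen.setdefault(path, set()).add(status)
    return any(len(statuses) > 1 for statuses in seen.values())

if __name__ == "__main__":
    files, dirs = {"/index.html"}, {"/"}  # constructed document tree
    for path in ("/", "/no/such/dir/", "/index.html"):
        print(path, rewrite_rule_status(path, files),
              no_autoindex_status(path, files, dirs))
    print("fits rewrite hypothesis:", consistent_with_rewrite_rule(OBSERVATIONS))
    print("max-age dependency seen:", status_varies_for_same_path(OBSERVATIONS))
```

The distinguishing case is the nonexistent directory: a 403 there, rather than a 404, indicates the denial happens on the URL string alone.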