On 18/01/2014 3:27 p.m., id10t wrote:
> I have a web server that is to run some php scripts behind a reverse proxy
> squid server but I did not want people executing random .php files from the
> many that are on the server. I found in some instructions on the net that
> adding this will prohibit placing various php files on the URL string and
> executing.
>
> acl outsiders urlpath_regex -i \.php$
> http_access deny outsiders
>
> It does, very nicely, except the scripts seem to not be running from the
> internet side of the proxy.
> If I go to the php server and load up the web site at localhost, the
> scripts are running.
> i.e. The form responds to button pushes and processing occurs as expected.
>
> The php server should just be passing html pages generated by its scripts
> to the proxy for output, right?
>
> If I comment out the http_access deny outsiders as before I can run, for
> example, phpinfo.php from the internet but operate the web site as expected.
>
> Obviously I don't understand something

You don't seem to be understanding the difference between a script and a resource. Maybe these points will help:

* scripts are inside the web server and only ever executed ("run") by that server. The proxy has nothing to do with "execution".
* scripts are used to produce a resource.
* the URL stands for Universal *Resource* Locator. No mention of "script" and likewise the proxy has nothing to do with the script side of things.
* the URL may tell the web server which of many scripts will produce the needed resource. But that is the URL, not the proxy.
* the Squid http_access controls whether the client is permitted or denied access to request the URL from the server. It is completely irrelevant to Squid how the web server produces the response for that request, or whether the URL even points at a resource that exists.

Your regex pattern and "deny" action says that any resource whose URL ends in the letters ".php" is prohibited through the proxy.

Note that there is no inside/outside indication of where the request came from, and that there is also no allowance made for URL with ?query-string section. Thusly anyone who can either reach the server without using the proxy, or alter the URLs such that they do not end in ".php" letters, is able to cause the server to execute the scripts and produce the resources made by those scripts.

To prevent scripts being accessed and/or run you are best off using access controls on the web server itself.

Amos
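As an added illustration (not from the thread), the following Python script mimics how the thread's urlpath_regex pattern is tested against URL-paths, assuming, as the reply states, that the ?query-string is part of the matched string; the tighter pattern is an assumption for comparison, not something proposed in the thread.

```python
import re

# Squid's urlpath_regex is tested against the URL-path which, as the reply
# notes, includes any ?query-string. The pattern from the thread therefore
# fires only when that whole string ends in the letters ".php".
THREAD_PATTERN = re.compile(r"\.php$", re.IGNORECASE)   # acl ... -i \.php$

# Tighter pattern (assumption, not from the thread): ".php" at the end of
# the path OR immediately before the '?' that starts a query-string.
TIGHTER_PATTERN = re.compile(r"\.php(?=\?|$)", re.IGNORECASE)


def squid_would_deny(urlpath, pattern=THREAD_PATTERN):
    """True if 'http_access deny outsiders' would fire for this URL-path.

    Note there is no src clause in the thread's ACL, so the decision
    depends on the URL-path alone, never on where the request came from.
    """
    return pattern.search(urlpath) is not None


def bypasses(samples, pattern=THREAD_PATTERN):
    """URL-paths that name a .php script yet are NOT denied by the pattern."""
    return [p for p in samples
            if ".php" in p.lower() and not squid_would_deny(p, pattern)]


# Constructed sample URL-paths, as a reverse proxy would see them.
SAMPLES = [
    "/index.html",
    "/phpinfo.php",
    "/PHPINFO.PHP",          # -i makes the match case-insensitive
    "/phpinfo.php?x=1",      # query-string: no longer ends in ".php"
    "/form.php?submit=Go",   # a form submission looks like this too
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{path:22} thread-deny={squid_would_deny(path)!s:5} "
              f"tighter-deny={squid_would_deny(path, TIGHTER_PATTERN)}")
    print("not caught by thread pattern:", bypasses(SAMPLES))
```

Whichever pattern is used, the proxy still only sees requests that pass through it, which is why the reply points to access controls on the web server itself.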