Board index Unix Web Servers

Apache with access control vs proxy (Not apache AS proxy)

Apache with access control vs proxy (Not apache AS proxy)

Post by Stefan Huelbroc » Wed, 06 May 1998 04:00:00



Hello,
I have a webserver which should have limited
access from a subnet.
Works fine with an "access from xxx.xxx." directive.
Problem: There are proxies in the subnet.
If someone outside uses a proxy in authorized subnet,
he can access the webserver.

How can I avoid this "feature" if I haven't access
to the setup of the proxy-Server.

Thanks a lot
Stefan

--
----------------------------------------------------
Stefan Huelbrock
Voice (+49/0)7071-2977176, Fax (+49/0)7071-922983
University of Tuebingen, WSI, Computer Architecture
Koestlinstr. 6, D-72074 Tuebingen, Germany

----------------------------------------------------

 
 
 
Top

Apache with access control vs proxy (Not apache AS proxy)

Post by Alan J. Flavel » Wed, 06 May 1998 04:00:00



> I have a webserver which should have limited
> access from a subnet.
> Works fine with an "access from xxx.xxx." directive.
> Problem: There are proxies in the subnet.
> If someone outside uses a proxy in authorized subnet,
> he can access the webserver.

Right, I recognize the problem.

Quote:> How can I avoid this "feature" if I haven't access
> to the setup of the proxy-Server.

Then you'd have no alternative - you'd have to set the web server to
deny access from the proxy server, and make sure that people who want to
access the web server will bypass the proxy (i.e via your
proxy-autoconfig script telling them to access local domains directly,
or by listing the exception domains in their browser configuration)

I don't see any other sure way, given the situation that you describe.
Me, I deny outside access to the proxy, but you say that you can't alter
that.

There's no 100% certain way to recognize a call from a proxy, even if
you wanted to do that (which might be expensive in server resources
anyway).  But, if you _know_ exactly which proxies are involved and what
kind of HTTP headers they send (x-forwarded-for, etc.) then you could
perhaps use Apache's mod_rewrite to slew those callers off to an error
document.

 
 
 
Top

1. Q: Apache 2.x, Proxy Auth / Access Control

Hi,

A question to the developer of the apache:

Are there any plans to include Proxy Authentification (code 407)
into apache 2.0 proxy module?

As far as I read the latest docs, apache only understands the
access control via IP addresses (as apache 1.3 does).

Doing authentification via "require user xxx" seems not to be
supported.

Are there any plans to support this for apache?
Or is it already implemented and I missed something in the docs.

Tnx in advance for any hint on this topic ...

Rainer

2. update a port?

3. Access Control for Apache 1.1.1 Proxy Server?

4. Booting NetBSD/DOS and "Invalid System Disk"

5. controlling access to proxy in apache 1.2.4

6. Windoze under DOSEMU: error loading display.drv

7. Apache vs. CERN httpd in user-based access to proxy - help!

8. Termcap for a Cybernex XL-84

9. Apache: Proxy not logged, other accesses logged?

10. Apache 1.3b6 Proxy: Remote Proxy Authorization

11. Apache proxy to Netscape proxy

12. Apache proxy to another proxy?

13. Apache Proxy: Virtual Proxy Server (??)


All times are UTC
Board index