Proxy Remote behind MS Proxy 2.0


Post by Jim Brodkor » Fri, 13 Apr 2001 02:54:28



We are new to apache and are trying to figure out how to allow users access
to only one or a small group of web sites.

We are running apache on a system behind an MS Proxy 2.0 firewall.
When we use ProxyRemote and allow access to all sites, our process works.
(Ex. ProxyRemote * http://servername:80)

When we allow access to the specific site only we get the "Page cannot be
displayed" error.
(Ex.  ProxyRemote https://securesite.com/go/ord.cgi  http://servername:80)

Does anyone have any ideas what we are doing wrong???

Thanks for the help....

 
 
 


Post by Jay » Fri, 13 Apr 2001 00:34:59


Just a theory, but could the site you're trying to get to be framed, and
referencing a different server name than what you have allowed through
with your Proxy ? Secure sites do that quite often.

What happens when you put, say www.yahoo.com in there...do you get
site not found or does it let you through?

Jay


> We are new to apache and are trying to figure out how to allow users access
> to only one or a small group of web sites.

> We are running apache on a system behind an MS Proxy 2.0 firewall.
> When we use proxyremote and allow access to all sites our process works.
> (Ex..  ProxyRemote * http://servername:80)

> When we allow access to the specific site only we get the "Page cannot be
> displayed" error.
> (Ex.  ProxyRemote https://securesite.com/go/ord.cgi  http://servername:80)

> Does anyone have any ideas what we are doing wrong???

> Thanks for the help....


 
 
 


Post by adam » Fri, 13 Apr 2001 01:29:13



> When we allow access to the specific site only we get the "Page cannot be
> displayed" error.
> (Ex.  ProxyRemote https://securesite.com/go/ord.cgi  http://servername:80)

With https the proxy server doesn't see the actual request.  Proxies use
something called a "CONNECT" method, because you can't proxy an SSL
connection and successfully negotiate the key exchange.  With the
CONNECT method the proxy just opens a pass thru TCP connection to the
remote IP:port w/out knowing what URL was actually requested.  Apache's
proxy support is fairly basic, you might have more control w/ the M$
product to accomplish something close to what you want.

--
-adam                 | "Be liberal in what you accept, and
Systems Administrator |  conservative in what you send"
Indiana University    |      -Jon Postel
Bloomington, Indiana  |

 
 
 


Post by Jim Brodkor » Fri, 13 Apr 2001 07:18:09


Jay,  We tried the www.yahoo.com and it works.  Yahoo shows up, but no links
on the page work. (dir.yahoo.com).
Our apache config is set to:
(ProxyRemote http://www.yahoo.com  http://servername)

Also what do you mean when you say the site we are trying to get to could be
framed??  We're not sure what you mean by framed..


> Just a theory, but could the site you're trying to get to be framed, and
> referencing a different server name than what you have allowed through
> with your Proxy ? Secure sites do that quite often.

> What happens when you put, say www.yahoo.com in there...do you get
> site not found or does it let you through?

> Jay



> > We are new to apache and are trying to figure out how to allow users access
> > to only one or a small group of web sites.

> > We are running apache on a system behind an MS Proxy 2.0 firewall.
> > When we use proxyremote and allow access to all sites our process works.
> > (Ex..  ProxyRemote * http://servername:80)

> > When we allow access to the specific site only we get the "Page cannot be
> > displayed" error.
> > (Ex.  ProxyRemote https://securesite.com/go/ord.cgi  http://servername:80)

> > Does anyone have any ideas what we are doing wrong???

> > Thanks for the help....

 
 
 


Post by Jay » Fri, 13 Apr 2001 05:32:38


Great!...and not so great!

Great that you could get to www.yahoo.com, and not the "unlisted" server in
MS Proxy.  Proxy is doing its job.  What I meant by "framed" was, let's say
you allow http://servername in MS Proxy.  If that index.html was written
using HTML frames, you could potentially reference links in those frames to
say an HTTPS server, or any other server that is not the http://servername
you allowed in.  If that were the case, the links wouldn't work, and your
SSL wouldn't work...however, it would process your index.html, since you
told MS Proxy it was ok to allow anything in from http://servername ...  I
know, I probably just confused you more.

The point is, if you're selectively allowing users to a few select
sites...keep in mind, all links on those sites must be pointing to some
destination/file on http://servername , or the user will not be able to
click through it. (Hence why you were able to get to www.yahoo.com, and not
the links, which reside on a different server name.)

I don't know what your goal is, but I hope that has helped a little.

1 last note, most sites have pesky ads on their site.  Sometimes if the ad
can't be displayed (because the ad is on another server that you didn't
specifically allow in), you'll get a page not found...even on that main site
you told MS Proxy was OK to let through...but that depends entirely on
design of the site, so you have no control over that.....other than to see
where the ad is pointing and allow that server through.. NOT a good idea ;-)

If this is entirely for intranet stuff, it should be pretty easy since
you'll only have a few servers to allow in.  http://servername
https://servername etc.

Jay


> Jay,  We tried the www.yahoo.com and it works.  Yahoo shows up, but no links
> on the page work. (dir.yahoo.com).
> Our apache config is set to:
> (ProxyRemote http://www.yahoo.com  http://servername)

> Also what do you mean when you say the site we are trying to get to could be
> framed??  We're not sure what you mean by framed..


> > Just a theory, but could the site you're trying to get to be framed, and
> > referencing a different server name than what you have allowed through
> > with your Proxy ? Secure sites do that quite often.

> > What happens when you put, say www.yahoo.com in there...do you get
> > site not found or does it let you through?

> > Jay



> > > We are new to apache and are trying to figure out how to allow users access
> > > to only one or a small group of web sites.

> > > We are running apache on a system behind an MS Proxy 2.0 firewall.
> > > When we use proxyremote and allow access to all sites our process works.
> > > (Ex..  ProxyRemote * http://servername:80)

> > > When we allow access to the specific site only we get the "Page cannot be
> > > displayed" error.
> > > (Ex.  ProxyRemote https://securesite.com/go/ord.cgi  http://servername:80)

> > > Does anyone have any ideas what we are doing wrong???

> > > Thanks for the help....
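
Added example, not part of any post in this thread and not Apache's or MS Proxy's own matching logic: a small Python model of what a forward proxy can read from the first line of each request, covering both the CONNECT point (a path rule cannot be checked for https) and the hostname point (links on dir.yahoo.com fail when only www.yahoo.com is allowed). The rule table, function names and sample request lines are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow rules: (scheme, host, path prefix).
ALLOW = [
    ("http", "www.yahoo.com", "/"),
    ("https", "securesite.com", "/go/ord.cgi"),
]

# Constructed request lines, as a browser would send them to a forward proxy.
SAMPLES = [
    "GET http://www.yahoo.com/ HTTP/1.0",
    "GET http://dir.yahoo.com/Computers/ HTTP/1.0",
    "CONNECT securesite.com:443 HTTP/1.0",
    "CONNECT ads.example.net:443 HTTP/1.0",
]

def visible_fields(request_line):
    """Return what the proxy can read from the first line of a request."""
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        # Tunnel request: only host:port is sent; the URL travels inside SSL.
        host, _, port = target.rpartition(":")
        return {"method": "CONNECT", "host": host.lower(),
                "port": int(port), "path": None}
    url = urlsplit(target)  # plain HTTP through a proxy uses an absolute URI
    return {"method": method.upper(), "host": (url.hostname or "").lower(),
            "port": url.port or 80, "path": url.path or "/"}

def decide(request_line):
    """Return (allowed, reason) for one request line checked against ALLOW."""
    seen = visible_fields(request_line)
    for scheme, host, prefix in ALLOW:
        if seen["host"] != host:
            continue
        if seen["method"] == "CONNECT":
            if scheme != "https" or seen["port"] != 443:
                continue
            # The path is invisible here, so the rule degrades to host-level.
            return True, "host-level match only; path rule %r not enforceable" % prefix
        if scheme == "http" and seen["path"].startswith(prefix):
            return True, "URL prefix match"
    return False, "no rule for host %s" % seen["host"]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", decide(line))
```
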