httpd-dev mailing list archives

From "Ralf S. Engelschall" <...@en.muc.de>
Subject Re: proxy server
Date Tue, 20 Aug 1996 18:36:15 GMT
On 20 Aug 1996 19:12:33 +0200 in en.lists.apache-new-httpd you wrote:

> You may have better luck doing this in your firewall or an upstream router.
> You can limit access *to* the proxy, but you'd have to hack a bit to
> restrict outgoing access.

> > I have a strange question, can the proxy server be made not to allow 
> > outside the domain connections?  
> > 
> > I need to give about 20 salespeople access to my server, but I don't want
> > them to go out into the world with netscape.  I was thinking of playing 
> > around with the proxy server to see if there is a way to disallow access to
> > anything but a list of sites (only one in this case). 
> > 
> > I was wondering if this is even possible, or already working somewhere else.

Hmmmm... I'm totally obfuscated about URL and URI hacking because of
mod_rewrite, so I probably have a "non-sourcecode-hack" for you:

1. Use mod_rewrite and put it _AFTER_ mod_proxy
   in your Configuration script. E.g. really put it at the end of this file.
   This is needed, to give it the chance to do anything before mod_proxy.

2. Place the following directives before all other Alias, ScriptAlias
   or RewriteRule directives (assuming that your domain is "domain.com" and
   the sales people operate from Subnet 1.2.3.0):

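     RewriteEngine  On
     # Apply the rule only to clients on the sales subnet 1.2.3.0
     RewriteCond    %{REMOTE_ADDR}  ^1\.2\.3\.[0-9]+$
     # Forbid [F] any proxy request whose URL is not under domain.com
     RewriteRule    !^http://[^/.]+\.domain\.com/.*  -  [F]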

   This should block all proxy access to URIs outside your domain for people
   on subnet 1.2.3.0!

As Knuth said: I only proved it to be correct, not tried it - so, just test
it and if it works, fine. If not, hmmm... then we have encountered the first
URI situation where mod_rewrite couldn't help ;-)

Greetings,
                                        rse@engelschall.com
                                        http://www.engelschall.com/~rse
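
The decision logic of the two directives in the message above, modelled in Python as an added example (not part of the original message and not mod_rewrite code): it runs constructed request URLs through the allowlist pattern, once with the dot in `domain.com` left unescaped and once escaped. It assumes the proxy request is matched as a full `http://` URL and that Python's `re` behaves like the server's regex engine for these simple patterns; `decide`, `audit` and the sample requests are hypothetical names and data.

```python
import re

# Values assumed in the message: sales subnet 1.2.3.0, domain "domain.com".
SALES_ADDR = re.compile(r"^1\.2\.3\.[0-9]+$")            # RewriteCond pattern
LOOSE = re.compile(r"^http://[^/.]+\.domain.com/.*")     # dot before "com" unescaped
STRICT = re.compile(r"^http://[^/.]+\.domain\.com/.*")   # dot escaped


def decide(remote_addr, url, allow):
    """Model the RewriteCond/RewriteRule pair.

    Returns 403 when the client is on the sales subnet and the URL does NOT
    match the allowlist (the leading '!' negates the pattern, [F] forbids).
    Returns None when the rule does not fire and the request passes through.
    """
    if SALES_ADDR.search(remote_addr) and not allow.search(url):
        return 403
    return None


# Constructed sample proxy requests: (client address, absolute request URL).
SAMPLES = [
    ("1.2.3.17", "http://www.domain.com/prices.html"),  # intended allow
    ("1.2.3.17", "http://www.example.org/"),            # intended block
    ("1.2.3.17", "http://www.domainxcom/"),             # differs only at the dot
    ("1.2.3.17", "http://domain.com/"),                 # bare domain, no host label
    ("1.2.3.17", "http://a.b.domain.com/"),             # two labels before the domain
    ("1.2.3.17", "HTTP://WWW.DOMAIN.COM/"),             # upper case, no [NC] flag
    ("9.9.9.9", "http://www.example.org/"),             # client outside the subnet
]


def audit(samples=SAMPLES):
    """Return (addr, url, loose_result, strict_result) for every sample."""
    return [(a, u, decide(a, u, LOOSE), decide(a, u, STRICT)) for a, u in samples]


if __name__ == "__main__":
    for addr, url, loose, strict in audit():
        print(f"{addr:<9} {url:<36} loose={loose} strict={strict}")
```

Both variants also refuse the bare domain, multi-label hosts and upper-case URLs, and neither touches clients outside the subnet, so a deployment of this kind of rule needs test cases for those inputs as well as for the intended allow and block.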
