httpd-dev mailing list archives

From "Jeroen Massar" <jer...@unfix.org>
Subject RE: Fw: Spam postings via Apache to postfix on the same host
Date Sat, 05 Jul 2003 20:57:45 GMT
André Malo [mailto:nd@perlig.de] wrote:

> * Joshua Slive wrote:
> 
> [spam via proxy]
> > One possible thing we could do is simply remove the sample proxy config
> > from our default httpd.conf.  These samples make it too easy for people to
> > activate a proxy without securing it properly.
> 
> +1! Since proxying is not the primary purpose of the httpd I won't miss it
> in the default config (commented or not).

Possibly a 'go look in the docs' type question. But for instance:

From the docs:
8<-----------------
NoProxy Directive
This directive is only useful for Apache proxy servers within intranets. The
NoProxy directive specifies a list of subnets, IP addresses, hosts and/or
domains, separated by spaces. A request to a host which matches one or more
of these is always served directly, without forwarding to the configured
ProxyRemote proxy server(s).
----------------->8

In that the sentence:
"A request to a host which matches one or more of these is always served
directly"

NoProxy 2001:db8::/32
www.example.com AAAA 2001:db8::1

Is a bit dubious, at least for me. It could mean two things:
 - GET http://www.example.com/ HTTP/1.1
   Would be served 'directly' (from cache, from how?)
 - A client from 2001:db8::/32 sending "GET http://www.example.com/ HTTP/1.1"
   will be served 'directly'.

It could be my English understanding of course, but if somebody
would like to enlighten me ;)

Then there is also:

<Proxy *>
Order Deny,Allow
Deny from all
Allow from 192.168.0
</Proxy> 

But that is for _clients_.

We could have something similar with destinations.
Which could also be useful for spam-ad blocking etc:

<Proxy *>
Order Allow,Deny
Allow to all
Deny to example.com
Deny to 2001:db8::/32
Deny to ::1
Deny to 127.0.0.1
Deny to port 25
</Proxy>

Having that would be perfect of course.

Next in the document is the AllowCONNECT Directive.
Maybe at least an AllowProxyPort would be helpful, somewhat
like the above?

Greets,
 Jeroen
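
An added example, not part of the original message and not Apache code: a sketch of how the destination rules proposed above ("Allow to all" followed by the "Deny to" lines) could be evaluated before a proxy opens an outbound connection. The "Deny to" syntax is the message's hypothetical proposal; the function names and the `resolved` parameter are assumptions made for this illustration.

```python
import ipaddress

# Rules mirror the hypothetical "Deny to" block proposed in the message
# (not real Apache syntax); evaluated as Order Allow,Deny with "Allow to all".
DENY_RULES = ["example.com", "2001:db8::/32", "::1", "127.0.0.1", "port 25"]

def _matches(rule, host, port, addrs):
    """Return True if one deny rule matches the requested destination."""
    if rule.startswith("port "):
        return port == int(rule.split()[1])
    try:
        net = ipaddress.ip_network(rule, strict=False)
    except ValueError:
        # Not an address or CIDR: treat as a domain, match on a label boundary
        # so "notexample.com" is not caught by the "example.com" rule.
        h = host.lower().rstrip(".")
        return h == rule or h.endswith("." + rule)
    return any(a.version == net.version and a in net for a in addrs)

def destination_allowed(host, port, resolved=(), rules=DENY_RULES):
    """Decide whether the proxy may connect to host:port.

    resolved: addresses the proxy would actually connect to for `host`
    (assumed to come from the caller's resolver, so the check runs offline).
    Checking them stops a permitted name from pointing at a denied address.
    """
    addrs = [ipaddress.ip_address(a) for a in resolved]
    try:
        addrs.append(ipaddress.ip_address(host.strip("[]")))
    except ValueError:
        pass  # host is a name, not an IP literal
    # Compare IPv4-mapped IPv6 (::ffff:127.0.0.1) as the IPv4 address it maps to.
    addrs = [getattr(a, "ipv4_mapped", None) or a for a in addrs]
    return not any(_matches(r, host, port, addrs) for r in rules)

if __name__ == "__main__":
    # Constructed sample destinations (host, port, resolved addresses).
    samples = [("127.0.0.1", 25, ()), ("www.example.org", 80, ("2001:db8::1",)),
               ("www.example.org", 443, ("192.0.2.10",))]
    for host, port, res in samples:
        verdict = "allow" if destination_allowed(host, port, res) else "deny"
        print(f"{host}:{port} -> {verdict}")
```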

