httpd-dev mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: Apache 1.3.27 mod_proxy 'docs' issue
Date Thu, 24 Jul 2003 14:04:06 GMT

On Wed, 23 Jul 2003, William A. Rowe, Jr. wrote:

> At 04:20 PM 7/23/2003, Joshua Slive wrote:
> >Another thought on this issue:
> >
> >Should we include
> >ProxyBlock :25
> >in our recommended configuration?
> >
> >I haven't tested this, but it seems like it should be effective at
> >stopping the http->smtp gateway.  And really, this type of gateway is a
> >bad idea, even on properly secured proxies.
>
> If you look at how restrictive the default AllowConnect directive is, then
> it isn't unreasonable to consider the reporter's original suggestion for some
> AllowProxy directive as well.  Your suggestion would eliminate port 25,
> if it behaves as we expect, but that doesn't solve the problem for other ports.

I thought about this, and the idea of an Allow(Forward)Proxy directive
isn't bad, but I don't think I would want it in the default config.  We
would be encouraging a policy where a proxy administrator would say "http
is only allowed on ports 80 and 8080".  And I think most of us agree that
is silly and doesn't do much to help security.

Joshua.
