httpd-dev mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: Spam Using SMTP "Over" HTTP-Proxy
Date Thu, 04 Sep 2003 16:24:00 GMT

On Tue, 2 Sep 2003, Chris Knight wrote:

> Joshua Slive wrote:
>
> >I think we've done pretty-much all we can.  I wouldn't mind putting a
> >little note on the httpd.apache.org homepage saying "Have you secured your
> >proxy?" and point to the correct docs.
> >
> >
> What about sending a warning message to stderr/error_log upon startup if
> the proxy is not access controlled?

I don't think that is feasible.  There are MANY ways to do access control
in apache.

Sending a message along the lines of "Your server is configured to proxy
requests to arbitrary servers." whenever ProxyRequests is On would be a
possibility.

> ...HTTPS proxying is even worse and could be used to mount a variety of
> TCP attacks.

The AllowConnect directive restricts that.

Joshua.
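
An added example, not part of the original message or of httpd itself: a small Python check that emits the warning proposed above whenever ProxyRequests is On and reports which ports AllowCONNECT permits. The function name, the sample configuration and the flat parse that ignores scoping are assumptions made for illustration.

```python
import re

# Warning wording proposed in the message above.
OPEN_PROXY_WARNING = ("Your server is configured to proxy requests "
                      "to arbitrary servers.")
# httpd's documented default when AllowCONNECT is absent: https and snews.
DEFAULT_CONNECT_PORTS = ["443", "563"]
_DIRECTIVE = re.compile(r"^\s*(ProxyRequests|AllowCONNECT)\s+(.+?)\s*$", re.I)

def audit_forward_proxy(config_text):
    """Scan httpd config text; return (warnings, connect_ports).

    Assumption: flat and conservative. Any 'ProxyRequests On' in any scope is
    flagged, Include files are not followed, access control is not evaluated.
    """
    text = config_text.replace("\\\n", " ")   # join continued lines
    proxy_on = False
    connect_ports = list(DEFAULT_CONNECT_PORTS)
    for line in text.splitlines():
        if line.lstrip().startswith("#"):     # httpd comments are whole lines
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "proxyrequests" and value.lower() == "on":
            proxy_on = True
        elif name == "allowconnect":
            connect_ports = value.split()     # last AllowCONNECT seen wins here
    warnings = []
    if proxy_on:
        warnings.append(OPEN_PROXY_WARNING)
        warnings.append("CONNECT tunnelling permitted to ports: "
                        + ", ".join(connect_ports))
    return warnings, connect_ports

# Constructed sample configuration, not taken from any real server.
SAMPLE = """\
# forward proxy for the office LAN
ProxyRequests On
AllowCONNECT 443
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from 192.168.0
</Proxy>
"""
```

The constructed sample is access controlled and still triggers the warning, because the check keys only on ProxyRequests and does not try to recognise access control.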
