Received: by taz.hyperreal.com (8.8.4/V2.0) id IAA24228;
Thu, 27 Mar 1997 08:40:06 -0800 (PST)
Received: by taz.hyperreal.com (8.8.4/V2.0) id IAA24143;
Thu, 27 Mar 1997 08:40:02 -0800 (PST)
Date: Thu, 27 Mar 1997 08:40:02 -0800 (PST)
Message-Id: <199703271640.IAA24143@taz.hyperreal.com>
From: Martin@hyperreal.com
Reply-To: Martin@hyperreal.com
To: apache-bugdb@apache.org
Cc: apache-bugdb@apache.org
Subject: mod_proxy/271: Access control for proxy does not work.
In-Reply-To: Your message of Thu, 27 Mar 1997 08:37:26 -0800 (PST)
<199703271637.IAA23293@taz.hyperreal.com>
Sender: apache-bugdb-owner@apache.org
Precedence: bulk
>Number: 271
>Category: mod_proxy
>Synopsis: Access control for proxy does not work.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Thu Mar 27 08:40:01 1997
>Originator: Martin.Kraemer@Mch.SNI.De
>Organization:
apache
>Release: 1.2b8-dev
>Environment:
SVR4-intel
>Description:
I'm using apache with the mod_proxy module and the following access control(s):

    order deny,allow
    deny from all
    allow from 127.0.0.1 139.25.113.10 192.168.123.1
    #allow from 139.25.112.104

Then I try to access http://www.geocities.com/ from the host 139.25.112.104
and get (correctly):

    [Thu Mar 27 17:06:54 1997] access to proxy:http://www.geocities.com/ failed for pgtd0119, reason: Client denied by server configuration
    pgtd0119 unknown - [27/Mar/1997:17:16:42 +0100] "GET http://www.geocities.com/ HTTP/1.0" 403 1089

But when I send a second request http://www.geocities.com/foo.bar
then the server passes the request to www.geocities.com, i.e.,
it performs the proxy service that should be disallowed:

    pgtd0119 unknown - [27/Mar/1997:17:16:53 +0100] "GET http://www.geocities.com/foo.bar HTTP/1.0" 404 1064

BTW: It would be nice if proxy (or any) access could be limited on host+path
level, not just host level.
>How-To-Repeat:
See above.
>Fix:
>Audit-Trail:
>Unformatted:
Kraemer
Reply-To: Martin.Kraemer@Mch.SNI.De
X-send-pr-version: 3.2
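
Added example, not part of the original report or of Apache's own code: a log check for the symptom described above, where a client is refused (403) for one proxied URL but served for another URL on the same upstream host. The function names are hypothetical; the sample input is the two access-log lines quoted in the report.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Common Log Format as in the report: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')

# The two access-log lines quoted in the report.
SAMPLE_LOG = [
    'pgtd0119 unknown - [27/Mar/1997:17:16:42 +0100] "GET http://www.geocities.com/ HTTP/1.0" 403 1089',
    'pgtd0119 unknown - [27/Mar/1997:17:16:53 +0100] "GET http://www.geocities.com/foo.bar HTTP/1.0" 404 1064',
]

def proxy_requests(lines):
    """Yield (client, upstream_host, url, status) for forward-proxy requests.

    A forward-proxy request carries an absolute URI in its request line;
    origin-form requests such as "GET /index.html" are skipped.
    """
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # not a CLF access-log line (e.g. an error-log entry)
        client, _method, target, status = m.groups()
        parts = urlsplit(target)
        if parts.scheme and parts.hostname:
            yield client, parts.hostname.lower(), target, int(status)

def inconsistent_denials(lines):
    """Return (client, url, status) for requests that were proxied although
    the same client got a 403 for the same upstream host elsewhere in the log."""
    seen = defaultdict(list)
    for client, host, url, status in proxy_requests(lines):
        seen[(client, host)].append((url, status))
    findings = []
    for (client, _host), reqs in seen.items():
        if any(status == 403 for _, status in reqs):
            findings += [(client, url, status) for url, status in reqs if status != 403]
    return findings

if __name__ == "__main__":
    for client, url, status in inconsistent_denials(SAMPLE_LOG):
        print(f"{client}: {url} proxied (status {status}) despite a 403 for the same host")
```

An upstream server can itself answer 403, so each finding should be confirmed against the error log's "Client denied by server configuration" entries before it is treated as an access-control failure.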