| On 6/28/05, Jason Crawford <jasonrcrawford@gmail.com> wrote: > The biggest feature in mod_proxy that is missing (IMO) is the ability > to specify a list of addresses to explicitly allow, and deny > everything else. As far as security goes, that is much more secure > (especially if HTTP CONNECT is enabled) than having a list of sites to > block and allowing the rest (do I really need to say this?). So, here > is a patch that lets you do that. Basically, you would do something > like: > > ProxyBlock !google.com !*.org !*.edu * Correction, looking at the mod_proxy code, and some testing, showed me that *.org and *.edu doesn't really work (as far as I know, even without my mods). It must be !.org, getting rid of the * fixes it. Previously, that allowed all websites, circumventing the last *. I have been thinking about fixing this in mod_proxy's code as well, but that'll come later, if it is something that is wanted in OpenBSD's apache. > > This says, explicitly allow anything having to do with google, all > .org and .edu domains, but block everything else. This follows the > same rules that ProxyBlock did have, but putting a ! in front means > allow, not block, so this shouldn't break ProxyBlock's current working > state in any way. Here is the patch. Any feedback is greatly > appreciated. >
> Index: src/modules/proxy/mod_proxy.c
> ================================================== =================
> RCS file: /cvs/src/usr.sbin/httpd/src/modules/proxy/mod_proxy.c,v
> retrieving revision 1.14
> diff -u -r1.14 mod_proxy.c
> --- src/modules/proxy/mod_proxy.c 9 Feb 2005 12:13:10 -0000 1.14
> +++ src/modules/proxy/mod_proxy.c 29 Jun 2005 01:27:19 -0000
> @@ -634,6 +634,7 @@
> struct hostent hp;
> int found = 0;
> int i;
> + char *pname; /* added for dealing with entries that have a ! prefix */
>
> /* Don't duplicate entries */
> for (i = 0; i < conf->noproxies->nelts; i++) {
> @@ -643,9 +644,12 @@
>
> if (!found) {
> new = ap_push_array(conf->noproxies);
> - new->name = arg;
> + pname = new->name = arg;
> + /* we don't want to include the ! in the name lookup */
> + if (*pname == '!')
> + pname++;
> /* Don't do name lookups on things that aren't dotted */
> - if (strchr(arg, '.') != NULL && ap_proxy_host2addr(new->name,
> &hp) == NULL)
> + if (strchr(arg, '.') != NULL && ap_proxy_host2addr(pname, &hp) == NULL)
> /*
> * @@@FIXME: This copies only the first of (possibly many) IP
> * addrs
> Index: src/modules/proxy/proxy_connect.c
> ================================================== =================
> RCS file: /cvs/src/usr.sbin/httpd/src/modules/proxy/proxy_connect.c,v
> retrieving revision 1.10
> diff -u -r1.10 proxy_connect.c
> --- src/modules/proxy/proxy_connect.c 9 Feb 2005 12:13:10 -0000 1.10
> +++ src/modules/proxy/proxy_connect.c 29 Jun 2005 01:27:19 -0000
> @@ -117,6 +117,7 @@
> char buffer[HUGE_STRING_LEN];
> int nbytes, i, j;
> fd_set fds;
> + char *pname; /* added for dealing with entries that have a ! prefix */
>
> void *sconf = r->server->module_config;
> proxy_server_conf *conf =
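Review bot: `if (*pname == '!') pname++;` accepts a bare `!` argument and leaves `pname` at the terminator, and the stored name `"!"` later reaches the consumers' `strstr(host, pname)` with an empty needle, which matches every destination; a one-character typo in ProxyBlock would therefore turn the directive into allow-everything. Reject it at parse time, for example `if (*pname == '\0') return "ProxyBlock: '!' must be followed by a host name or address";`, assuming this handler follows the usual return-an-error-string convention (its signature is outside the hunk). The `strchr(arg, '.')` test still inspects the unstripped `arg`; that is harmless because `!` is not `.`, but testing `pname` would keep the two calls consistent. The enclosing function starts and ends outside the hunk.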
> @@ -140,11 +141,19 @@
> /* check if ProxyBlock directive on this host */
> destaddr.s_addr = ap_inet_addr(host);
> for (i = 0; i < conf->noproxies->nelts; i++) {
> - if ((npent[i].name != NULL && strstr(host, npent[i].name) != NULL)
> + pname = npent[i].name;
> + /* if ! is in the name, checking doesn't work right, so remove it */
> + if (*pname == '!')
> + pname++;
> + if ((npent[i].name != NULL && strstr(host, pname) != NULL)
> || destaddr.s_addr == npent[i].addr.s_addr
> - || npent[i].name[0] == '*')
> + || npent[i].name[0] == '*') {
> + /* ! means we allow this no matter what, so lets get outa here */
> + if (npent[i].name[0] == '!')
> + break;
> return ap_proxyerror(r, HTTP_FORBIDDEN,
> "Connect to remote machine blocked");
> + }
> }
>
> /* Check if it is an allowed port */
> Index: src/modules/proxy/proxy_ftp.c
> ================================================== =================
> RCS file: /cvs/src/usr.sbin/httpd/src/modules/proxy/proxy_ftp.c,v
> retrieving revision 1.14
> diff -u -r1.14 proxy_ftp.c
> --- src/modules/proxy/proxy_ftp.c 9 Feb 2005 12:13:10 -0000 1.14
> +++ src/modules/proxy/proxy_ftp.c 29 Jun 2005 01:27:19 -0000
> @@ -569,6 +569,7 @@
> NET_SIZE_T clen;
> char xfer_type = 'A'; /* after ftp login, the default is ASCII */
> int get_dirlisting = 0;
> + char *pname; /* added for dealing with entries that have a ! prefix */
>
> void *sconf = r->server->module_config;
> proxy_server_conf *conf =
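Review bot: `pname = npent[i].name; if (*pname == '!')` dereferences the entry's name before the `npent[i].name != NULL` test that follows, so an entry with a NULL name — which the original condition deliberately tolerated — now faults on the first request that reaches this loop; the proxy_ftp.c and proxy_http.c hunks below have the same ordering. Guard it as `if (pname != NULL && *pname == '!')`. Separately, allow entries inherit the deny list's substring test: `strstr(host, pname)` accepts any destination whose name merely contains the allowed string, which is weaker than an allow-by-exception list normally needs, so an anchored comparison (exact host, or a suffix at a label boundary) would be safer here and in the other two copies. The outcome is also order-dependent — an allow entry only takes effect if it precedes the `*` entry — which the ProxyBlock documentation should state. The enclosing function starts and ends outside the hunk.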
> @@ -665,11 +666,19 @@
> /* check if ProxyBlock directive on this host */
> destaddr.s_addr = ap_inet_addr(desthost);
> for (i = 0; i < conf->noproxies->nelts; i++) {
> + pname = npent[i].name;
> + /* if ! is in the name, checking doesn't work right, so remove it */
> + if (*pname == '!')
> + pname++;
> if (destaddr.s_addr == npent[i].addr.s_addr ||
> (npent[i].name != NULL &&
> - (npent[i].name[0] == '*' || strstr(desthost, npent[i].name)
> != NULL)))
> + (npent[i].name[0] == '*' || strstr(desthost, pname) != NULL))) {
> + /* ! means we allow this no matter what, so lets get outa here */
> + if (npent[i].name[0] == '!')
> + break;
> return ap_proxyerror(r, HTTP_FORBIDDEN,
> "Connect to remote machine blocked");
> + }
> }
>
> ap_log_error(APLOG_MARK, APLOG_DEBUG | APLOG_NOERRNO, r->server,
> "FTP: connect to %s:%d", desthost, destport);
> Index: src/modules/proxy/proxy_http.c
> ================================================== =================
> RCS file: /cvs/src/usr.sbin/httpd/src/modules/proxy/proxy_http.c,v
> retrieving revision 1.16
> diff -u -r1.16 proxy_http.c
> --- src/modules/proxy/proxy_http.c 9 Feb 2005 12:13:10 -0000 1.16
> +++ src/modules/proxy/proxy_http.c 29 Jun 2005 01:27:19 -0000
> @@ -171,6 +171,7 @@
> int result, major, minor;
> const char *content_length;
> char *peer;
> + char *pname; /* added for dealing with entries that have a ! prefix */
>
> void *sconf = r->server->module_config;
> proxy_server_conf *conf =
> @@ -221,11 +222,19 @@
> /* check if ProxyBlock directive on this host */
> destaddr.s_addr = ap_inet_addr(desthost);
> for (i = 0; i < conf->noproxies->nelts; i++) {
> + pname = npent[i].name;
> + /* if ! is in the name, checking doesn't work right, so remove it */
> + if (*pname == '!')
> + pname++;
> if (destaddr.s_addr == npent[i].addr.s_addr ||
> (npent[i].name != NULL &&
> - (npent[i].name[0] == '*' || strstr(desthost,
> npent[i].name) != NULL)))
> + (npent[i].name[0] == '*' || strstr(desthost, pname) != NULL))) {
> + /* ! means we allow this no matter what, so lets get outa here */
> + if(npent[i].name[0] == '!')
> + break;
> return ap_proxyerror(r, HTTP_FORBIDDEN,
> "Connect to remote machine blocked");
> + }
> }
>
> if (proxyhost != NULL) { |
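Review bot: `if(npent[i].name[0] == '!')` drops the space after `if` that the identical lines in the proxy_connect.c and proxy_ftp.c hunks keep, and the surrounding code writes `if (`. This is also the third verbatim copy of the strip-`!`, match, break sequence; a single helper that takes the destination host, its resolved address and `conf` and returns allow or block would keep the three protocol handlers from drifting apart (the wrapping of the `strstr` call already differs between them). The enclosing function starts and ends outside the hunk.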