>Number: 271
>Category: mod_proxy
>Synopsis: Access control for proxy does not work.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Thu Mar 27 08:40:01 1997
>Originator: [EMAIL PROTECTED]
>Organization:
apache
>Release: 1.2b8-dev
>Environment:
SVR4-intel
>Description:
I'm using apache with the mod_proxy module and the following access control(s):
<IfModule mod_proxy.c>
<Directory proxy:*>
order deny,allow
deny from all
allow from 127.0.0.1 139.25.113.10 192.168.123.1
#allow from 139.25.112.104
</Directory>
</IfModule>
Then I try to access http://www.geocities.com/ from the host 139.25.112.104
and get (correctly):
[Thu Mar 27 17:06:54 1997] access to proxy:http://www.geocities.com/ failed for
pgtd0119, reason: Client denied by server configuration
pgtd0119 unknown - [27/Mar/1997:17:16:42 +0100] "GET http://www.geocities.com/
HTTP/1.0" 403 1089
But when I send a second request http://www.geocities.com/foo.bar
then the server passes the request to www.geocities.com, i.e.,
it performs the proxy service that should be disallowed:
pgtd0119 unknown - [27/Mar/1997:17:16:53 +0100] "GET
http://www.geocities.com/foo.bar HTTP/1.0" 404 1064
BTW: It would be nice if proxy (or any) access could be limited on host+path
level, not just host level.
>How-To-Repeat:
See above.
>Fix:
>Audit-Trail:
>Unformatted:
Kraemer <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
X-send-pr-version: 3.2
