>Number:         671
>Category:       mod_proxy
>Synopsis:       server access restrictions apply to proxy requests
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Jun 4 05:30:01 1997
>Originator:     [EMAIL PROTECTED]
>Organization:   apache
>Release:        1.2b10
>Environment:
HP-UX atropos B.10.20 A 9000/803 2006896634 two-user license
>Description:
Directory-based access restrictions also apply to proxy requests, preventing users from accessing remote unrestricted documents.
>How-To-Repeat:
On the myhost web server, put access restrictions:

    <Directory */security>
    order deny,allow
    deny from all
    allow from mycompany.com
    </Directory>

Configure myhost as your web proxy, then access http://externalhost/projects/security/. Even if externalhost does not restrict access, myhost will refuse to serve the requested document.
>Fix:
By inserting

    if (r->proxyreq) return OK;

at the beginning of int check_dir_access (request_rec *r) in mod_access, you will fix this behaviour, BUT it also disables <Directory proxy:> directives used to restrict access to the proxy itself.
>Audit-Trail:
>Unformatted:
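
The trade-off described under >Fix:, as an added example (a simplified model, not Apache source and not the submitter's code). It assumes a proxied request is matched under the name proxy:URL, that a section pattern is tried against the name and each parent path, and that every section allows only mycompany.com hosts; PROXY_SECTIONS_ONLY is a hypothetical third policy, and all function and constant names are invented for the illustration.

```c
#include <fnmatch.h>
#include <stddef.h>
#include <string.h>

/* Simplified model, not Apache source. Every section is assumed to carry
 * "order deny,allow / deny from all / allow from mycompany.com". */
enum policy {
    AS_REPORTED,          /* sections are matched against proxy requests too */
    SKIP_ALL_FOR_PROXY,   /* the report's fix: if (r->proxyreq) return OK;   */
    PROXY_SECTIONS_ONLY   /* hypothetical: proxy requests see only proxy:... */
};

/* Constructed sample config: the report's section, then a proxy restriction. */
static const char *const REPORT_ONLY[] = { "*/security" };
static const char *const WITH_PROXY[] = { "*/security", "proxy:*" };

/* Match the pattern against the name and each parent "directory" of it. */
static int section_matches(const char *pattern, const char *name)
{
    char buf[256];
    size_t n = strlen(name);
    char *slash;

    if (n >= sizeof buf)
        return 0;
    memcpy(buf, name, n + 1);
    while (fnmatch(pattern, buf, 0) != 0) {
        slash = strrchr(buf, '/');
        if (slash == NULL)
            return 0;
        *slash = '\0';
    }
    return 1;
}

/* Returns 1 when the request is served, 0 when it is refused. */
int check_access(const char *const *patterns, size_t count, const char *name,
                 int proxyreq, int from_company, enum policy p)
{
    size_t i;

    if (proxyreq && p == SKIP_ALL_FOR_PROXY)
        return 1;
    for (i = 0; i < count; i++) {
        int proxy_section = strncmp(patterns[i], "proxy:", 6) == 0;
        if (proxyreq && p == PROXY_SECTIONS_ONLY && !proxy_section)
            continue;
        if (section_matches(patterns[i], name))
            return from_company;  /* restricted: company hosts only */
    }
    return 1;  /* no section applies */
}
```

Under SKIP_ALL_FOR_PROXY an outside client can use the proxy even when a proxy:* section is configured, which is the side effect the report warns about; the third policy keeps that restriction while leaving the remote /security document reachable.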
