martin 01/09/27 09:49:16
Modified: htdocs/manual/misc rewriteguide.html
Log:
An added paragraph about how to limit proxying to a given list of
allowed target sites only. (Usually, the reverse case is shown:
limit by client, or block access to certain target sites).
Revision Changes Path
1.12 +73 -1 httpd-docs-1.3/htdocs/manual/misc/rewriteguide.html
Index: rewriteguide.html
===================================================================
RCS file: /home/cvs/httpd-docs-1.3/htdocs/manual/misc/rewriteguide.html,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- rewriteguide.html 2001/09/27 16:08:43 1.11
+++ rewriteguide.html 2001/09/27 16:49:16 1.12
@@ -1748,6 +1748,78 @@
</DL>
<P>
+<H2>URL-Restricted Proxy</H2>
+<P>
+
+<DL>
+<DT><STRONG>Description:</STRONG>
+<DD>
+How can we restrict the proxy to allow access to a configurable set of
+internet sites only? The site list is extracted from a prepared bookmarks
file.
+
+<P>
+<DT><STRONG>Solution:</STRONG>
+<DD>
+We first have to make sure mod_rewrite is below(!) mod_proxy in the
+<CODE>Configuration</CODE> file when compiling the Apache webserver
+(or in the <CODE>AddModule</CODE> list of <CODE>httpd.conf</CODE>
+in the case of dynamically loaded modules), as it must get called
+<em>_before_</em> mod_proxy.
+<P>
+For simplicity, we generate the site list as a textfile map (but see the
+<a href="../mod/mod_rewrite.html#RewriteMap">mod_rewrite documentation</a>
+for a conversion script to DBM format). A typical Netscape bookmarks file
+can be converted to a list of sites with a shell script like this:
+<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0"
CELLPADDING="5"><TR><TD><PRE>
+#!/bin/sh
+cat ${1:-~/.netscape/bookmarks.html} |
+tr -d '\015' | tr '[A-Z]' '[a-z]' | grep href=\" |
+sed -e '/href="file:/d;' -e '/href="news:/d;' \
+ -e 's|^.*href="[^:]*://\([^:/"]*\).*$|\1 OK|;' \
+ -e '/href="/s|^.*href="\([^:/"]*\).*$|\1 OK|;' |
+sort -u
+</PRE></TD></TR></TABLE>
+
+<P>We redirect the resulting output into a text file called
+<CODE>goodsites.txt</CODE>. It now looks similar to this:
+<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0"
CELLPADDING="5"><TR><TD><PRE>
+www.apache.org OK
+xml.apache.org OK
+jakarta.apache.org OK
+perl.apache.org OK
+...
+</PRE></TD></TR></TABLE>
+
+<P>We reference this site file within the configuration for the
+<CODE>VirtualHost</CODE> which is responsible for serving as a proxy
+(often not port 80, but 81, 8080 or 8008).
+
+<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0"
CELLPADDING="5"><TR><TD><PRE>
+<VirtualHost *:8008>
+ ...
+ RewriteEngine On
+ # Either use the (plaintext) allow list from goodsites.txt
+ RewriteMap ProxyAllow txt:/usr/local/apache/conf/goodsites.txt
+ # Or, for faster access, convert it to a DBM database:
+ #RewriteMap ProxyAllow dbm:/usr/local/apache/conf/goodsites
+ # Match lowercased hostnames
+ RewriteMap lowercase int:tolower
+ # Here we go:
+ # 1) first lowercase the site name and strip off a :port suffix
+ RewriteCond ${lowercase:%{HTTP_HOST}} ^([^:]*).*$
+ # 2) next look it up in the map file.
+ # "%1" refers to the previous regex.
+ # If the result is "OK", proxy access is granted.
+ RewriteCond ${ProxyAllow:%1|DENY} !^OK$ [NC]
+ # 3) Disallow proxy requests if the site was _not_ tagged "OK":
+ RewriteRule ^proxy: - [F]
+ ...
+</VirtualHost>
+</PRE></TD></TR></TABLE>
+
+</DL>
+
+<P>
<H2>Proxy Deny</H2>
<P>
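Review bot: The first RewriteCond in the VirtualHost example takes the site name from %{HTTP_HOST}, which is the client-supplied Host header, while the RewriteRule pattern ^proxy: shows that the target is carried in the rewritten URL itself. Nothing in the rule set ties the two together, so the allow-list lookup should be made on the host taken from the proxied URL. One option is to capture it in the rule pattern, for example ^proxy:[a-z]+://([^:/]+), and look up ${lowercase:$1} in ProxyAllow in place of the HTTP_HOST condition. Two smaller points in the same hunk: inside the PRE block, <VirtualHost *:8008> and </VirtualHost> are not escaped as &lt;...&gt;, so a browser will parse them as tags and not display them; and the last sed expression in the bookmark script turns any remaining href without "//" (mailto: for instance) into an entry such as "mailto OK" in goodsites.txt, so those schemes should be deleted the same way file: and news: are.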
@@ -1762,7 +1834,7 @@
<DD>
We first have to make sure mod_rewrite is below(!) mod_proxy in the
<CODE>Configuration</CODE> file when compiling the Apache webserver. This
way it
-gets called _before_ mod_proxy. Then we configure the following for a
+gets called <em>_before_</em> mod_proxy. Then we configure the following for
a
host-dependend deny...
<P><TABLE BGCOLOR="#E0E5F5" BORDER="0" CELLSPACING="0"
CELLPADDING="5"><TR><TD><PRE>
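Review bot: The replacement line keeps the literal underscores inside the new <em> element (<em>_before_</em>), so the emphasis is marked twice in the rendered page; drop the underscores now that the markup carries it. Since this sentence is being touched anyway, "host-dependend" in the following context line should read "host-dependent", and the AddModule remark for dynamically loaded modules that the new URL-Restricted Proxy section carries would fit here as well, so that both sections describe the module ordering the same way.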