On 6/15/05, Jeff Trawick <[EMAIL PROTECTED]> wrote:
> On 4/25/05, Eric Covener <[EMAIL PROTECTED]> wrote:
>
> > I've attached a patch that resolves the hostname in the URI and hands
> > that off separately to ap_proxy_checkproxyblock().

> Any comments from the peanut gallery, particularly the proxy portion?

Just revisiting this issue that still appears in 2.1.8...when proxying
by way of another proxy (ProxyRemote), httpd will compare that
ProxyRemote backend address to the list of ProxyBlocks. It should
compare the address in the URI.

<VirtualHost *:8080>
    ProxyRequests on
    ProxyRemote * http://nextproxy:8081
    ProxyBlock blockedhost
</VirtualHost>


When a browser requests something from the server 'blockedhost':

[debug] proxy_util.c(872): proxy: checking remote machine [nextproxy] against [blockedhost]

Would expect to see a check of blockedhost against blockedhost, as in 2.0

--
Eric Covener
[EMAIL PROTECTED]
Index: proxy/proxy_util.c
===================================================================
--- proxy/proxy_util.c	(revision 159730)
+++ proxy/proxy_util.c	(working copy)
@@ -1743,6 +1743,7 @@
 {
     int server_port;
     apr_status_t err = APR_SUCCESS;
+    apr_sockaddr_t *uri_addr = NULL;
     
     /*
      * Break up the URL to determine the host to connect to
@@ -1806,6 +1807,16 @@
             apr_pool_cleanup_kill(conn->connection->pool, conn, connection_cleanup);
             conn->connection = NULL;
         }
+        if (conf->noproxies->nelts > 0)  {
+            err = apr_sockaddr_info_get(&uri_addr, 
+                                        apr_pstrdup(conn->pool, uri->hostname), APR_UNSPEC, 
+                                        uri->port, 0, 
+                                        conn->pool);
+            if (err != APR_SUCCESS)
+                return ap_proxyerror(r, HTTP_BAD_GATEWAY,
+                                     apr_pstrcat(p, "DNS lookup failure for: ",
+                                     uri->hostname, NULL));
+        }
         err = apr_sockaddr_info_get(&(conn->addr),
                                     conn->hostname, APR_UNSPEC,
                                     conn->port, 0,
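Review bot: The added apr_sockaddr_info_get() call for uri->hostname is guarded only by conf->noproxies->nelts > 0, not by proxyname, and a failed lookup returns HTTP_BAD_GATEWAY. Without a ProxyRemote the result is thrown away, because the last hunk overwrites uri_addr with conn->addr when proxyname is unset, so that path pays for a lookup it never uses. With a ProxyRemote, a request now fails if this server cannot resolve a name that the next proxy might have resolved; that is a behaviour change worth stating in the ProxyBlock documentation. Suggest making the condition "proxyname && conf->noproxies->nelts > 0". Minor: the address is allocated from conn->pool but the error string from p; a short comment on why the pools differ would help.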
@@ -1850,7 +1861,10 @@
         }
     }
     /* check if ProxyBlock directive on this host */
-    if (OK != ap_proxy_checkproxyblock(r, conf, conn->addr)) {
+
+    if (!proxyname) uri_addr = conn->addr;
+
+    if (OK != ap_proxy_checkproxyblock(r, conf, uri_addr)) {
         return ap_proxyerror(r, HTTP_FORBIDDEN,
                              "Connect to remote machine blocked");
     }
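Review bot: uri_addr can still be NULL when it reaches ap_proxy_checkproxyblock(): it is initialised to NULL, assigned only inside the "if (conf->noproxies->nelts > 0)" block of the previous hunk (itself nested in an outer block whose condition is not shown), and left untouched here when proxyname is set. Either confirm the callee never dereferences the address in those cases or skip the check explicitly when uri_addr is NULL. Style: "if (!proxyname) uri_addr = conn->addr;" should be braced and split across lines like the surrounding code, and the blank line added after the "check if ProxyBlock directive" comment separates it from the check it describes.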
