On Tue, 2011-04-19 at 12:23 +0200, [email protected] wrote:
> Hi,
>
> I have developed a new feature for refusing access to a customer service based
> on IP filtering.
>
> Although the access policy can be implemented directly in the backend, my
> company required avoiding the proxy connection to the backend. The production
> proxy hosts multiple services, so a customer should be able to connect to
> those without access being denied.
>
> This patch adds a new directive whose syntax is:
>
> Deny <IPs separated by a blank space> (see example below)
>
> Configuration example:
>
> ListenHTTP
>     Address 192.168.86.10
>     Port 80
>
>     Service
>         HostRequire "www.example1.com.*"
>         BackEnd
>             Address 192.168.86.30
>             Port 80
>         End
>     End
>
>     Service
>         HostRequire "www.example2.com.*"
>         Deny "192.168.86.11 192.168.86.12 192.168.86.13"
>         BackEnd
>             Address 192.168.86.30
>             Port 81
>         End
>     End
> End
>
>
> IPClient(192.168.86.12) ------ www.example1.com --------> Proxy ------> Backend (192.168.86.30:80)
> IPClient(192.168.86.12) <----- HTTP 200 OK -------- Proxy <----- Backend (192.168.86.30:80)
>
> IPClient(192.168.86.12) ------ www.example2.com ------> Proxy
> IPClient(192.168.86.12) <----- HTTP 403 Forbidden ------- Proxy
>
> Attached is the patch; I hope for your comments. Thank you very much.
>
> Greetings
>
Thanks for the patch. Unfortunately we can't very well accept it.

The way I see it, this sort of filtering is better done at the firewall level: it's more efficient, and Pound stays simple. I would suggest you consider running your sub-domain on a separate port (perhaps with a redirect from port 80), and filtering the undesirable addresses within the firewall.

In passing I would mention that source addresses are less than absolutely reliable, so basing your security on that is questionable.

--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-32-512 30 19
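As an added illustration (not code from the thread, the patch or Pound itself), the following Python models the decision the quoted patch describes: it parses the two Service blocks from the configuration above (the ListenHTTP wrapper is omitted) and routes a request to the BackEnd or answers 403, matching the ASCII diagram. The only input it trusts is the TCP peer address, which is the value Robert's reply calls less than absolutely reliable.

```python
import ipaddress
import re

# Constructed from the config in the quoted message; "Deny" is the proposed directive.
CONFIG = """
Service
    HostRequire "www.example1.com.*"
    BackEnd
        Address 192.168.86.30
        Port 80
    End
End
Service
    HostRequire "www.example2.com.*"
    Deny "192.168.86.11 192.168.86.12 192.168.86.13"
    BackEnd
        Address 192.168.86.30
        Port 81
    End
End
"""

def parse_services(text):
    """Parse Service blocks into dicts: host regex, set of denied IPs, BackEnd directives."""
    services, stack = [], []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        key, _, value = line.partition(" ")
        if key in ("Service", "BackEnd"):
            stack.append(key)
            if key == "Service":
                services.append({"host": None, "deny": set(), "backend": {}})
        elif key == "End":
            stack.pop()
        elif "Service" in stack:
            svc = services[-1]
            if key == "HostRequire":
                svc["host"] = re.compile(value.strip('"'))
            elif key == "Deny":
                svc["deny"] = {ipaddress.ip_address(a) for a in value.strip('"').split()}
            elif stack[-1] == "BackEnd":
                svc["backend"][key] = value
    return services

def route(services, client_ip, host):
    """403 if the TCP peer is in the matching Service's Deny list, else (200, backend)."""
    peer = ipaddress.ip_address(client_ip)  # peer address only; no client header is read
    for svc in services:
        if svc["host"] and svc["host"].match(host):
            be = svc["backend"]
            return (403, None) if peer in svc["deny"] else (200, (be["Address"], int(be["Port"])))
    return None, None  # no Service matched the Host header
```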
