
bugzilla at apache
Mar 22, 2002, 12:49 PM
[Bug 7372] New: - Add ProxyCONNECTAllow directive
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7372>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7372 Add ProxyCONNECTAllow directive Summary: Add ProxyCONNECTAllow directive Product: Apache httpd-1.3 Version: 1.3.23 Platform: All URL: http://bugs.apache.org/index.cgi/full/10246 OS/Version: All Status: NEW Severity: Enhancement Priority: Other Component: Modules AssignedTo: bugs [at] httpd ReportedBy: david.coffin [at] srs We want to maintain a list of allowable CONNECT sites via ProxyConnAllow directives - providing the opposite of the functionality provided by ProxyBlock, only for the CONNECT (SSL, etc) protocol. If not set (default) or set to *, all CONNECT sessions are allowed. We are filtering <EMBED> and other html tags after the proxy via other firewall software to protect against html/browser-based viruses, etc. However, filtering is not possible with SSL encrypted sessions via CONNECT through the proxy, in which case we cannot read/filter the content. Rather than turning SSL CONNECT sessions off (via AllowCONNECT directive), we would like to maintain a list of allowable sites, rather than a list of known bad sites (via ProxyBlock directive.) For that, we have devised the ProxyConnAllow directive with a few minor code additions, described below. 
3 diff files (diff from 1.3.22) are cut/pasted in suggested fix block, below *** mod_proxy-old.h Fri Oct 5 04:19:15 2001 --- mod_proxy.h Mon Mar 18 14:09:30 2002 *************** *** 170,175 **** --- 170,180 ---- struct in_addr addr; }; + struct connallowproxy_entry { + char *name; + struct in_addr addr; + }; + struct nocache_entry { char *name; struct in_addr addr; *************** *** 209,214 **** --- 214,220 ---- array_header *aliases; array_header *raliases; array_header *noproxies; + array_header *conallowproxies; array_header *dirconn; array_header *nocaches; array_header *allowed_connect_ports; *** mod_proxy-old.c Mon Sep 24 16:14:28 2001 --- mod_proxy.c Mon Mar 18 14:11:24 2002 *************** *** 413,418 **** --- 413,419 ---- ps->aliases = ap_make_array(p, 10, sizeof(struct proxy_alias)); ps->raliases = ap_make_array(p, 10, sizeof(struct proxy_alias)); ps->noproxies = ap_make_array(p, 10, sizeof(struct noproxy_entry)); + ps->conallowproxies = ap_make_array(p, 10, sizeof(struct connallowproxy_entry)); ps->dirconn = ap_make_array(p, 10, sizeof(struct dirconn_entry)); ps->nocaches = ap_make_array(p, 10, sizeof(struct nocache_entry)); ps->allowed_connect_ports = ap_make_array(p, 10, sizeof(int)); *************** *** 458,463 **** --- 459,465 ---- ps->aliases = ap_append_arrays(p, base->aliases, overrides->aliases); ps->raliases = ap_append_arrays(p, base->raliases, overrides->raliases); ps->noproxies = ap_append_arrays(p, base->noproxies, overrides- >noproxies); + ps->conallowproxies = ap_append_arrays(p, base->conallowproxies, overrides->conallowproxies); ps->dirconn = ap_append_arrays(p, base->dirconn, overrides->dirconn); ps->nocaches = ap_append_arrays(p, base->nocaches, overrides->nocaches); ps->allowed_connect_ports = ap_append_arrays(p, base- >allowed_connect_ports, overrides->allowed_connect_ports); *************** *** 583,588 **** --- 585,621 ---- return NULL; } + static const char * + set_proxy_conn_allow(cmd_parms *parms, void *dummy, char *arg) + { + 
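Review bot: struct connallowproxy_entry in the mod_proxy.h hunk at 170 is field-for-field identical to the existing struct noproxy_entry (a name plus a struct in_addr), so the new conallowproxies array could be declared as an array of struct noproxy_entry and share whatever already operates on that type instead of introducing a parallel definition. If a distinct type is kept, the spelling should at least be consistent: the struct is connallowproxy_entry with two n's while the array member added in the 209 hunk is conallowproxies with one, which makes the feature harder to grep for. A short comment on the new member, `/* ProxyConnAllow entries; empty list means CONNECT to any host is allowed */`, would document the empty-means-allow-all default that the proxy_connect.c change relies on.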
server_rec *s = parms->server; + proxy_server_conf *conf = + ap_get_module_config(s->module_config, &proxy_module); + struct connallowproxy_entry *new; + struct connallowproxy_entry *list = (struct connallowproxy_entry *) conf- >conallowproxies->elts; + struct hostent hp; + int found = 0; + int i; + + /* Don't duplicate entries */ + for (i = 0; i < conf->conallowproxies->nelts; i++) { + if (strcasecmp(arg, list[i].name) == 0) /* ignore case for host names */ + found = 1; + } + + if (!found) { + new = ap_push_array(conf->conallowproxies); + new->name = arg; + /* Don't do name lookups on things that aren't dotted */ + if (strchr(arg, '.') != NULL && ap_proxy_host2addr(new->name, &hp) == NULL) + /*@@@FIXME: This copies only the first of (possibly many) IP addrs */ + memcpy(&new->addr, hp.h_addr, sizeof(struct in_addr)); + else + new->addr.s_addr = 0; + } + return NULL; + } + /* * Set the ports CONNECT can use */ *************** *** 901,906 **** --- 934,941 ---- "a virtual path and a URL for reverse proxy behaviour"}, {"ProxyBlock", set_proxy_exclude, NULL, RSRC_CONF, ITERATE, "A list of names, hosts or domains to which the proxy will not connect"}, + {"ProxyConnAllow", set_proxy_conn_allow, NULL, RSRC_CONF, ITERATE, + "A list of names, hosts or domains to which the proxy will allow CONNECT"}, {"ProxyReceiveBufferSize", set_recv_buffer_size, NULL, RSRC_CONF, TAKE1, "Receive buffer size for outgoing HTTP and FTP connections in bytes"}, {"NoProxy", set_proxy_dirconn, NULL, RSRC_CONF, ITERATE, *** proxy_connect-old.c Fri Oct 5 04:19:16 2001 --- proxy_connect.c Mon Mar 18 14:28:32 2002 *************** *** 122,132 **** --- 122,134 ---- char buffer[HUGE_STRING_LEN]; int nbytes, i, j; fd_set fds; + int pcaTst; void *sconf = r->server->module_config; proxy_server_conf *conf = (proxy_server_conf *) ap_get_module_config(sconf, &proxy_module); struct noproxy_entry *npent = (struct noproxy_entry *) conf->noproxies- >elts; + struct connallowproxy_entry *capent = (struct 
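Review bot: set_proxy_conn_allow in the mod_proxy.c hunk at 583 is a line-for-line copy of set_proxy_exclude with only the target array changed, so the duplicate-entry loop, the dotted-name lookup heuristic and the FIXME about copying only the first address are now maintained in two places; a static helper taking the array_header * and called by both directive handlers would keep them in step. The FIXME matters more in this copy because the list grants access rather than denying it: only the first address of a multi-homed entry is stored, so a CONNECT that names the host by another of its addresses would presumably match by name only, if at all. The directive table in the 901 hunk registers "ProxyConnAllow" while the bug title and summary call it ProxyCONNECTAllow, so one spelling should be settled before the directive is documented.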
connallowproxy_entry *) conf->conallowproxies->elts; memset(&server, '\0', sizeof(server)); server.sin_family = AF_INET; *************** *** 151,156 **** --- 153,185 ---- "Connect to remote machine blocked"); } + /* check if ProxyConnAllow directive on this host */ + destaddr.s_addr = ap_inet_addr(host); + pcaTst = 0; // 0 = fails to match + if (conf->conallowproxies->nelts == 0) { + // default, if no entries, allow all + // disallow all via AllowCONNECT directive + pcaTst = 1; // 1 = matched + } + else { + for (i = 0; i < conf->conallowproxies->nelts; i++) { + /* matches if first char of conf entry is * + or entry is contained in hostname + or address equals address of entry + */ + if( capent[i].name[0] == '*' + || (capent[i].name != NULL && strstr(host, capent[i].name) != NULL) + || destaddr.s_addr == capent[i].addr.s_addr ) + { + pcaTst = 1; // 1 = matched + break; + } + } + } + if( pcaTst == 0 ) + return ap_proxyerror(r, HTTP_FORBIDDEN, + "Connect to remote machine blocked"); + /* Check if it is an allowed port */ if (conf->allowed_connect_ports->nelts == 0) { /* Default setting if not overridden by AllowCONNECT */ --------------------------------------------------------------------- To unsubscribe, e-mail: bugs-unsubscribe [at] httpd For additional commands, e-mail: bugs-help [at] httpd
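Review bot: The allow-list match in the new loop of the proxy_connect.c hunk at 151 is broader than an allow list should be: `strstr(host, capent[i].name) != NULL` accepts any host that merely contains the configured string anywhere, so an entry of example.com also passes example.com.other.test or notexample.com, and `capent[i].name[0] == '*'` treats every entry that begins with * (such as *.example.com) as allow-all. The NULL guard is also evaluated after the name[0] dereference it is meant to protect, and an entry whose lookup failed carries addr.s_addr == 0 (set in set_proxy_conn_allow), so a request host that ap_inet_addr also turns into 0 would match on address. A substring match errs toward denying in a block list but toward permitting in an allow list, so the comparison should be an exact or dot-boundary suffix match and the address compare should skip unresolved entries, as sketched below. Separately, the `//` comments are not C89 and the rest of this file uses `/* */`, and reusing the literal `"Connect to remote machine blocked"` makes the two deny reasons indistinguishable in the error log; something like `"CONNECT to remote machine not permitted by ProxyConnAllow"` would separate them.
```c
/* … unchanged: ProxyBlock check; destaddr.s_addr = ap_inet_addr(host); pcaTst = 0; empty-list default … */
for (i = 0; i < conf->conallowproxies->nelts; i++) {
    const char *nm = capent[i].name;
    size_t hl, nl;

    if (nm == NULL)
        continue;
    hl = strlen(host);
    nl = strlen(nm);
    /* "*" alone allows everything; otherwise the entry must equal the host
     * or be its trailing domain on a label boundary (".example.com") */
    if (strcmp(nm, "*") == 0
        || (hl == nl && strcasecmp(host, nm) == 0)
        || (hl > nl && strcasecmp(host + hl - nl, nm) == 0
            && (nm[0] == '.' || host[hl - nl - 1] == '.'))
        || (capent[i].addr.s_addr != 0
            && destaddr.s_addr == capent[i].addr.s_addr)) {
        pcaTst = 1; /* matched */
        break;
    }
}
/* … unchanged: pcaTst == 0 -> ap_proxyerror(r, HTTP_FORBIDDEN, …) … */
```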