martin      98/09/08 14:15:57

  Modified:    src      CHANGES
               htdocs/manual/mod mod_proxy.html
               htdocs/manual new_features_1_3.html
               src/modules/proxy mod_proxy.c mod_proxy.h proxy_connect.c
  Log:
  Sameer posted the AllowCONNECT patch back in March. I adapted it to default
  to ports 443 and 563 (for https:// and snews://) and wrote a description
  of the directive for the mod_proxy.html document.
  
  Submitted by: Sameer Parekh <[EMAIL PROTECTED]>
  
  Revision  Changes    Path
  1.1047    +5 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1046
  retrieving revision 1.1047
  diff -u -r1.1046 -r1.1047
  --- CHANGES   1998/09/04 18:15:46     1.1046
  +++ CHANGES   1998/09/08 21:15:47     1.1047
  @@ -1,5 +1,10 @@
   Changes with Apache 1.3.2
   
  +  *) The proxy was refusing to serve CONNECT requests except to
  +     port 443 (https://) and 563 (snews://). The new AllowCONNECT
  +     directive allows the configuration of the ports to which a
  +     CONNECT is allowed.  [Sameer Parekh, Martin Kraemer]
  +
     *) mod_expires will now act on content that is not sent from a file
        on disk.  Previously it would never add an Expires: header to
        any response that did not come from a file on disk; the only
  
  
  
  1.45      +43 -0     apache-1.3/htdocs/manual/mod/mod_proxy.html
  
  Index: mod_proxy.html
  ===================================================================
  RCS file: /export/home/cvs/apache-1.3/htdocs/manual/mod/mod_proxy.html,v
  retrieving revision 1.44
  retrieving revision 1.45
  diff -u -r1.44 -r1.45
  --- mod_proxy.html    1998/08/16 20:51:52     1.44
  +++ mod_proxy.html    1998/09/08 21:15:53     1.45
  @@ -45,6 +45,7 @@
   <LI><A HREF="#proxypass">ProxyPass</A>
   <LI><A HREF="#proxypassreverse">ProxyPassReverse</A>
   <LI><A HREF="#proxyblock">ProxyBlock</A>
  +<LI><A HREF="#allowconnect">AllowCONNECT</A>
   <LI><A HREF="#proxyreceivebuffersize">ProxyReceiveBufferSize</A>
   <LI><A HREF="#noproxy">NoProxy</A>
   <LI><A HREF="#proxydomain">ProxyDomain</A>
  @@ -266,6 +267,48 @@
    HREF="mod_rewrite.html#RewriteRule"
   ><TT>mod_rewrite</TT></A> because its doesn't depend on a corresponding
   <SAMP>ProxyPass</SAMP> directive.
  +
  +<HR>
  +
  +<H2><A NAME="allowconnect">AllowCONNECT</A></H2>
  +<A
  + HREF="directive-dict.html#Syntax"
  + REL="Help"
  +><STRONG>Syntax:</STRONG></A> AllowCONNECT <EM>&lt;port list&gt;</EM><BR>
  +<A
  + HREF="directive-dict.html#Default"
  + REL="Help"
  +><STRONG>Default:</STRONG></A> <EM><SAMP>AllowCONNECT</SAMP> 443 563</EM><BR>
  +<A
  + HREF="directive-dict.html#Context"
  + REL="Help"
  +><STRONG>Context:</STRONG></A> server config, virtual host<BR>
  +<A
  + HREF="directive-dict.html#Override"
  + REL="Help"
  +><STRONG>Override:</STRONG></A> <EM>Not applicable</EM><BR>
  +<A
  + HREF="directive-dict.html#Status"
  + REL="Help"
  +><STRONG>Status:</STRONG></A> Base<BR>
  +<A
  + HREF="directive-dict.html#Module"
  + REL="Help"
  +><STRONG>Module:</STRONG></A> mod_proxy<BR>
  +<A
  + HREF="directive-dict.html#Compatibility"
  + REL="Help"
  +><STRONG>Compatibility:</STRONG></A> <SAMP>AllowCONNECT</SAMP> is only
  +available in Apache 1.3.2 and later.<P>
  +
  +The <SAMP>AllowCONNECT</SAMP> directive specifies a list of port numbers
  +to which the proxy <SAMP>CONNECT</SAMP> method may connect.
  +Today's browsers use this method when a <EM>https</EM> connection
  +is requested and proxy tunneling over <EM>http</EM> is in effect.<BR>
  +By default, only the default https port (443) and the default
  +snews port (563) are enabled. Use the <SAMP>AllowCONNECT</SAMP>
  +directive to overrride this default and allow connections to the
  +listed ports only.
   
   <HR>
   
  
  
  
  1.70      +4 -0      apache-1.3/htdocs/manual/new_features_1_3.html
  
  Index: new_features_1_3.html
  ===================================================================
  RCS file: /export/home/cvs/apache-1.3/htdocs/manual/new_features_1_3.html,v
  retrieving revision 1.69
  retrieving revision 1.70
  diff -u -r1.69 -r1.70
  --- new_features_1_3.html     1998/09/03 18:05:26     1.69
  +++ new_features_1_3.html     1998/09/08 21:15:54     1.70
  @@ -228,6 +228,10 @@
       authentification. That is slightly more secure than specifying
       the authentication information as part of the request URL,
       where it could be logged in plaintext by older proxy servers.
  +<LI>The new <SAMP>AllowCONNECT</SAMP> directive allows configuration
  +    of the port numbers to which the proxy CONNECT method may connect.
  +    That allows proxying to https://some.server:8443/ which resulted
  +    in an error message prior to Apache version 1.3.2.
   <LI>The proxy now supports the HTTP/1.1 "Via:" header as specified in
       RFC2068. The new
       <A HREF="mod/mod_proxy.html#proxyvia"><CODE>ProxyVia</CODE>
  
  
  
  1.62      +22 -0     apache-1.3/src/modules/proxy/mod_proxy.c
  
  Index: mod_proxy.c
  ===================================================================
  RCS file: /export/home/cvs/apache-1.3/src/modules/proxy/mod_proxy.c,v
  retrieving revision 1.61
  retrieving revision 1.62
  diff -u -r1.61 -r1.62
  --- mod_proxy.c       1998/08/25 09:15:33     1.61
  +++ mod_proxy.c       1998/09/08 21:15:55     1.62
  @@ -414,6 +414,7 @@
       ps->noproxies = ap_make_array(p, 10, sizeof(struct noproxy_entry));
       ps->dirconn = ap_make_array(p, 10, sizeof(struct dirconn_entry));
       ps->nocaches = ap_make_array(p, 10, sizeof(struct nocache_entry));
  +    ps->allowed_connect_ports = ap_make_array(p, 10, sizeof(int));
       ps->domain = NULL;
       ps->viaopt = via_off; /* initially backward compatible with 1.3.1 */
       ps->req = 0;
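Review bot: The new array is allocated in the per-server config constructor, but nothing in this commit shows it being handled in a merge step; if proxy_server_conf has a merge routine (not visible here), a virtual host that omits AllowCONNECT will be left with an empty array and therefore the built-in 443/563 default instead of inheriting the main server's list. Whether that inheritance is intended should be stated, since the manual's "Context: server config, virtual host" suggests either reading. A comment on the allocation would make the convention explicit: `ps->allowed_connect_ports = ap_make_array(p, 10, sizeof(int)); /* empty = built-in 443/563 default (see proxy_connect.c) */`. The enclosing constructor begins and ends outside the hunk.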
  @@ -534,6 +535,25 @@
       return NULL;
   }
   
  +/*
  + * Set the ports CONNECT can use
  + */
  +static const char *
  +    set_allowed_ports(cmd_parms *parms, void *dummy, char *arg)
  +{
  +    server_rec *s = parms->server;
  +    proxy_server_conf *conf =
  +      ap_get_module_config(s->module_config, &proxy_module);
  +    int *New;
  +
  +    if (!isdigit(arg[0]))
  +     return "AllowCONNECT: port number must be numeric";
  +
  +    New = ap_push_array(conf->allowed_connect_ports);
  +    *New = atoi(arg);
  +    return NULL;
  +}
  +
   /* Similar to set_proxy_exclude(), but defining directly connected hosts,
    * which should never be accessed via the configured ProxyRemote servers
    */
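Review bot: set_allowed_ports only checks that the first character of the argument is a digit, so `AllowCONNECT 443abc` or `AllowCONNECT 99999` is accepted and `atoi(arg)` stores whatever it produces, with no check that the whole token was consumed or that the value is a usable port. Parsing with strtol and an end pointer catches trailing garbage and empty input, and a range check against 1–65535 rejects values that can never match a request port; with that in place the isdigit() test is redundant (and if kept, its argument should be cast to unsigned char). The function lies entirely within the hunk.
```c
static const char *
    set_allowed_ports(cmd_parms *parms, void *dummy, char *arg)
{
    /* … unchanged: look up conf, declare New … */
    char *end;
    long port = strtol(arg, &end, 10);

    /* Reject empty input, trailing garbage and values outside the TCP port range. */
    if (end == arg || *end != '\0' || port < 1 || port > 65535)
        return "AllowCONNECT: port number must be numeric";

    New = ap_push_array(conf->allowed_connect_ports);
    *New = (int) port;
    return NULL;
}
```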
  @@ -827,6 +847,8 @@
        "A list of domains, hosts, or subnets to which the proxy will connect 
directly"},
       {"ProxyDomain", set_proxy_domain, NULL, RSRC_CONF, TAKE1,
        "The default intranet domain name (in absence of a domain in the URL)"},
  +    {"AllowCONNECT", set_allowed_ports, NULL, RSRC_CONF, ITERATE,
  +     "A list of ports which CONNECT may connect to"},
       {"CacheRoot", set_cache_root, NULL, RSRC_CONF, TAKE1,
        "The directory to store cache files"},
       {"CacheSize", set_cache_size, NULL, RSRC_CONF, TAKE1,
  
  
  
  1.41      +1 -0      apache-1.3/src/modules/proxy/mod_proxy.h
  
  Index: mod_proxy.h
  ===================================================================
  RCS file: /export/home/cvs/apache-1.3/src/modules/proxy/mod_proxy.h,v
  retrieving revision 1.40
  retrieving revision 1.41
  diff -u -r1.40 -r1.41
  --- mod_proxy.h       1998/08/31 19:51:59     1.40
  +++ mod_proxy.h       1998/09/08 21:15:56     1.41
  @@ -210,6 +210,7 @@
       array_header *noproxies;
       array_header *dirconn;
       array_header *nocaches;
  +    array_header *allowed_connect_ports;
       char *domain;            /* domain name to use in absence of a domain 
name in the request */
       int req;                 /* true if proxy requests are enabled */
       enum {
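Review bot: The new `allowed_connect_ports` member carries no comment, unlike `domain` and `req` immediately below it, and the convention proxy_connect.c relies on (an empty array means the compiled-in default, a non-empty one replaces it) is not recorded anywhere in the header. Suggest `array_header *allowed_connect_ports; /* ports CONNECT may tunnel to; empty = built-in 443/563 default */`. The struct definition begins and ends outside the hunk.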
  
  
  
  1.32      +25 -6     apache-1.3/src/modules/proxy/proxy_connect.c
  
  Index: proxy_connect.c
  ===================================================================
  RCS file: /export/home/cvs/apache-1.3/src/modules/proxy/proxy_connect.c,v
  retrieving revision 1.31
  retrieving revision 1.32
  diff -u -r1.31 -r1.32
  --- proxy_connect.c   1998/08/16 20:21:27     1.31
  +++ proxy_connect.c   1998/09/08 21:15:56     1.32
  @@ -97,6 +97,20 @@
    * FIXME: no check for r->assbackwards, whatever that is.
    */
   
  +static int
  +allowed_port(proxy_server_conf *conf, int port)
  +{
  +    int i;
  +    int *list = (int *) conf->allowed_connect_ports->elts;
  +
  +    for(i = 0; i < conf->allowed_connect_ports->nelts; i++) {
  +     if(port == list[i])
  +         return 1;
  +    }
  +    return 0;
  +}
  +
  +
   int ap_proxy_connect_handler(request_rec *r, cache_req *c, char *url,
                          const char *proxyhost, int proxyport)
   {
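Review bot: allowed_port has no header comment and uses `for(`/`if(` without the space that the surrounding file uses (`if (proxyhost)`, `switch (port)`), so it reads as pasted from elsewhere. A one-line comment would also pin down its contract, e.g. `/* Return 1 if port is in the AllowCONNECT list, 0 otherwise; the caller handles the empty-list default. */`, and `for (i = 0; ...)` / `if (port == list[i])` would match the local style. The function is fully within the hunk; ap_proxy_connect_handler starts at the end of the hunk and continues outside it.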
  @@ -137,13 +151,18 @@
            return ap_proxyerror(r, "Connect to remote machine blocked");
       }
   
  -    switch (port) {
  -     case DEFAULT_HTTPS_PORT:
  +    /* Check if it is an allowed port */
  +    if (conf->allowed_connect_ports->nelts == 0) {
  +     /* Default setting if not overridden by AllowCONNECT */
  +     switch (port) {
  +         case DEFAULT_HTTPS_PORT:
            case DEFAULT_SNEWS_PORT:
  -         break;
  -     default:
  -         return HTTP_SERVICE_UNAVAILABLE;
  -    }
  +             break;
  +         default:
  +             return HTTP_SERVICE_UNAVAILABLE;
  +     }
  +    } else if(!allowed_port(conf, port))
  +     return HTTP_SERVICE_UNAVAILABLE;
   
       if (proxyhost) {
        Explain2("CONNECT to remote proxy %s on port %d", proxyhost, proxyport);
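Review bot: The `else if(!allowed_port(conf, port))` branch is unbraced while the `if` branch above it is braced, and the comment `/* Check if it is an allowed port */` does not say the one thing a reader needs to know: a configured list replaces the 443/563 default rather than extending it, which is what the code does and what the manual promises. Suggest `} else if (!allowed_port(conf, port)) {` with a closing brace, and a comment such as `/* An explicit AllowCONNECT list replaces, not extends, the 443/563 default */`. Note the rejected-port result stays HTTP_SERVICE_UNAVAILABLE as before this change; the enclosing handler begins and ends outside the hunk.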
  
  
  
