martin 98/09/08 14:15:57
Modified: src CHANGES
htdocs/manual/mod mod_proxy.html
htdocs/manual new_features_1_3.html
src/modules/proxy mod_proxy.c mod_proxy.h proxy_connect.c
Log:
Sameer posted the AllowCONNECT patch back in March. I adapted it to default
to ports 443 and 563 (for https:// and snews://) and wrote a description
for the mod_proxy.html document.
Submitted by: Sameer Parekh <[EMAIL PROTECTED]>
Revision Changes Path
1.1047 +5 -0 apache-1.3/src/CHANGES
Index: CHANGES
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.1046
retrieving revision 1.1047
diff -u -r1.1046 -r1.1047
--- CHANGES 1998/09/04 18:15:46 1.1046
+++ CHANGES 1998/09/08 21:15:47 1.1047
@@ -1,5 +1,10 @@
Changes with Apache 1.3.2
+ *) The proxy was refusing to serve CONNECT requests except to
+ port 443 (https://) and 563 (snews://). The new AllowCONNECT
+ directive allows the configuration of the ports to which a
+ CONNECT is allowed. [Sameer Parekh, Martin Kraemer]
+
*) mod_expires will now act on content that is not sent from a file
on disk. Previously it would never add an Expires: header to
any response that did not come from a file on disk; the only
1.45 +43 -0 apache-1.3/htdocs/manual/mod/mod_proxy.html
Index: mod_proxy.html
===================================================================
RCS file: /export/home/cvs/apache-1.3/htdocs/manual/mod/mod_proxy.html,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -r1.44 -r1.45
--- mod_proxy.html 1998/08/16 20:51:52 1.44
+++ mod_proxy.html 1998/09/08 21:15:53 1.45
@@ -45,6 +45,7 @@
<LI><A HREF="#proxypass">ProxyPass</A>
<LI><A HREF="#proxypassreverse">ProxyPassReverse</A>
<LI><A HREF="#proxyblock">ProxyBlock</A>
+<LI><A HREF="#allowconnect">AllowCONNECT</A>
<LI><A HREF="#proxyreceivebuffersize">ProxyReceiveBufferSize</A>
<LI><A HREF="#noproxy">NoProxy</A>
<LI><A HREF="#proxydomain">ProxyDomain</A>
@@ -266,6 +267,48 @@
HREF="mod_rewrite.html#RewriteRule"
><TT>mod_rewrite</TT></A> because its doesn't depend on a corresponding
<SAMP>ProxyPass</SAMP> directive.
+
+<HR>
+
+<H2><A NAME="allowconnect">AllowCONNECT</A></H2>
+<A
+ HREF="directive-dict.html#Syntax"
+ REL="Help"
+><STRONG>Syntax:</STRONG></A> AllowCONNECT <EM><port list></EM><BR>
+<A
+ HREF="directive-dict.html#Default"
+ REL="Help"
+><STRONG>Default:</STRONG></A> <EM><SAMP>AllowCONNECT</SAMP> 443 563</EM><BR>
+<A
+ HREF="directive-dict.html#Context"
+ REL="Help"
+><STRONG>Context:</STRONG></A> server config, virtual host<BR>
+<A
+ HREF="directive-dict.html#Override"
+ REL="Help"
+><STRONG>Override:</STRONG></A> <EM>Not applicable</EM><BR>
+<A
+ HREF="directive-dict.html#Status"
+ REL="Help"
+><STRONG>Status:</STRONG></A> Base<BR>
+<A
+ HREF="directive-dict.html#Module"
+ REL="Help"
+><STRONG>Module:</STRONG></A> mod_proxy<BR>
+<A
+ HREF="directive-dict.html#Compatibility"
+ REL="Help"
+><STRONG>Compatibility:</STRONG></A> <SAMP>AllowCONNECT</SAMP> is only
+available in Apache 1.3.2 and later.<P>
+
+The <SAMP>AllowCONNECT</SAMP> directive specifies a list of port numbers
+to which the proxy <SAMP>CONNECT</SAMP> method may connect.
+Today's browsers use this method when a <EM>https</EM> connection
+is requested and proxy tunneling over <EM>http</EM> is in effect.<BR>
+By default, only the default https port (443) and the default
+snews port (563) are enabled. Use the <SAMP>AllowCONNECT</SAMP>
+directive to overrride this default and allow connections to the
+listed ports only.
<HR>
1.70 +4 -0 apache-1.3/htdocs/manual/new_features_1_3.html
Index: new_features_1_3.html
===================================================================
RCS file: /export/home/cvs/apache-1.3/htdocs/manual/new_features_1_3.html,v
retrieving revision 1.69
retrieving revision 1.70
diff -u -r1.69 -r1.70
--- new_features_1_3.html 1998/09/03 18:05:26 1.69
+++ new_features_1_3.html 1998/09/08 21:15:54 1.70
@@ -228,6 +228,10 @@
authentification. That is slightly more secure than specifying
the authentication information as part of the request URL,
where it could be logged in plaintext by older proxy servers.
+<LI>The new <SAMP>AllowCONNECT</SAMP> directive allows configuration
+ of the port numbers to which the proxy CONNECT method may connect.
+ That allows proxying to https://some.server:8443/ which resulted
+ in an error message prior to Apache version 1.3.2.
<LI>The proxy now supports the HTTP/1.1 "Via:" header as specified in
RFC2068. The new
<A HREF="mod/mod_proxy.html#proxyvia"><CODE>ProxyVia</CODE>
1.62 +22 -0 apache-1.3/src/modules/proxy/mod_proxy.c
Index: mod_proxy.c
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/modules/proxy/mod_proxy.c,v
retrieving revision 1.61
retrieving revision 1.62
diff -u -r1.61 -r1.62
--- mod_proxy.c 1998/08/25 09:15:33 1.61
+++ mod_proxy.c 1998/09/08 21:15:55 1.62
@@ -414,6 +414,7 @@
ps->noproxies = ap_make_array(p, 10, sizeof(struct noproxy_entry));
ps->dirconn = ap_make_array(p, 10, sizeof(struct dirconn_entry));
ps->nocaches = ap_make_array(p, 10, sizeof(struct nocache_entry));
+ ps->allowed_connect_ports = ap_make_array(p, 10, sizeof(int));
ps->domain = NULL;
ps->viaopt = via_off; /* initially backward compatible with 1.3.1 */
ps->req = 0;
@@ -534,6 +535,25 @@
return NULL;
}
+/*
+ * Set the ports CONNECT can use
+ */
+static const char *
+ set_allowed_ports(cmd_parms *parms, void *dummy, char *arg)
+{
+ server_rec *s = parms->server;
+ proxy_server_conf *conf =
+ ap_get_module_config(s->module_config, &proxy_module);
+ int *New;
+
+ if (!isdigit(arg[0]))
+ return "AllowCONNECT: port number must be numeric";
+
+ New = ap_push_array(conf->allowed_connect_ports);
+ *New = atoi(arg);
+ return NULL;
+}
+
/* Similar to set_proxy_exclude(), but defining directly connected hosts,
* which should never be accessed via the configured ProxyRemote servers
*/
@@ -827,6 +847,8 @@
"A list of domains, hosts, or subnets to which the proxy will connect
directly"},
{"ProxyDomain", set_proxy_domain, NULL, RSRC_CONF, TAKE1,
"The default intranet domain name (in absence of a domain in the URL)"},
+ {"AllowCONNECT", set_allowed_ports, NULL, RSRC_CONF, ITERATE,
+ "A list of ports which CONNECT may connect to"},
{"CacheRoot", set_cache_root, NULL, RSRC_CONF, TAKE1,
"The directory to store cache files"},
{"CacheSize", set_cache_size, NULL, RSRC_CONF, TAKE1,
1.41 +1 -0 apache-1.3/src/modules/proxy/mod_proxy.h
Index: mod_proxy.h
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/modules/proxy/mod_proxy.h,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -r1.40 -r1.41
--- mod_proxy.h 1998/08/31 19:51:59 1.40
+++ mod_proxy.h 1998/09/08 21:15:56 1.41
@@ -210,6 +210,7 @@
array_header *noproxies;
array_header *dirconn;
array_header *nocaches;
+ array_header *allowed_connect_ports;
char *domain; /* domain name to use in absence of a domain
name in the request */
int req; /* true if proxy requests are enabled */
enum {
1.32 +25 -6 apache-1.3/src/modules/proxy/proxy_connect.c
Index: proxy_connect.c
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/modules/proxy/proxy_connect.c,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- proxy_connect.c 1998/08/16 20:21:27 1.31
+++ proxy_connect.c 1998/09/08 21:15:56 1.32
@@ -97,6 +97,20 @@
* FIXME: no check for r->assbackwards, whatever that is.
*/
+static int
+allowed_port(proxy_server_conf *conf, int port)
+{
+ int i;
+ int *list = (int *) conf->allowed_connect_ports->elts;
+
+ for(i = 0; i < conf->allowed_connect_ports->nelts; i++) {
+ if(port == list[i])
+ return 1;
+ }
+ return 0;
+}
+
+
int ap_proxy_connect_handler(request_rec *r, cache_req *c, char *url,
const char *proxyhost, int proxyport)
{
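Review bot: `for(i = 0; ...)` and `if(port == list[i])` omit the space after the keyword that the rest of this file uses (`if (proxyhost)` a few lines further down), and the new helper has no comment saying what it decides. Since it only reads the configuration, `conf` can be `const proxy_server_conf *`, which documents that intent at the signature. A one-line header such as `/* Return 1 if port is listed in conf->allowed_connect_ports (AllowCONNECT), else 0. */` would make the policy check self-explanatory. The hunk ends on the opening brace of ap_proxy_connect_handler, whose body lies outside it.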
@@ -137,13 +151,18 @@
return ap_proxyerror(r, "Connect to remote machine blocked");
}
- switch (port) {
- case DEFAULT_HTTPS_PORT:
+ /* Check if it is an allowed port */
+ if (conf->allowed_connect_ports->nelts == 0) {
+ /* Default setting if not overridden by AllowCONNECT */
+ switch (port) {
+ case DEFAULT_HTTPS_PORT:
case DEFAULT_SNEWS_PORT:
- break;
- default:
- return HTTP_SERVICE_UNAVAILABLE;
- }
+ break;
+ default:
+ return HTTP_SERVICE_UNAVAILABLE;
+ }
+ } else if(!allowed_port(conf, port))
+ return HTTP_SERVICE_UNAVAILABLE;
if (proxyhost) {
Explain2("CONNECT to remote proxy %s on port %d", proxyhost, proxyport);
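Review bot: Both refusal paths (`return HTTP_SERVICE_UNAVAILABLE;` in the default switch and after `allowed_port`) drop the request without leaving any record, so an operator cannot tell from the logs whether the proxy is being probed for CONNECT tunnels to other ports; a log line before each return, e.g. `ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, r, "CONNECT to port %d refused by AllowCONNECT policy", port);`, gives that visibility at no cost to the policy itself. The built-in 443/563 default is applied only when the list is empty, so once any `AllowCONNECT` line is present the defaults are replaced rather than extended, which matches the mod_proxy.html text but is worth stating in the comment: `/* AllowCONNECT replaces (does not extend) the 443/563 default */`. The enclosing ap_proxy_connect_handler starts before this hunk and continues after it.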