martin 98/09/08 14:15:57
Modified: src CHANGES htdocs/manual/mod mod_proxy.html htdocs/manual new_features_1_3.html src/modules/proxy mod_proxy.c mod_proxy.h proxy_connect.c Log: Sameer posted the AllowCONNECT back in march. I adapted it to default to ports 443 and 563 (for https:// and snews://) and wrote a description for the mod_proxy.html document. Submitted by: Sameer Parekh <[EMAIL PROTECTED]> Revision Changes Path 1.1047 +5 -0 apache-1.3/src/CHANGES Index: CHANGES =================================================================== RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v retrieving revision 1.1046 retrieving revision 1.1047 diff -u -r1.1046 -r1.1047 --- CHANGES 1998/09/04 18:15:46 1.1046 +++ CHANGES 1998/09/08 21:15:47 1.1047 @@ -1,5 +1,10 @@ Changes with Apache 1.3.2 + *) The proxy was refusing to serve CONNECT requests except to + port 443 (https://) and 563 (snews://). The new AllowCONNECT + directive allows the configuration of the ports to which a + CONNECT is allowed. [Sameer Parekh, Martin Kraemer] + *) mod_expires will now act on content that is not sent from a file on disk. Previously it would never add an Expires: header to any response that did not come from a file on disk; the only 1.45 +43 -0 apache-1.3/htdocs/manual/mod/mod_proxy.html Index: mod_proxy.html =================================================================== RCS file: /export/home/cvs/apache-1.3/htdocs/manual/mod/mod_proxy.html,v retrieving revision 1.44 retrieving revision 1.45 diff -u -r1.44 -r1.45 --- mod_proxy.html 1998/08/16 20:51:52 1.44 +++ mod_proxy.html 1998/09/08 21:15:53 1.45 @@ -45,6 +45,7 @@ <LI><A HREF="#proxypass">ProxyPass</A> <LI><A HREF="#proxypassreverse">ProxyPassReverse</A> <LI><A HREF="#proxyblock">ProxyBlock</A> +<LI><A HREF="#allowconnect">AllowCONNECT</A> <LI><A HREF="#proxyreceivebuffersize">ProxyReceiveBufferSize</A> <LI><A HREF="#noproxy">NoProxy</A> <LI><A HREF="#proxydomain">ProxyDomain</A> 
@@ -266,6 +267,48 @@ HREF="mod_rewrite.html#RewriteRule" ><TT>mod_rewrite</TT></A> because its doesn't depend on a corresponding <SAMP>ProxyPass</SAMP> directive. + +<HR> + +<H2><A NAME="allowconnect">AllowCONNECT</A></H2> +<A + HREF="directive-dict.html#Syntax" + REL="Help" +><STRONG>Syntax:</STRONG></A> AllowCONNECT <EM><port list></EM><BR> +<A + HREF="directive-dict.html#Default" + REL="Help" +><STRONG>Default:</STRONG></A> <EM><SAMP>AllowCONNECT</SAMP> 443 563</EM><BR> +<A + HREF="directive-dict.html#Context" + REL="Help" +><STRONG>Context:</STRONG></A> server config, virtual host<BR> +<A + HREF="directive-dict.html#Override" + REL="Help" +><STRONG>Override:</STRONG></A> <EM>Not applicable</EM><BR> +<A + HREF="directive-dict.html#Status" + REL="Help" +><STRONG>Status:</STRONG></A> Base<BR> +<A + HREF="directive-dict.html#Module" + REL="Help" +><STRONG>Module:</STRONG></A> mod_proxy<BR> +<A + HREF="directive-dict.html#Compatibility" + REL="Help" +><STRONG>Compatibility:</STRONG></A> <SAMP>AllowCONNECT</SAMP> is only +available in Apache 1.3.2 and later.<P> + +The <SAMP>AllowCONNECT</SAMP> directive specifies a list of port numbers +to which the proxy <SAMP>CONNECT</SAMP> method may connect. +Today's browsers use this method when a <EM>https</EM> connection +is requested and proxy tunneling over <EM>http</EM> is in effect.<BR> +By default, only the default https port (443) and the default +snews port (563) are enabled. Use the <SAMP>AllowCONNECT</SAMP> +directive to overrride this default and allow connections to the +listed ports only. <HR> 1.70 +4 -0 apache-1.3/htdocs/manual/new_features_1_3.html Index: new_features_1_3.html =================================================================== RCS file: /export/home/cvs/apache-1.3/htdocs/manual/new_features_1_3.html,v retrieving revision 1.69 retrieving revision 1.70 diff -u -r1.69 -r1.70 --- new_features_1_3.html 1998/09/03 18:05:26 1.69 +++ new_features_1_3.html 1998/09/08 21:15:54 1.70 
@@ -228,6 +228,10 @@ authentification. That is slightly more secure than specifying the authentication information as part of the request URL, where it could be logged in plaintext by older proxy servers. +<LI>The new <SAMP>AllowCONNECT</SAMP> directive allows configuration + of the port numbers to which the proxy CONNECT method may connect. + That allows proxying to https://some.server:8443/ which resulted + in an error message prior to Apache version 1.3.2. <LI>The proxy now supports the HTTP/1.1 "Via:" header as specified in RFC2068. The new <A HREF="mod/mod_proxy.html#proxyvia"><CODE>ProxyVia</CODE> 1.62 +22 -0 apache-1.3/src/modules/proxy/mod_proxy.c Index: mod_proxy.c =================================================================== RCS file: /export/home/cvs/apache-1.3/src/modules/proxy/mod_proxy.c,v retrieving revision 1.61 retrieving revision 1.62 diff -u -r1.61 -r1.62 --- mod_proxy.c 1998/08/25 09:15:33 1.61 +++ mod_proxy.c 1998/09/08 21:15:55 1.62 @@ -414,6 +414,7 @@ ps->noproxies = ap_make_array(p, 10, sizeof(struct noproxy_entry)); ps->dirconn = ap_make_array(p, 10, sizeof(struct dirconn_entry)); ps->nocaches = ap_make_array(p, 10, sizeof(struct nocache_entry)); + ps->allowed_connect_ports = ap_make_array(p, 10, sizeof(int)); ps->domain = NULL; ps->viaopt = via_off; /* initially backward compatible with 1.3.1 */ ps->req = 0; @@ -534,6 +535,25 @@ return NULL; } +/* + * Set the ports CONNECT can use + */ +static const char * + set_allowed_ports(cmd_parms *parms, void *dummy, char *arg) +{ + server_rec *s = parms->server; + proxy_server_conf *conf = + ap_get_module_config(s->module_config, &proxy_module); + int *New; + + if (!isdigit(arg[0])) + return "AllowCONNECT: port number must be numeric"; + + New = ap_push_array(conf->allowed_connect_ports); + *New = atoi(arg); + return NULL; +} + /* Similar to set_proxy_exclude(), but defining directly connected hosts, * which should never be accessed via the configured ProxyRemote servers */ 
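Review bot: The new `allowed_connect_ports` array is only created here, and nothing on this page shows a merge routine for proxy_server_conf; if a per-virtual-host merge exists elsewhere in mod_proxy.c it has to carry this field too, otherwise a virtual host that sets no AllowCONNECT silently gets an empty list and therefore the built-in 443/563 default rather than the main server's configured list, which the mod_proxy.html text ("server config, virtual host") does not spell out. That empty-means-default rule is decided in proxy_connect.c, far from this line, so it is worth stating where the array is born: `ps->allowed_connect_ports = ap_make_array(p, 10, sizeof(int)); /* empty => CONNECT limited to 443/563 */`. The enclosing create_proxy_config starts and ends outside the hunk.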
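Review bot: In `set_allowed_ports` the check `isdigit(arg[0])` followed by `atoi(arg)` validates only the first character, so values such as `443x` or `4430000` are accepted and silently become a port the administrator did not intend; since this list is the only thing that limits which TCP ports a CONNECT client may reach, a malformed entry should fail the configuration load rather than be guessed at. `isdigit` on a plain `char` is also undefined for negative values, so cast to `unsigned char` if that test stays. A strtol-based parse with an end-pointer and a 1..65535 range check replaces the two lines and is only a handful of lines longer; strtol comes from the same stdlib header atoi already needs.
```c
static const char *
 set_allowed_ports(cmd_parms *parms, void *dummy, char *arg)
{
    /* … unchanged: conf lookup and `int *New;` … */
    char *end;
    long port = strtol(arg, &end, 10);

    /* whole argument must be a number in the TCP port range */
    if (end == arg || *end != '\0' || port < 1 || port > 65535)
        return "AllowCONNECT: port number must be numeric (1-65535)";

    New = ap_push_array(conf->allowed_connect_ports);
    *New = (int) port;
    return NULL;
}
```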
@@ -827,6 +847,8 @@
 "A list of domains, hosts, or subnets to which the proxy will connect directly"},
 {"ProxyDomain", set_proxy_domain, NULL, RSRC_CONF, TAKE1,
 "The default intranet domain name (in absence of a domain in the URL)"},
+ {"AllowCONNECT", set_allowed_ports, NULL, RSRC_CONF, ITERATE,
+ "A list of ports which CONNECT may connect to"},
 {"CacheRoot", set_cache_root, NULL, RSRC_CONF, TAKE1,
 "The directory to store cache files"},
 {"CacheSize", set_cache_size, NULL, RSRC_CONF, TAKE1,
1.41 +1 -0 apache-1.3/src/modules/proxy/mod_proxy.h
Index: mod_proxy.h
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/modules/proxy/mod_proxy.h,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -r1.40 -r1.41
--- mod_proxy.h 1998/08/31 19:51:59 1.40
+++ mod_proxy.h 1998/09/08 21:15:56 1.41
@@ -210,6 +210,7 @@
 array_header *noproxies;
 array_header *dirconn;
 array_header *nocaches;
+ array_header *allowed_connect_ports;
 char *domain; /* domain name to use in absence of a domain name in the request */
 int req; /* true if proxy requests are enabled */
 enum {
1.32 +25 -6 apache-1.3/src/modules/proxy/proxy_connect.c
Index: proxy_connect.c
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/modules/proxy/proxy_connect.c,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- proxy_connect.c 1998/08/16 20:21:27 1.31
+++ proxy_connect.c 1998/09/08 21:15:56 1.32
@@ -97,6 +97,20 @@
 * FIXME: no check for r->assbackwards, whatever that is.
 */
 
+static int
+allowed_port(proxy_server_conf *conf, int port)
+{
+ int i;
+ int *list = (int *) conf->allowed_connect_ports->elts;
+
+ for(i = 0; i < conf->allowed_connect_ports->nelts; i++) {
+ if(port == list[i])
+ return 1;
+ }
+ return 0;
+}
+
+
 int ap_proxy_connect_handler(request_rec *r, cache_req *c, char *url,
 const char *proxyhost, int proxyport)
 {
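Review bot: The new `allowed_connect_ports` member is the only field in this run without a trailing comment, while its neighbours `domain` and `req` document their meaning, and the rule that an empty list means the built-in 443/563 default is applied in proxy_connect.c with nothing here pointing to it. Suggest `array_header *allowed_connect_ports; /* int: ports CONNECT may tunnel to; empty = built-in 443/563 default */`. The struct definition starts and ends outside the hunk.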
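Review bot: `allowed_port` has no header comment and writes `for(` and `if(` where the code around it in proxy_connect.c writes `switch (port)` and `if (proxyhost)` with a space; the `else if(` added in the next proxy_connect.c hunk has the same inconsistency. Suggest `/* Return 1 if port is listed by AllowCONNECT, else 0; an empty list is the caller's business (built-in default). */` above the function, and `for (i = 0; i < conf->allowed_connect_ports->nelts; i++) {` / `if (port == list[i])` in the body. Reading `elts` as `int *` matches the `sizeof(int)` used when the array is created in mod_proxy.c, so that part is consistent. ap_proxy_connect_handler's body continues outside the hunk.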
@@ -137,13 +151,18 @@
 return ap_proxyerror(r, "Connect to remote machine blocked");
 }
 
- switch (port) {
- case DEFAULT_HTTPS_PORT:
+ /* Check if it is an allowed port */
+ if (conf->allowed_connect_ports->nelts == 0) {
+ /* Default setting if not overridden by AllowCONNECT */
+ switch (port) {
+ case DEFAULT_HTTPS_PORT:
 case DEFAULT_SNEWS_PORT:
- break;
- default:
- return HTTP_SERVICE_UNAVAILABLE;
- }
+ break;
+ default:
+ return HTTP_SERVICE_UNAVAILABLE;
+ }
+ } else if(!allowed_port(conf, port))
+ return HTTP_SERVICE_UNAVAILABLE;
 
 if (proxyhost) {
 Explain2("CONNECT to remote proxy %s on port %d", proxyhost, proxyport);
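Review bot: Both refusals in this hunk return `HTTP_SERVICE_UNAVAILABLE` without logging anything, so an operator has no record that a client asked the proxy to tunnel to a port outside the AllowCONNECT list, and a 503 tells the client the service is temporarily down rather than that policy forbids the port. Before each `return HTTP_SERVICE_UNAVAILABLE;` add `ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, r, "CONNECT to port %d refused by AllowCONNECT", port);`, and consider whether `HTTP_FORBIDDEN` is the more honest status now that the refusal is an explicit configuration decision (the commit keeps the pre-existing 503, so that is a separate judgement). The `else if(!allowed_port(conf, port))` branch also drops the braces the `if` branch uses; bracing both keeps the style uniform. Where `port` is parsed from the request is outside the hunk, as is the rest of ap_proxy_connect_handler.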