On Tue, 2 Sep 2003, Chris Knight wrote: > Joshua Slive wrote: > > >I think we've done pretty-much all we can. I wouldn't mind putting a > >little note on the httpd.apache.org homepage saying "Have you secured your > >proxy?" and point to the correct docs. > > > > > What about sending a warning message to stderr/error_log upon startup if > the proxy is not access controlled?
I don't think that is feasible. There are MANY ways to do access control in apache. Sending a message along the lines of "Your server is configured to proxy requests to arbitrary servers." whenever ProxyRequests is On would be a possibility. > ...HTTPS proxying is even worse and could be used to mount a variety of > TCP attacks. The AllowConnect directive restricts that. Joshua.
