According to Greg Stark:
>
> This isn't entirely on-topic but it's a solution often suggested for mod_perl
> users so I suspect there are other users here being bitten by the same
> problems. In fact the manner in which problems manifest are such that it's
> possible that many mod_perl users who are using mod_rewrite/mod_proxy to run
> a reverse proxy in front of their heavyweight perl servers have a security
> problem and don't even know it.
>
> The problem is that the solution written in the mod_rewrite guide for a
> reverse proxy doesn't work as advertised to block incoming proxy requests.
>
> RewriteRule ^(http|ftp)://.* - [F]
>
> This is supposed to block incoming proxy requests that aren't specifically
> created by the rewrite rules that follow.
>
> The problem is that both mod_rewrite and mod_proxy have changed, and this
> seems to no longer catch the incoming proxy requests. Instead mod_rewrite
> seems to see just the path part of the URI, ie, /foo/bar/baz.pl without the
> http://.../.
Setting
ProxyRequests off
should disable any explict proxy requests from clients. It does
not stop ProxyPass or RewriteRule specified proxying. My server
logs a 302 error and sends a redirect to
http://www.goto.com/d/home/p/digimedia/context/
(interesting - I didn't know where it was redirecting before...).
I do see quite a few of these in my logfiles, mostly trying to
bump up the ad counters on some other sites, I think.
Les Mikesell
[EMAIL PROTECTED]