----- "Hannes" <hannes.flo...@gmx.li> wrote:

> Hi HTTPD Users,
> 
> I'm using Apache 2.2 on Debian (Kernel 2.6) as a proxy for my web
> applications.
> 
> So far I got it all working, including SSL and stuff. But when I had a
> look at the access.log, I saw hundreds of (mostly GET) requests to URLs
> which are not mine.
> 
> I'm not really sure what this means, but I think some bots are using
> the proxy to access other sites. Can that be?
> 
> I turned
> 
> ProxyRequests Off
> 
> <Proxy *>
>       Order deny,allow
>       Allow from all
> </Proxy>
> 
> 
> With Allow/Deny from all, I can only restrict who can request the
> proxy, but I need to restrict the proxy to only forward requests to
> localhost.
> 
> Do I have to do that with iptables or is it possible within Apache?


First and foremost: Are you talking about a reverse proxy, or a forward proxy?

If we're talking about a reverse proxy then:

* ProxyRequests Off is a good thing, and the way it should be.
* in this case the GET requests to foreign URLs should result in
  403s
* <Proxy *> Allow from all -- is the way it should be, unless
  you only want a specific target group to access it.

If we're talking about a forward proxy:

* ProxyRequests needs to be On -- since we're actually a forward proxy
* In this case, the GET requests to foreign URLs will result
  in 100, 20x, 30x results.
* You should limit your forward proxy's visibility via
  <Proxy *> allow from 127.0.0


The problem with limiting your server on IP level on the firewall is
that it's hard to distinguish between a customer doing a valid request
and one doing a proxy request to a foreign URL -- on IP level, that is.

> thanks!
> Hannes
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>    "   from the digest: users-digest-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.ga...@brainsware.org
URL: http://brainsware.org/
