Recipe 10.1 Securing Your Proxy Server

Problem

You want to enable proxying, but you don't want an open proxy that can be used by anyone at all.

Solution

For Apache 1.3:

    <Directory proxy:*>
        Order deny,allow
        Deny from all
        Allow from .yourdomain.com
    </Directory>

For Apache 2.0:

    <Proxy *>
        Order Deny,Allow
        Deny from all
        Allow from .yourdomain.com
    </Proxy>

Discussion

Running an open proxy is a concern because it permits anyone on the Internet to use your proxy server to cover their tracks as they visit web sites. This is a problem for several reasons. The user is stealing your bandwidth, which is bad enough. More worrying, you are probably enabling people to circumvent restrictions put in place by their own network administrators, and you are giving them anonymity while they visit a web site: every one of those visits appears to come from your network, so any abuse complaints come to you.

In these recipes, .yourdomain.com should be replaced by the name of your particular domain or, better yet, the network address(es) that are on your network. IP addresses are harder to fake than host and domain names, and a hostname-based rule also costs Apache a reverse DNS lookup on every proxied request. For example, rather than the Allow line appearing in the recipe, you might use:

    Allow from 192.168.1

Note that every request for a resource that goes through your proxy server generates a logfile entry containing the address of the client and the resource that was requested through your proxy server. For example, one such request might look like:

    192.168.1.5 - - [26/Feb/2003:21:26:13 -0500] "GET http://httpd.apache.org/docs/mod/mod_proxy.html HTTP/1.1" 200 49890

Your users, if made aware of this fact, will no doubt find it invasive, because it records all of their HTTP traffic through the proxy server. It is possible to configure your server not to log these requests.
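The following configuration is an added example, not from the Apache Cookbook, that puts the Solution into a complete forward-proxy virtual host. It assumes Apache 2.x with mod_proxy, mod_proxy_http, mod_env and mod_log_config loaded, a trusted internal network of 192.168.1.0/24, port 3128, the hostname proxy.example.com and the /www/logs paths, all of which are illustrative. It shows the 2.0/2.2 access rules beside the 2.4 equivalent (Require ip), and it also includes the environment-variable log filtering described in the next paragraph, with the proxied entries sent to their own logfile rather than dropped.

```apache
# Added example (not the Apache Cookbook's own config): a forward proxy that
# is closed to the Internet and keeps proxied traffic out of the main log.
# Assumptions: Apache 2.x; trusted network 192.168.1.0/24; illustrative
# hostname, port and log paths.
Listen 3128

<VirtualHost *:3128>
    ServerName proxy.example.com

    # ProxyRequests On is the directive that makes Apache a forward proxy.
    # On its own, with no <Proxy> restriction, it produces an open proxy.
    ProxyRequests On
    ProxyVia On

    <Proxy *>
        # Apache 2.0/2.2 (mod_access / mod_authz_host): deny everyone, then
        # re-admit only the internal network, by address rather than by
        # hostname so a forged reverse-DNS record cannot get in and no
        # reverse lookup is needed per request.
        <IfModule !mod_authz_core.c>
            Order Deny,Allow
            Deny from all
            Allow from 192.168.1.0/24
        </IfModule>

        # Apache 2.4 (mod_authz_core): the same policy in the new syntax.
        <IfModule mod_authz_core.c>
            Require ip 192.168.1.0/24
        </IfModule>

        # Mark every proxied request so the log directives can tell it apart
        # from requests for the server's own content.
        SetEnv PROXIED 1
    </Proxy>

    # Proxied requests stay out of the ordinary access log ...
    CustomLog /www/logs/access_log common env=!PROXIED

    # ... but are not silently discarded: they go to a separate file whose
    # permissions can be tightened, so abuse can still be investigated.
    CustomLog /www/logs/proxy_log common env=PROXIED
</VirtualHost>
```

After reloading, check the result from an address outside the allowed range (for example with `curl -x proxy.example.com:3128 http://httpd.apache.org/`): an outside client should get 403 Forbidden, and only the internal network should get the proxied page. The `<Proxy>` restriction matters for forward proxying only; if you are using ProxyPass to front an internal application (a reverse proxy), leave ProxyRequests Off, since ProxyPass does not need it and turning it on would open the server as a general proxy.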
The technique for doing this is to set an environment variable for proxied requests. For Apache 1.3:

    <Directory proxy:*>
        SetEnv PROXIED 1
    </Directory>

Under Apache 2.0 the same SetEnv line goes inside the <Proxy *> container shown in the Solution. Then, in your log directive, specify that requests carrying that variable are not to be logged:

    CustomLog /www/logs/access_log common env=!PROXIED

Bear in mind that this discards the record entirely: if the proxy is ever abused, you will have nothing to investigate with. A common compromise is to send proxied requests to a separate, more tightly permissioned logfile with a second CustomLog directive that uses env=PROXIED.

See Also