View | Details | Raw Unified | Return to bug 40746

(-)httpd-2.0.59/docs/manual/mod/directives.html.en.proxyallow (+1 lines)
Lines 272-277 Link Here
272
<li><a href="mpm_common.html#pidfile">PidFile</a></li>
272
<li><a href="mpm_common.html#pidfile">PidFile</a></li>
273
<li><a href="mod_echo.html#protocolecho">ProtocolEcho</a></li>
273
<li><a href="mod_echo.html#protocolecho">ProtocolEcho</a></li>
274
<li><a href="mod_proxy.html#proxy">&lt;Proxy&gt;</a></li>
274
<li><a href="mod_proxy.html#proxy">&lt;Proxy&gt;</a></li>
275
<li><a href="mod_proxy.html#proxyallow">ProxyAllow</a></li>
275
<li><a href="mod_proxy.html#proxybadheader">ProxyBadHeader</a></li>
276
<li><a href="mod_proxy.html#proxybadheader">ProxyBadHeader</a></li>
276
<li><a href="mod_proxy.html#proxyblock">ProxyBlock</a></li>
277
<li><a href="mod_proxy.html#proxyblock">ProxyBlock</a></li>
277
<li><a href="mod_proxy.html#proxydomain">ProxyDomain</a></li>
278
<li><a href="mod_proxy.html#proxydomain">ProxyDomain</a></li>
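Review bot: only generated output is touched here and in the two other docs hunks (directives.html.en, mod_proxy.html.en, quickreference.html.en); the docs/manual/mod/mod_proxy.xml source that these .html.en files are built from is not in the diff, so the new ProxyAllow entries will be overwritten on the next documentation build. Add the directive to the XML source and regenerate instead of hand-editing the HTML.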
(-)httpd-2.0.59/docs/manual/mod/mod_proxy.html.en.proxyallow (-1 / +45 lines)
Lines 62-67 Link Here
62
<li><img alt="" src="../images/down.gif" /> <a href="#allowconnect">AllowCONNECT</a></li>
62
<li><img alt="" src="../images/down.gif" /> <a href="#allowconnect">AllowCONNECT</a></li>
63
<li><img alt="" src="../images/down.gif" /> <a href="#noproxy">NoProxy</a></li>
63
<li><img alt="" src="../images/down.gif" /> <a href="#noproxy">NoProxy</a></li>
64
<li><img alt="" src="../images/down.gif" /> <a href="#proxy">&lt;Proxy&gt;</a></li>
64
<li><img alt="" src="../images/down.gif" /> <a href="#proxy">&lt;Proxy&gt;</a></li>
65
<li><img alt="" src="../images/down.gif" /> <a href="#proxyallow">ProxyAllow</a></li>
65
<li><img alt="" src="../images/down.gif" /> <a href="#proxybadheader">ProxyBadHeader</a></li>
66
<li><img alt="" src="../images/down.gif" /> <a href="#proxybadheader">ProxyBadHeader</a></li>
66
<li><img alt="" src="../images/down.gif" /> <a href="#proxyblock">ProxyBlock</a></li>
67
<li><img alt="" src="../images/down.gif" /> <a href="#proxyblock">ProxyBlock</a></li>
67
<li><img alt="" src="../images/down.gif" /> <a href="#proxydomain">ProxyDomain</a></li>
68
<li><img alt="" src="../images/down.gif" /> <a href="#proxydomain">ProxyDomain</a></li>
Lines 299-305 Link Here
299
   </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
300
   </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
300
<div class="section">
301
<div class="section">
301
<h2><a name="startup" id="startup">Slow Startup</a></h2>
302
<h2><a name="startup" id="startup">Slow Startup</a></h2>
302
      <p>If you're using the <code class="directive"><a href="#proxyblock">ProxyBlock</a></code> directive, hostnames' IP addresses are looked up
303
      <p>If you're using the <code class="directive"><a href="#proxyallow">ProxyAllow</a></code> or
304
      <code class="directive"><a href="#proxyblock">ProxyBlock</a></code> directive, hostnames' IP addresses are looked up
303
      and cached during startup for later match test. This may take a few
305
      and cached during startup for later match test. This may take a few
304
      seconds (or more) depending on the speed with which the hostname lookups
306
      seconds (or more) depending on the speed with which the hostname lookups
305
      occur.</p>
307
      occur.</p>
Lines 537-542 Link Here
537
539
538
</div>
540
</div>
539
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
541
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
542
<div class="directive-section"><h2><a name="ProxyAllow" id="ProxyAllow">ProxyAllow</a> <a name="proxyallow" id="proxyallow">Directive</a></h2>
543
<table class="directive">
544
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Words, hosts, or domains that are banned from being
545
proxied</td></tr>
546
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>ProxyAllow *|<var>word</var>|<var>host</var>|<var>domain</var>
547
[<var>word</var>|<var>host</var>|<var>domain</var>] ...</code></td></tr>
548
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
549
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
550
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_proxy</td></tr>
551
</table>
552
    <p>The <code class="directive">ProxyAllow</code> directive specifies a list of
553
    words, hosts and/or domains, separated by spaces.  HTTP, HTTPS, and
554
    FTP document requests to sites whose names contain matched words,
555
    hosts or domains are <em>allowed</em> by the proxy server. The proxy
556
    module will also attempt to determine IP addresses of list items which
557
    may be hostnames during startup, and cache them for match test as
558
    well. That may slow down the startup time of the server.</p>
559
560
    <div class="example"><h3>Example</h3><p><code>
561
      ProxyAllow joes-garage.com some-host.co.uk rocky.wotsamattau.edu
562
    </code></p></div>
563
564
    <p><code>rocky.wotsamattau.edu</code> would also be matched if referenced by
565
    IP address.</p>
566
567
    <p>Note that <code>wotsamattau</code> would also be sufficient to match
568
    <code>wotsamattau.edu</code>.</p>
569
570
    <p>Note also that</p>
571
572
    <div class="example"><p><code>
573
      ProxyAllow *
574
    </code></p></div>
575
576
    <p>allows connections to all sites.</p>
577
578
    <p>If the <code class="directive">ProxyAllow</code> is not present,
579
    the default is to allow all sites (except those blocked by
580
    <a href="#proxyblock"><code class="directive">ProxyBlock</code></a>).</p>
581
582
</div>
583
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
540
<div class="directive-section"><h2><a name="ProxyBadHeader" id="ProxyBadHeader">ProxyBadHeader</a> <a name="proxybadheader" id="proxybadheader">Directive</a></h2>
584
<div class="directive-section"><h2><a name="ProxyBadHeader" id="ProxyBadHeader">ProxyBadHeader</a> <a name="proxybadheader" id="proxybadheader">Directive</a></h2>
541
<table class="directive">
585
<table class="directive">
542
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Determines how to handle bad header lines in a
586
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Determines how to handle bad header lines in a
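Review bot: the Description cell ("Words, hosts, or domains that are banned from being proxied") is the ProxyBlock text and says the opposite of what the directive does; the quickreference hunk in this same patch reads "exclusively allowed to be proxied", so use that wording here as well. Two consequences of the implementation also belong in this prose: ProxyBlock is evaluated first, so a host that matches both lists is still refused; and matching is by substring of the hostname, so the sentence "wotsamattau would also be sufficient to match wotsamattau.edu" equally means it matches wotsamattau.edu.attacker.example or any other name containing that string, which for an allow list is a caveat the reader needs, and the example should recommend full hostnames. Minor: "If the ProxyAllow is not present" needs "directive" after the name.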
(-)httpd-2.0.59/docs/manual/mod/quickreference.html.en.proxyallow (+3 lines)
Lines 476-481 Link Here
476
of the daemon</td></tr>
476
of the daemon</td></tr>
477
<tr><td><a href="mod_echo.html#protocolecho">ProtocolEcho On|Off</a></td><td></td><td>sv</td><td>X</td></tr><tr><td class="descr" colspan="4">Turn the echo server on or off</td></tr>
477
<tr><td><a href="mod_echo.html#protocolecho">ProtocolEcho On|Off</a></td><td></td><td>sv</td><td>X</td></tr><tr><td class="descr" colspan="4">Turn the echo server on or off</td></tr>
478
<tr class="odd"><td><a href="mod_proxy.html#proxy">&lt;Proxy <var>wildcard-url</var>&gt; ...&lt;/Proxy&gt;</a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Container for directives applied to proxied resources</td></tr>
478
<tr class="odd"><td><a href="mod_proxy.html#proxy">&lt;Proxy <var>wildcard-url</var>&gt; ...&lt;/Proxy&gt;</a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Container for directives applied to proxied resources</td></tr>
479
<tr class="odd"><td><a href="mod_proxy.html#proxyallow">ProxyAllow *|<var>word</var>|<var>host</var>|<var>domain</var>
480
[<var>word</var>|<var>host</var>|<var>domain</var>] ...</a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Words, hosts, or domains that are exclusively allowed to be
481
proxied</td></tr>
479
<tr><td><a href="mod_proxy.html#proxybadheader">ProxyBadHeader IsError|Ignore|StartBody</a></td><td> IsError </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Determines how to handle bad header lines in a
482
<tr><td><a href="mod_proxy.html#proxybadheader">ProxyBadHeader IsError|Ignore|StartBody</a></td><td> IsError </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Determines how to handle bad header lines in a
480
response</td></tr>
483
response</td></tr>
481
<tr class="odd"><td><a href="mod_proxy.html#proxyblock">ProxyBlock *|<var>word</var>|<var>host</var>|<var>domain</var>
484
<tr class="odd"><td><a href="mod_proxy.html#proxyblock">ProxyBlock *|<var>word</var>|<var>host</var>|<var>domain</var>
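Review bot: the inserted rows carry class="odd" immediately after the &lt;Proxy&gt; row, which is itself class="odd", while the ProxyBadHeader row that follows has no class, so the alternating striping of this table is broken from this point on (two odd rows, then two unstriped rows). The description here ("exclusively allowed to be proxied") is also the correct one and disagrees with the "banned from being proxied" text in the mod_proxy.html.en hunk; the two should be reconciled to this wording.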
(-)httpd-2.0.59/modules/proxy/mod_proxy.c.proxyallow (+36 lines)
Lines 477-482 Link Here
477
    ps->aliases = apr_array_make(p, 10, sizeof(struct proxy_alias));
477
    ps->aliases = apr_array_make(p, 10, sizeof(struct proxy_alias));
478
    ps->raliases = apr_array_make(p, 10, sizeof(struct proxy_alias));
478
    ps->raliases = apr_array_make(p, 10, sizeof(struct proxy_alias));
479
    ps->noproxies = apr_array_make(p, 10, sizeof(struct noproxy_entry));
479
    ps->noproxies = apr_array_make(p, 10, sizeof(struct noproxy_entry));
480
    ps->onlyproxies = apr_array_make(p, 10, sizeof(struct noproxy_entry));
480
    ps->dirconn = apr_array_make(p, 10, sizeof(struct dirconn_entry));
481
    ps->dirconn = apr_array_make(p, 10, sizeof(struct dirconn_entry));
481
    ps->allowed_connect_ports = apr_array_make(p, 10, sizeof(int));
482
    ps->allowed_connect_ports = apr_array_make(p, 10, sizeof(int));
482
    ps->domain = NULL;
483
    ps->domain = NULL;
Lines 512-517 Link Here
512
    ps->aliases = apr_array_append(p, base->aliases, overrides->aliases);
513
    ps->aliases = apr_array_append(p, base->aliases, overrides->aliases);
513
    ps->raliases = apr_array_append(p, base->raliases, overrides->raliases);
514
    ps->raliases = apr_array_append(p, base->raliases, overrides->raliases);
514
    ps->noproxies = apr_array_append(p, base->noproxies, overrides->noproxies);
515
    ps->noproxies = apr_array_append(p, base->noproxies, overrides->noproxies);
516
    ps->onlyproxies = apr_array_append(p, base->onlyproxies, overrides->onlyproxies);
515
    ps->dirconn = apr_array_append(p, base->dirconn, overrides->dirconn);
517
    ps->dirconn = apr_array_append(p, base->dirconn, overrides->dirconn);
516
    ps->allowed_connect_ports = apr_array_append(p, base->allowed_connect_ports, overrides->allowed_connect_ports);
518
    ps->allowed_connect_ports = apr_array_append(p, base->allowed_connect_ports, overrides->allowed_connect_ports);
517
519
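Review bot: appending base->onlyproxies and overrides->onlyproxies means a virtual host inherits every ProxyAllow entry of the main server and can only add to them. Each entry widens what the proxy will connect to, so a vhost can never be more restrictive than the global configuration, and a global "ProxyAllow *" silently turns every per-vhost ProxyAllow list into a no-op. The union is the safe direction for the noproxies deny list this line mirrors, but not for an allow list; consider having a non-empty overrides list replace the base list, and document whichever semantics are kept.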
Lines 709-714 Link Here
709
    return NULL;
711
    return NULL;
710
}
712
}
711
713
714
static const char *
715
    set_proxy_include(cmd_parms *parms, void *dummy, const char *arg)
716
{
717
    server_rec *s = parms->server;
718
    proxy_server_conf *conf =
719
    ap_get_module_config(s->module_config, &proxy_module);
720
    struct noproxy_entry *new;
721
    struct noproxy_entry *list = (struct noproxy_entry *) conf->onlyproxies->elts;
722
    struct apr_sockaddr_t *addr;
723
    int found = 0;
724
    int i;
725
726
    /* Don't duplicate entries */
727
    for (i = 0; i < conf->onlyproxies->nelts; i++) {
728
        if (apr_strnatcasecmp(arg, list[i].name) == 0) { /* ignore case for host names */
729
            found = 1;
730
        }
731
    }
732
733
    if (!found) {
734
        new = apr_array_push(conf->onlyproxies);
735
        new->name = arg;
736
        if (APR_SUCCESS == apr_sockaddr_info_get(&addr, new->name, APR_UNSPEC, 0, 0, parms->pool)) {
737
            new->addr = addr;
738
        }
739
        else {
740
            new->addr = NULL;
741
        }
742
    }
743
    return NULL;
744
}
745
712
/*
746
/*
713
 * Set the ports CONNECT can use
747
 * Set the ports CONNECT can use
714
 */
748
 */
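Review bot: when apr_sockaddr_info_get fails, new->addr is set to NULL without any log message, so a mistyped hostname in ProxyAllow silently degrades into a bare substring match at request time instead of being flagged at startup; log the failed lookup (DEBUG at least, WARNING for anything that looks like a hostname) so an operator can tell the two apart. The lookup is also attempted for plain words such as "wotsamattau" and for "*", which costs a DNS round trip per entry at startup for no benefit; skipping the lookup for "*" is a cheap win. The duplicate-entry loop can also break on the first match rather than scanning the whole array.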
Lines 1042-1047 Link Here
1042
     "a virtual path and a URL"),
1076
     "a virtual path and a URL"),
1043
    AP_INIT_TAKE12("ProxyPassReverse", add_pass_reverse, NULL, RSRC_CONF|ACCESS_CONF,
1077
    AP_INIT_TAKE12("ProxyPassReverse", add_pass_reverse, NULL, RSRC_CONF|ACCESS_CONF,
1044
     "a virtual path and a URL for reverse proxy behaviour"),
1078
     "a virtual path and a URL for reverse proxy behaviour"),
1079
    AP_INIT_ITERATE("ProxyAllow", set_proxy_include, NULL, RSRC_CONF,
1080
     "A list of names, hosts or domains to which the proxy may connect"),
1045
    AP_INIT_ITERATE("ProxyBlock", set_proxy_exclude, NULL, RSRC_CONF,
1081
    AP_INIT_ITERATE("ProxyBlock", set_proxy_exclude, NULL, RSRC_CONF,
1046
     "A list of names, hosts or domains to which the proxy will not connect"),
1082
     "A list of names, hosts or domains to which the proxy will not connect"),
1047
    AP_INIT_TAKE1("ProxyReceiveBufferSize", set_recv_buffer_size, NULL, RSRC_CONF,
1083
    AP_INIT_TAKE1("ProxyReceiveBufferSize", set_recv_buffer_size, NULL, RSRC_CONF,
(-)httpd-2.0.59/modules/proxy/mod_proxy.h.proxyallow (+2 lines)
Lines 121-126 Link Here
121
    apr_array_header_t *aliases;
121
    apr_array_header_t *aliases;
122
    apr_array_header_t *raliases;
122
    apr_array_header_t *raliases;
123
    apr_array_header_t *noproxies;
123
    apr_array_header_t *noproxies;
124
    apr_array_header_t *onlyproxies;
124
    apr_array_header_t *dirconn;
125
    apr_array_header_t *dirconn;
125
    apr_array_header_t *allowed_connect_ports;
126
    apr_array_header_t *allowed_connect_ports;
126
    const char *domain;		/* domain name to use in absence of a domain name in the request */
127
    const char *domain;		/* domain name to use in absence of a domain name in the request */
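Review bot: onlyproxies is inserted in the middle of proxy_server_conf, between noproxies and dirconn, which shifts the offset of every field that follows; a third-party module built against 2.0.59 that reads proxy_server_conf via ap_get_module_config will then misread dirconn, allowed_connect_ports, domain and everything below them. For a 2.0.x maintenance release, append the new field at the end of the struct and bump MODULE_MAGIC_NUMBER_MINOR so module authors can detect the addition.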
Lines 240-245 Link Here
240
PROXY_DECLARE(int) ap_proxy_is_domainname(struct dirconn_entry *This, apr_pool_t *p);
241
PROXY_DECLARE(int) ap_proxy_is_domainname(struct dirconn_entry *This, apr_pool_t *p);
241
PROXY_DECLARE(int) ap_proxy_is_hostname(struct dirconn_entry *This, apr_pool_t *p);
242
PROXY_DECLARE(int) ap_proxy_is_hostname(struct dirconn_entry *This, apr_pool_t *p);
242
PROXY_DECLARE(int) ap_proxy_is_word(struct dirconn_entry *This, apr_pool_t *p);
243
PROXY_DECLARE(int) ap_proxy_is_word(struct dirconn_entry *This, apr_pool_t *p);
244
PROXY_DECLARE(int) ap_proxy_checkproxyallow(request_rec *r, proxy_server_conf *conf, apr_sockaddr_t *uri_addr);
243
PROXY_DECLARE(int) ap_proxy_checkproxyblock(request_rec *r, proxy_server_conf *conf, apr_sockaddr_t *uri_addr);
245
PROXY_DECLARE(int) ap_proxy_checkproxyblock(request_rec *r, proxy_server_conf *conf, apr_sockaddr_t *uri_addr);
244
PROXY_DECLARE(int) ap_proxy_pre_http_request(conn_rec *c, request_rec *r);
246
PROXY_DECLARE(int) ap_proxy_pre_http_request(conn_rec *c, request_rec *r);
245
PROXY_DECLARE(apr_status_t) ap_proxy_string_read(conn_rec *c, apr_bucket_brigade *bb, char *buff, size_t bufflen, int *eos);
247
PROXY_DECLARE(apr_status_t) ap_proxy_string_read(conn_rec *c, apr_bucket_brigade *bb, char *buff, size_t bufflen, int *eos);
(-)httpd-2.0.59/modules/proxy/proxy_connect.c.proxyallow (+6 lines)
Lines 146-151 Link Here
146
			     "Connect to remote machine blocked");
146
			     "Connect to remote machine blocked");
147
    }
147
    }
148
148
149
    /* check if ProxyAllow directive on this host */
150
    if (OK != ap_proxy_checkproxyallow(r, conf, uri_addr)) {
151
	return ap_proxyerror(r, HTTP_FORBIDDEN,
152
			     "Connect to remote machine blocked");
153
    }
154
149
    /* Check if it is an allowed port */
155
    /* Check if it is an allowed port */
150
    if (conf->allowed_connect_ports->nelts == 0) {
156
    if (conf->allowed_connect_ports->nelts == 0) {
151
	/* Default setting if not overridden by AllowCONNECT */
157
	/* Default setting if not overridden by AllowCONNECT */
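Review bot: the failure path reuses the ProxyBlock message "Connect to remote machine blocked", so someone reading the error log cannot distinguish a ProxyBlock hit from a host that is merely absent from the ProxyAllow list; use a distinct message (for example "Connect to remote machine not allowed by ProxyAllow") here and in the ftp and http copies. The ordering itself is right: ProxyBlock runs first, so a host on both lists is refused, and the AllowCONNECT port check still applies afterwards.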
(-)httpd-2.0.59/modules/proxy/proxy_ftp.c.proxyallow (+6 lines)
Lines 899-904 Link Here
899
                             "Connect to remote machine blocked");
899
                             "Connect to remote machine blocked");
900
    }
900
    }
901
901
902
    /* check if ProxyAllow directive on this host */
903
    if (OK != ap_proxy_checkproxyallow(r, conf, connect_addr)) {
904
        return ap_proxyerror(r, HTTP_FORBIDDEN,
905
                             "Connect to remote machine blocked");
906
    }
907
902
908
903
    /*
909
    /*
904
     * II: Make the Connection -----------------------
910
     * II: Make the Connection -----------------------
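Review bot: this is the third verbatim copy of the ProxyBlock-then-ProxyAllow sequence (proxy_connect.c, proxy_ftp.c and proxy_http.c all get the same five lines); a future scheme handler, or a refactor of one of these call sites, can easily miss one, and a missed allow-list check fails open. Add one shared helper that performs both checks and returns the first failure, and call it from all three places, so the allow list cannot be forgotten where the block list is remembered.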
(-)httpd-2.0.59/modules/proxy/proxy_http.c.proxyallow (+5 lines)
Lines 234-239 Link Here
234
        return ap_proxyerror(r, HTTP_FORBIDDEN,
234
        return ap_proxyerror(r, HTTP_FORBIDDEN,
235
                             "Connect to remote machine blocked");
235
                             "Connect to remote machine blocked");
236
    }
236
    }
237
    /* check if ProxyAllow directive on this host */
238
    if (OK != ap_proxy_checkproxyallow(r, conf, uri_addr)) {
239
        return ap_proxyerror(r, HTTP_FORBIDDEN,
240
                             "Connect to remote machine blocked");
241
    }
237
    return OK;
242
    return OK;
238
}
243
}
239
244
(-)httpd-2.0.59/modules/proxy/proxy_util.c.proxyallow (+41 lines)
Lines 946-951 Link Here
946
    return host != NULL && ap_strstr_c(host, This->name) != NULL;
946
    return host != NULL && ap_strstr_c(host, This->name) != NULL;
947
}
947
}
948
948
949
/* checks whether a host in uri_addr matches proxyallow */
950
PROXY_DECLARE(int) ap_proxy_checkproxyallow(request_rec *r, proxy_server_conf *conf, 
951
                             apr_sockaddr_t *uri_addr)
952
{
953
    int j;
954
    apr_sockaddr_t * src_uri_addr = uri_addr;
955
    /* XXX FIXME: conf->onlyproxies->elts is part of an opaque structure */
956
    for (j = 0; j < conf->onlyproxies->nelts; j++) {
957
        struct noproxy_entry *opent = (struct noproxy_entry *) conf->onlyproxies->elts;
958
        struct apr_sockaddr_t *conf_addr = opent[j].addr;
959
        uri_addr = src_uri_addr;
960
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
961
                     "proxy: checking remote machine [%s] against [%s]", uri_addr->hostname, opent[j].name);
962
        if ((opent[j].name && ap_strstr_c(uri_addr->hostname, opent[j].name))
963
            || opent[j].name[0] == '*') {
964
            ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
965
                         "proxy: connect to remote machine %s allowed: name %s matched", uri_addr->hostname, opent[j].name);
966
            return OK;
967
        }
968
        while (conf_addr) {
969
            while (uri_addr) {
970
                char *conf_ip;
971
                char *uri_ip;
972
                apr_sockaddr_ip_get(&conf_ip, conf_addr);
973
                apr_sockaddr_ip_get(&uri_ip, uri_addr);
974
                ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
975
                             "proxy: ProxyAllow comparing %s and %s", conf_ip, uri_ip);
976
                if (!apr_strnatcasecmp(conf_ip, uri_ip)) {
977
                    ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
978
                                 "proxy: connect to remote machine %s allowed: IP %s matched", uri_addr->hostname, conf_ip);
979
                    return OK;
980
                }
981
                uri_addr = uri_addr->next;
982
            }
983
            conf_addr = conf_addr->next;
984
        }
985
    }
986
    /* Default to OK if no hosts were listed in ProxyAllow */
987
    return conf->onlyproxies->nelts ? HTTP_FORBIDDEN : OK;
988
}
989
949
/* checks whether a host in uri_addr matches proxyblock */
990
/* checks whether a host in uri_addr matches proxyblock */
950
PROXY_DECLARE(int) ap_proxy_checkproxyblock(request_rec *r, proxy_server_conf *conf, 
991
PROXY_DECLARE(int) ap_proxy_checkproxyblock(request_rec *r, proxy_server_conf *conf, 
951
                             apr_sockaddr_t *uri_addr)
992
                             apr_sockaddr_t *uri_addr)
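Review bot: ap_strstr_c(uri_addr->hostname, opent[j].name) makes the allow list a substring match, which is the wrong direction for a permit rule: "ProxyAllow joes-garage.com" also permits joes-garage.com.attacker.example, notjoes-garage.com and any host whose name contains the string, and anyone who can register a DNS name picks that string freely. Match the whole hostname or a dot-anchored suffix (the way NoProxy's domain entries are handled by ap_proxy_is_domainname) instead, and require the exact string "*" rather than opent[j].name[0] == '*', which currently turns an entry like "*.example.com" into "allow everything". Three smaller points in the same loop: the "opent[j].name &&" guard is contradicted by the unconditional opent[j].name[0] dereference on the next line (drop the guard or move the "*" test inside it); uri_addr is reset to src_uri_addr only once per entry, so after the first conf_addr has walked the uri_addr chain to NULL every further conf_addr address is compared against nothing, and an entry that resolves to several addresses only ever matches on its first (reset uri_addr at the top of the "while (conf_addr)" loop); and the closing HTTP_FORBIDDEN is returned without any log line, unlike the two matched cases, so denials are invisible in the error log; log them at WARNING with the hostname, as the block path does.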
