Sites listed in the ProxyBlock list should be blocked based on all IP addresses found in the DNS. Now they are blocked only based on the first IP address found in the DNS. For example, the site:

Name: x.com
Addresses: 64.4.241.33, 216.113.188.33, 216.113.188.64, 64.4.241.16

should be blocked if an attempt is made to access it with any one of the above IPs. Currently, it is only blocked with 64.4.241.33.

The problem is easy to see in the code in function proxy_util.c:ap_proxy_checkproxyblock():

--------------------BEGIN CODE-------------------
while (conf_addr) {
    while (uri_addr) {
        char *conf_ip;
        char *uri_ip;
        apr_sockaddr_ip_get(&conf_ip, conf_addr);
        apr_sockaddr_ip_get(&uri_ip, uri_addr);
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
                     "proxy: ProxyBlock comparing %s and %s", conf_ip, uri_ip);
        if (!apr_strnatcasecmp(conf_ip, uri_ip)) {
            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server,
                         "proxy: connect to remote machine %s blocked: IP %s matched",
                         uri_addr->hostname, conf_ip);
            return HTTP_FORBIDDEN;
        }
        uri_addr = uri_addr->next;
    }
    /* uri_addr is NULL here and is never rewound for the next conf_addr */
    conf_addr = conf_addr->next;
}
--------------------END CODE-------------------

The inner loop is exited when uri_addr == NULL. However, uri_addr is not reset after the loop is exited for the first time, so it is not entered again on the next runs of the outer loop.

The following patch will solve the problem:

--------------------BEGIN PATCH-------------------
--- proxy_util_ORIG.c Mon Aug 22 12:22:53 2005
+++ proxy_util.c Mon Oct 10 14:18:12 2005
@@ -966,6 +966,7 @@
 return HTTP_FORBIDDEN;
 }
 while (conf_addr) {
+ uri_addr = src_uri_addr;
 while (uri_addr) {
 char *conf_ip;
 char *uri_ip;
--------------------END PATCH-------------------

To demonstrate the error behaviour, here's a clip of error.log when ProxyBlock has been set to "x.com" and someone tries to access it with IP address 216.113.188.64:

-----------BEGIN ORIGINAL ERROR.LOG------------
[Mon Oct 10 13:46:14 2005] [debug] proxy_util.c(975): proxy: checking remote machine [216.113.188.64] against [x.com]
[Mon Oct 10 13:46:14 2005] [debug] proxy_util.c(991): proxy: ProxyBlock comparing 64.4.241.33 and 216.113.188.64
-----------END ORIGINAL ERROR.LOG--------------

And here's how it looks after the patch has been applied:

-----------BEGIN PATCHED ERROR.LOG------------
[Mon Oct 10 13:50:48 2005] [debug] proxy_util.c(975): proxy: checking remote machine [216.113.188.64] against [x.com]
[Mon Oct 10 13:50:48 2005] [debug] proxy_util.c(991): proxy: ProxyBlock comparing 64.4.241.33 and 216.113.188.64
[Mon Oct 10 13:50:48 2005] [debug] proxy_util.c(991): proxy: ProxyBlock comparing 216.113.188.33 and 216.113.188.64
[Mon Oct 10 13:50:48 2005] [debug] proxy_util.c(991): proxy: ProxyBlock comparing 216.113.188.64 and 216.113.188.64
[Mon Oct 10 13:50:48 2005] [warn] proxy: connect to remote machine 216.113.188.64 blocked: IP 216.113.188.64 matched
-----------END PATCHED ERROR.LOG--------------
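Review bot: The added line `+ uri_addr = src_uri_addr;` relies on `src_uri_addr`, which does not appear anywhere in the hunk's three context lines, so a reader cannot tell from the patch alone whether it is an existing local in ap_proxy_checkproxyblock() that still holds the head of the request's address list at this point; if it is not saved before the `while (conf_addr)` loop, the patch will not compile. Either widen the context so the declaration is visible or state in the report where `src_uri_addr` is assigned. Placing the reset inside the outer loop, rather than once before it, is the correct spot, since `uri_addr` must be rewound for every `conf_addr` entry.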
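The following is an added illustration, not code from the report or from httpd: a minimal C model of the two nested loops, once with the original cursor handling and once with the one-line reset from the patch, run over constructed address lists that mirror the x.com example above. The `addr_t` struct, the function names, and `strcmp` standing in for `apr_strnatcasecmp` are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for apr_sockaddr_t: one resolved address plus the link
 * to the next address returned for the same name. */
typedef struct addr {
    const char *ip;
    struct addr *next;
} addr_t;

/* Mirrors the loop structure quoted from ap_proxy_checkproxyblock(): the
 * inner cursor is never rewound, so after the first outer iteration the
 * inner loop body is skipped for every remaining conf_addr.
 * Returns 1 if the request would be blocked, 0 otherwise. */
static int checkproxyblock_buggy(addr_t *conf_addr, addr_t *uri_addr)
{
    while (conf_addr) {
        while (uri_addr) {
            if (strcmp(conf_addr->ip, uri_addr->ip) == 0)
                return 1;               /* HTTP_FORBIDDEN in httpd */
            uri_addr = uri_addr->next;
        }
        conf_addr = conf_addr->next;    /* uri_addr is NULL from here on */
    }
    return 0;
}

/* Same loops with the fix from the patch: remember the head of the
 * request's address list and rewind to it on every outer iteration. */
static int checkproxyblock_fixed(addr_t *conf_addr, addr_t *uri_addr)
{
    addr_t *src_uri_addr = uri_addr;    /* head of the request's address list */
    while (conf_addr) {
        uri_addr = src_uri_addr;
        while (uri_addr) {
            if (strcmp(conf_addr->ip, uri_addr->ip) == 0)
                return 1;
            uri_addr = uri_addr->next;
        }
        conf_addr = conf_addr->next;
    }
    return 0;
}

/* Constructed data: the four addresses the report lists for the ProxyBlock
 * entry x.com, in the order the report gives them. */
static addr_t conf4 = { "64.4.241.16", NULL };
static addr_t conf3 = { "216.113.188.64", &conf4 };
static addr_t conf2 = { "216.113.188.33", &conf3 };
static addr_t conf1 = { "64.4.241.33", &conf2 };

/* Constructed request targets, each resolving to a single address. */
static addr_t target_third = { "216.113.188.64", NULL };
static addr_t target_first = { "64.4.241.33", NULL };

/* Wrappers for the two scenarios from the report. */
int buggy_blocks_third(void) { return checkproxyblock_buggy(&conf1, &target_third); }
int fixed_blocks_third(void) { return checkproxyblock_fixed(&conf1, &target_third); }
int buggy_blocks_first(void) { return checkproxyblock_buggy(&conf1, &target_first); }
int fixed_blocks_first(void) { return checkproxyblock_fixed(&conf1, &target_first); }

int main(void)
{
    printf("target 216.113.188.64: buggy=%d fixed=%d\n",
           buggy_blocks_third(), fixed_blocks_third());
    printf("target 64.4.241.33:    buggy=%d fixed=%d\n",
           buggy_blocks_first(), fixed_blocks_first());
    return 0;
}
```

The buggy version blocks the first address only, exactly as the original error.log shows (one "comparing" line and no "matched" warning); the fixed version walks all four block-list addresses and blocks the third. For a deployment, the equivalent regression check is to point a client at a non-first address of a ProxyBlock name and confirm that the `[warn] ... blocked: IP ... matched` line appears.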
Created attachment 16634: Set uri_addr correctly before running the inner loop in ap_proxy_checkproxyblock()
Fixed in trunk in r573911.
Backported to 2.2 in r574942.