[Zope] Security problem in How-To: Caching with mod_proxy
Ragnar Beer
rbeer@uni-goettingen.de
Tue, 22 May 2001 17:51:32 +0200
Howdy!

In the how-to I wrote about caching with mod_proxy
(http://www.zope.org/Members/rbeer/caching) there is a security
problem insofar as if you set up your server just like that, it will
be a public proxy that people can use to cover their traces when
accessing other websites. To disable this behavior you could e.g. add
a LocationMatch directive to your httpd.conf that denies every
request that doesn't start with a slash.

<LocationMatch "^[^/]">
Deny from all
</LocationMatch>

To try out the problem and see the effect of the fix, configure your
browser to use www.mysite.org port 80 as a proxy (assuming the name
of your site is www.mysite.org). Then try to access a page from your
browser and look at your access_log.

Thanks to Ivo van der Wijk for pointing out the problem!

Cheers,
Ragnar

P.S.: I'll be in Switzerland for a couple of days and probably won't
have internet access till Monday. So if anybody replies and waits for
my answer: please be patient ;)
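
The access_log check described in the message can be scripted. The following is an added example, not part of the original post: it scans Common Log Format lines for requests whose target does not start with a slash and reports whether each was denied (403) or answered. The function name, the verdict labels and the sample log lines are assumptions made for illustration.

```python
import re

# Apache Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

def proxy_style_requests(lines):
    """Find logged requests whose target does not start with "/".

    These are the requests the LocationMatch "^[^/]" block is meant to deny:
    absolute URLs (GET http://other.site/) and CONNECT host:port.
    Returns a list of (host, method, target, status, verdict) tuples.
    """
    findings = []
    for line in lines:
        m = CLF.match(line)
        if m is None:
            continue  # not a parseable request line
        target = m["target"]
        if target.startswith("/") or target == "*":
            continue  # ordinary request for this site, or "OPTIONS *"
        status = int(m["status"])
        if status == 403:
            verdict = "denied"   # the Deny rule answered
        elif status < 400:
            verdict = "served"   # assumption: 2xx/3xx means the request was proxied
        else:
            verdict = "other"    # e.g. 502 from an unreachable upstream
        findings.append((m["host"], m["method"], target, status, verdict))
    return findings

# Constructed sample lines (documentation addresses, example.com targets).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/May/2001:17:40:01 +0200] "GET /index_html HTTP/1.0" 200 5120',
    '198.51.100.7 - - [22/May/2001:17:41:12 +0200] "GET http://www.example.com/ HTTP/1.0" 200 10240',
    '198.51.100.7 - - [22/May/2001:17:45:30 +0200] "GET http://www.example.com/ HTTP/1.0" 403 287',
    '198.51.100.9 - - [22/May/2001:17:46:02 +0200] "CONNECT www.example.com:443 HTTP/1.0" 403 291',
    '192.0.2.10 - - [22/May/2001:17:47:15 +0200] "OPTIONS * HTTP/1.0" 200 -',
]

if __name__ == "__main__":
    for host, method, target, status, verdict in proxy_style_requests(SAMPLE_LOG):
        print(f"{verdict:7} {status} {host} {method} {target}")
```

Any "served" line dated after the LocationMatch block was added means the rule is not being applied to that virtual host or was not loaded.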