
Via a Proxy: able to see URLs that are controlled by access.conf


djr111

Technical User
Aug 5, 2006
357
US
Hi,

We have an issue.

In our access.conf file, we have:

<Directory /mydata/mypath>
Order Deny,Allow
Deny from all
Allow from 1.2.3.4 foo.bar
</Directory>

This works great, the access.conf file allows and denies as requested, BUT, we just found out if we go to a free proxy server site on the internet and plug in the url associated with this config, it displays the contents, no questions asked...NOT GOOD.

I am guessing that normally the access.conf checks the receiver's IP or domain name against what it has listed in the file, but a proxy is anonymous, thus it is not showing that information and is freely able to access the websites in question.

My question is, what do I have to add to my configuration to stop this from happening, or is it a bigger problem? If so, any help would be appreciated.


 
I found this on Google search.

You can shut those proxy requests down with something like this:
# Restrict HTTP methods
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|OPTIONS|POST)$
RewriteRule .* - [F]
# block proxy requests
RewriteCond %{THE_REQUEST} ^(GET|HEAD|POST)\ /?http:// [NC]
RewriteCond %{THE_REQUEST} !^(GET|HEAD|POST)\ /?
RewriteCond %{THE_REQUEST} !^(GET|HEAD|POST)\ /?
RewriteRule .* - [F]

substituting your hostname and IP address in there and escaping the periods with a preceding "\" as shown.

Rob

Rob Jordan
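
To see which request lines the two rules above would refuse, here is an added example (not code from either poster) that replays the same regular expressions in Python over constructed request lines. The hostname `www.example.com` and address `192.0.2.10` are assumptions standing in for the site's own values, which the post does not show.

```python
import re

# Assumed values: the post's own hostname and IP patterns are missing from the page.
OWN_HOST = r"www\.example\.com"   # hypothetical hostname
OWN_IP = r"192\.0\.2\.10"         # hypothetical address (documentation range)

ALLOWED_METHOD = re.compile(r"^(GET|HEAD|OPTIONS|POST)$")
ABSOLUTE_URI = re.compile(r"^(GET|HEAD|POST) /?http://", re.I)   # [NC] flag
TO_OWN_HOST = re.compile(r"^(GET|HEAD|POST) /?http://" + OWN_HOST + "/", re.I)
TO_OWN_IP = re.compile(r"^(GET|HEAD|POST) /?http://" + OWN_IP + "/")


def verdict(request_line):
    """Return 'forbidden' or 'pass' as the two rewrite rules would decide."""
    method = request_line.split(" ", 1)[0]
    # Rule 1: any method outside the allowed set gets [F].
    if not ALLOWED_METHOD.search(method):
        return "forbidden"
    # Rule 2: RewriteConds are ANDed together:
    # absolute URI AND not addressed to our host AND not addressed to our IP.
    if (ABSOLUTE_URI.search(request_line)
            and not TO_OWN_HOST.search(request_line)
            and not TO_OWN_IP.search(request_line)):
        return "forbidden"
    return "pass"


# Constructed samples; %{THE_REQUEST} is the full first line of the request.
SAMPLES = [
    "GET http://other.example.net/ HTTP/1.1",          # server asked to act as a proxy
    "GET http://www.example.com/index.html HTTP/1.1",  # absolute URI naming this server
    "CONNECT other.example.net:443 HTTP/1.1",          # method outside the allowed set
    "GET /mydata/mypath/ HTTP/1.1",                    # ordinary origin-form request
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{verdict(line):9}  {line}")
```

The last sample is what a third-party web proxy sends to the origin server: an ordinary origin-form request arriving from the proxy's own address. These rules pass it, so for that case the `Allow from` list in the `<Directory>` block is what decides access.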
 