Re: security questions about proxy configuration

Henrik Frystyk Nielsen (frystyk@ptsun00.cern.ch)
Sat, 1 Oct 1994 14:57:09 +0100

Date: Sat, 1 Oct 1994 14:57:09 +0100
Message-Id: <9410011341.AA28743@ptsun03.cern.ch>
From: frystyk@ptsun00.cern.ch (Henrik Frystyk Nielsen)
To: Multiple recipients of list <www-proxy@www0.cern.ch>
Subject: Re: security questions about proxy configuration

Hi

> I have some questions about security aspects of the proxy configuration
> of the CERN WWW-server:
>
> - I am able to associate a Protect template with certain URLs, for instance:
>
> Protection PROTNAME {
> GetMask ...
> }
>
> Protect http:* PROTNAME
>
> The GetMask defines the hosts that the server will proxy for. However,
> I want to be able to limit the *destination* hosts: for instance, I do
> not want proxy operation when the *destination* is X, Y, or Z. Am I right
> that the CERN server cannot be configured in this way?
> If so, I consider this to be a major shortcoming.

No - this is possible. You have to use the `no_proxy' environment
variable when you start up the proxy client. Here you can specify
destinations where the proxy should not be consulted. More information
at

http://info.cern.ch/hypertext/WWW/Daemon/User/Proxies/ProxyClients.html

> - I suspect that the "UserId" directive is ignored in the Protection template
> for proxied URLs. E.g.
>
> Protection PROTNAME {
> GetMask ...
> UserId xyz
> }
>
> Protect http:* PROTNAME
>
> does not seem to work (i.e. the proxied operation is run as root, not as xyz).
> Am I right in this?

Hmmm - I don't recall this - but if you say so. I will have a look at it.

-- cheers --

Henrik Frystyk