Re: security questions about proxy configuration

Ari Luotonen (luotonen@neon.mcom.com)
Sun, 2 Oct 1994 04:10:10 +0100

Message-Id: <9410020310.AA19284@neon.mcom.com>
To: Multiple recipients of list <www-proxy@www0.cern.ch>

> but this is not enough: I want as much generality as possible, for example:
> machine A on subnet1 is allowed to communicate with B on subnet2, but C
> on subnet1 is not allowed to communicate with B on subnet2, and so on.
> In general, I do not want that the existence of the proxy-server lowers
> the level of internal corporate security we had before.

Do something like this:

# Named protection setups: who may get through
Protection OnlyHostA {
    GetMask A.subnet1.com
}

Protection AllInternalHosts {
    GetMask *.subnet*.com
}

# Refused for everyone, regardless of protection
Fail http://x-rated.nude.photos/*

# Apply the setups: everything internal by default, B.subnet2 only for A
Protect http://* AllInternalHosts
Protect http://B.subnet2/* OnlyHostA

PS. If Henrik hasn't broken it in the newest release :-) the UserId
directive does have an effect; however, the uid is changed only after
the request has been received and the rules translated, just before the
request is actually served. You can verify this by running httpd in
verbose mode (-v flag). Normally you can't see it in the ps listing
because the actual service time is so short that the process dies
very fast. If you want the parent process to switch uid right
away, use the ParentUserId and ParentGroupId directives at the
beginning of the config file (not inside any Protection setup).

Cheers,

--
Ari Luotonen
Mosaic Communications Corp.
650 Castro Street, Suite 500
Mountain View, CA 94041, USA
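To check that the rules in the reply actually yield the policy the question asks for (A may reach B, C may not, the proxy adds nothing for outside hosts), here is an added Python model of them; it is not CERN httpd's own rule engine and not part of the original message. It assumes the Fail rule is checked first and that, of several matching Protect templates, the most specific one governs, which is how the reply intends its two Protect lines to combine.

```python
import fnmatch

# Constructed transcription of the reply's config (not parsed from a file).
PROTECTIONS = {                      # Protection name -> GetMask patterns
    "OnlyHostA": ["A.subnet1.com"],
    "AllInternalHosts": ["*.subnet*.com"],
}
FAIL_RULES = ["http://x-rated.nude.photos/*"]
PROTECT_RULES = [                    # (URL template, Protection name)
    ("http://*", "AllInternalHosts"),
    ("http://B.subnet2/*", "OnlyHostA"),
]


def host_matches(masks, client_host):
    """GetMask-style wildcard match on the client's hostname (case-insensitive)."""
    host = client_host.lower()
    return any(fnmatch.fnmatchcase(host, m.lower()) for m in masks)


def specificity(template):
    """Assumption: the template with more literal characters is the more specific one."""
    return len(template.replace("*", ""))


def decide(client_host, url):
    """Return 'allow' or 'deny' for a proxy request from client_host for url."""
    # Fail rules refuse the URL for every client, before any protection is consulted.
    if any(fnmatch.fnmatchcase(url, t) for t in FAIL_RULES):
        return "deny"
    matching = [(specificity(t), name) for t, name in PROTECT_RULES
                if fnmatch.fnmatchcase(url, t)]
    if not matching:
        return "allow"               # model assumption: unprotected URLs are open
    _, name = max(matching)          # most specific Protect template wins
    return "allow" if host_matches(PROTECTIONS[name], client_host) else "deny"


def policy_table():
    """Evaluate the cases from the question so the segmentation can be eyeballed."""
    cases = [
        ("A.subnet1.com", "http://B.subnet2/index.html"),
        ("C.subnet1.com", "http://B.subnet2/index.html"),
        ("C.subnet1.com", "http://www.example.com/"),
        ("evil.outside.org", "http://www.example.com/"),
        ("A.subnet1.com", "http://x-rated.nude.photos/pic.gif"),
    ]
    return {(h, u): decide(h, u) for h, u in cases}
```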