[Techtalk] access to intranet over ssh?

Almut Behrens almut-behrens at gmx.net
Wed Oct 27 17:53:42 EST 2004


On Sun, Oct 24, 2004 at 02:17:44AM +0100, Caroline Johnston wrote:
> 
> ServerRoot "/home/bsm/johnston/apache2proxy"
> Listen 8008
> User nobody
> Group nobody
> ProxyRequests On
> ServerName bsmlx17.biochem.ucl.ac.uk:8008
> 
> Is this config safe?

looks fine to me :)
(at least, under your specific circumstances...)


> I read that it's important to be careful with forward 
> proxies cos people can use them to hide their own IP addresses, but I 
> figured it didn't matter in this case cos you can't get at the proxy from 
> outside anyway.

That's right.  Nothing to worry about, if only you (or other trusted
users) can make use of the forward proxying functionality. This is
normally the case, when the proxy is behind a properly configured
firewall.

What you don't want are open proxies accessible to the public. In this
case, you'd need to configure one or the other form of access control,
e.g. IP-based, or via user authentication... (any such configuration
would have to go in a <Directory proxy:*> ... </Directory> directive).

Accidentally misconfigured proxies (intended to be a reverse proxy,
but setup to also act as a forward proxy), as part of a publicly
accessible webserver, is the most typical problem scenario...  but
I don't think that any such concern would apply to what you set up ;)

Almut



More information about the Techtalk mailing list