Re: [squid-users] remote 403 error through squid

From: Merton Campbell Crockett <mcc@dont-contact.us>
Date: Sun, 11 Sep 2005 08:29:45 -0700 (PDT)

On Sun, 11 Sep 2005, Henrik Nordstrom wrote:

> On Sat, 10 Sep 2005, Merton Campbell Crockett wrote:
>
> > One element in common with this site and the one in the Bugzilla report
> > mentioned by Henrik Nordstrom is that they both use the Apache Advanced
> > Extranet Server 2.0.48.
>
> Only 2 of 3 so far..
>
> > I would suspect that mod_rewrite is being used instead of mod_proxy to
> > provide access to internal content. Squid is appending a slash and is
> > causing the security check to match the regex ^.*/$. The following will
> > work, as well. :)
>
> Interesting theory, but does not explain the inverse max-age dependency...

No, it does not.

Is there an inverse max-age dependency? The behaviour of the VATLogic and
Murfreesboro web sites occurs regardless of max-age. Both sites return a
403 (Forbidden) status when the URL references DocumentRoot.

The VATLogic site will return a 403 (Forbidden) status for any URL that
explicitly references a directory, i.e. the URL is terminated by a "/".
Neither the directory nor the path to the directory need exist.

Both sites are using the Apache-AdvancedExtranetServer. The name suggests
that this is a variant of the Apache HTTP Server configured to sit on the
organisation's security perimeter and provide access to internal web
content. It also suggests that Apache's mod_rewrite module is being
used to implement standard security policies and access control.

There may be an inverse max-age dependency but in these two instances I
suspect that it is a "red herring". There is a simpler answer. Access is
being denied because the request appears to be attempting to retrieve a
directory listing.

Merton Campbell Crockett
 

Received on Sun Sep 11 2005 - 09:37:59 MDT
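
The hypothesis in the message above can be checked against observed responses. The following is an added example, not part of the original post and not Squid or Apache code: it models the suspected check (the `^.*/$` pattern quoted in the thread, applied to the request path) and reports observations it cannot explain. The host `www.example.test`, the function names, the observation list and the assumed 200 for non-matching paths are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The pattern quoted in the thread as the suspected security check.
DIRECTORY_REQUEST = re.compile(r"^.*/$")

def wire_path(url):
    """Path as it appears on the request line: an empty path is sent as "/"."""
    return urlsplit(url).path or "/"

def predicted_status(url):
    """403 if the path alone looks like a directory request, else 200 (assumed).

    No filesystem lookup is modelled: the decision depends only on the
    string, which is why a nonexistent directory is refused as well.
    """
    return 403 if DIRECTORY_REQUEST.match(wire_path(url)) else 200

def mismatches(observations):
    """Return the (url, max_age, status) tuples the hypothesis fails to predict."""
    return [o for o in observations if predicted_status(o[0]) != o[2]]

# Constructed observations (not captured from the sites in the thread).
# max_age is recorded but deliberately ignored by the model: if the list of
# mismatches is empty, max-age is not needed to explain the 403s.
OBSERVATIONS = [
    ("http://www.example.test", 0, 403),               # DocumentRoot, slash appended
    ("http://www.example.test/", 3600, 403),
    ("http://www.example.test/index.html", 0, 200),
    ("http://www.example.test/index.html", 3600, 200),
    ("http://www.example.test/no/such/dir/", 0, 403),  # directory need not exist
    ("http://www.example.test/page?next=/a/", 3600, 200),  # slash only in query
]

if __name__ == "__main__":
    for url, max_age, status in OBSERVATIONS:
        print(f"predicted {predicted_status(url)}, observed {status}, "
              f"max-age={max_age}: {url}")
    print("unexplained:", mismatches(OBSERVATIONS))
```

Any entry returned by `mismatches` is a response the trailing-slash explanation does not cover, which is where a max-age dependency would have to be examined.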
