5

I'm trying to set up mod_proxy to block all traffic except to a specific domain. I can configure it to block individual domains using the ProxyBlock directive, and I can block everything using ProxyBlock *. Is there a way to block everything but one domain?

Thanks,

-Andrew

abudker

4 Answers

6

On Apache 2.2 you need to have 2 proxy sections.

ProxyRequests On
ProxyVia On

# block all domains except our target
<ProxyMatch ^((?!www\.proxytarget\.com).)*$>
   Order deny,allow
   Deny from all
</ProxyMatch>

# here goes your usual proxy configuration...
<ProxyMatch www\.proxytarget\.com >
   Order deny,allow
   Deny from all
   Allow from 127.0.0.1
</ProxyMatch>

On Apache 2.4 it would be much easier because you could use the If directive instead of that regexp to invert the match for the domain name.

Note: I got that regexp from "Invert match with regexp".

Community
schettino72
1

Try:

ProxyBlock *
ProxyPass <path> <destination>

See if that works.

EDIT: scratch that. I think you have to get creative here with mod_rewrite (the basic reference is at http://httpd.apache.org/docs/current/rewrite/proxy.html):

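# mod_rewrite rules are ignored unless the engine is switched on
RewriteEngine On
# Proxy only requests whose Host header is exactly the allowed name
RewriteCond  %{HTTP_HOST}    =allowtoproxy.com
RewriteRule  ^/(.*)$         http://proxytarget.com/$1 [P]
ProxyPassReverse / http://proxytarget.com/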

Try that?

Femi
0

Apache 2.4: this worked for me: deny everything first then grant selectively.

ProxyRequests On
ProxyVia Off
AllowCONNECT 443 563 80

<Proxy *>
    Require all denied
</Proxy>

<ProxyMatch "^https?://[a-z]*\.?google\.com.*$">
    Require all granted
</ProxyMatch>

<ProxyMatch "^[a-z]*\.?google\.com:443$">
    Require all granted
</ProxyMatch>

Note the second ProxyMatch (with the :443) is required for HTTPS because otherwise your request gets:

Received HTTP code 403 from proxy after CONNECT

meaning your https went through, but the SSL tunnel is rejected.

This works with Apache listening on :80, using the following request

curl -x localhost:80 "https://www.google.com?q=mod_proxy&language=de"

but not with

curl -x localhost:80 "https://www.bing.com?q=google.com"

which is essential, because otherwise you can circumvent the whitelisting by means of a bogus querystring parameter.

Hans
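An added example (not part of any answer above, and not Apache's own code): a small Python check that runs the two ProxyMatch patterns from the Apache 2.4 answer against constructed targets, extending the query-string test it describes to lookalike hostnames. It assumes ProxyMatch sees the full URL for plain HTTP and host:port for CONNECT, as the two patterns imply; the stricter patterns and all sample targets are this example's own.

```python
import re

# Patterns copied from the Apache 2.4 answer above. Apache uses PCRE; the
# constructs used here behave the same in Python's re module.
ANSWER_PATTERNS = [
    r"^https?://[a-z]*\.?google\.com.*$",   # plain HTTP requests
    r"^[a-z]*\.?google\.com:443$",          # CONNECT host:port
]

# Stricter variants (an assumption of this example, not from the page):
# every label before google.com must end in a dot, and the host must be
# followed by an optional port and then "/", "?" or the end of the string.
STRICT_PATTERNS = [
    r"^https?://([a-z0-9-]+\.)*google\.com(:[0-9]+)?([/?].*)?$",
    r"^([a-z0-9-]+\.)*google\.com:443$",
]

# Constructed sample targets: (string ProxyMatch would see, intended outcome)
SAMPLES = [
    ("http://www.google.com/search?q=mod_proxy", True),
    ("http://google.com/", True),
    ("www.google.com:443", True),
    ("http://www.bing.com/?q=google.com", False),  # allowed name only in query
    ("www.bing.com:443", False),
    ("http://notgoogle.com/", False),              # allowed name as a suffix
    ("notgoogle.com:443", False),
    ("http://google.com.example.net/", False),     # allowed name as a prefix
]

def is_allowed(target, patterns):
    """True if any allowlist pattern matches, i.e. 'Require all granted' applies."""
    return any(re.search(p, target) for p in patterns)

def audit(patterns, samples=SAMPLES):
    """Return the sample targets whose outcome differs from the intended one."""
    return [t for t, expected in samples if is_allowed(t, patterns) != expected]

if __name__ == "__main__":
    for name, pats in (("answer", ANSWER_PATTERNS), ("strict", STRICT_PATTERNS)):
        print(name, "mismatches:", audit(pats) or "none")
```

Any target listed as a mismatch is one the allowlist treats differently from what was intended; keeping such a list next to the configuration lets pattern changes be checked before Apache is reloaded.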
0

Try this code:

RewriteEngine On
# Testing URLs
RewriteCond %{HTTP_HOST} !google.co.uk [NC]
RewriteCond %{HTTP_HOST} !bbc.co.uk [NC]
RewriteCond %{HTTP_HOST} !amazon.com [NC]
RewriteCond %{HTTP_HOST} !centos.org [NC]
RewriteCond %{HTTP_HOST} !opensuse.org [NC]
# URL to redirect to if not in allowed list
RewriteRule (.*) http://example.org/notallowed.htm

Alessandro Minoccheri
Smock