path: root/docs/manual/mod/mod_proxy_connect.xml
<?xml version="1.0"?>
<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
<!-- $LastChangedRevision$ -->

<!--
 Licensed to the Apache Software Foundation (ASF) under one or more
 contributor license agreements.  See the NOTICE file distributed with
 this work for additional information regarding copyright ownership.
 The ASF licenses this file to You under the Apache License, Version 2.0
 (the "License"); you may not use this file except in compliance with
 the License.  You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
-->

<modulesynopsis metafile="mod_proxy_connect.xml.meta">

<name>mod_proxy_connect</name>
<description><module>mod_proxy</module> extension for
<code>CONNECT</code> request handling</description>
<status>Extension</status>
<sourcefile>mod_proxy_connect.c</sourcefile>
<identifier>proxy_connect_module</identifier>

<summary>
    <p>This module <em>requires</em> the service of <module
    >mod_proxy</module>. It provides support for the <code>CONNECT</code>
    HTTP method. This method is mainly used to tunnel SSL requests
    through proxy servers.</p>

    <p>Thus, to handle <code>CONNECT</code> requests, both
    <module>mod_proxy</module> and <module>mod_proxy_connect</module>
    have to be present in the server.</p>

    <p>CONNECT is also used when the server needs to send an HTTPS request
    through a forward proxy. In this case the server acts as a CONNECT client.
    This functionality is part of <module>mod_proxy</module> and
    <module>mod_proxy_connect</module> is not needed in this case.</p>

    <note type="warning"><title>Warning</title>
      <p>Do not enable proxying until you have <a
      href="mod_proxy.html#access">secured your server</a>. Open proxy
      servers are dangerous both to your network and to the Internet at
      large.</p>
    </note>
</summary>
<seealso><module>mod_proxy</module></seealso>

<section id="notes"><title>Request notes</title>
    <p><module>mod_proxy_connect</module> creates the following request notes for
        logging using the <code>%{VARNAME}n</code> format in
        <directive module="mod_log_config">LogFormat</directive> or
        <directive module="core">ErrorLogFormat</directive>:
    </p>
    <dl>
        <dt>proxy-source-port</dt>
        <dd>The local port used for the connection to the backend server.</dd>
    </dl>

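   <p>CONNECT requests are subject to
   <directive module="mod_proxy">Proxy</directive> blocks
   like any other HTTP request passing through the proxy.
   SSL connections through the proxy may be filtered explicitly
   by specifying the target host and port. For instance, the following
   allows only clients in <code>192.168.0.0/16</code> to tunnel to
   <code>www.example.com</code> on port <code>443</code>:
   </p>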

   <highlight language="config">
&lt;Proxy www.example.com:443&gt;
  Require ip 192.168.0.0/16
&lt;/Proxy&gt;
   </highlight>
</section>

<directivesynopsis>
<name>AllowCONNECT</name>
<description>Ports that are allowed to <code>CONNECT</code> through the
proxy</description>
<syntax>AllowCONNECT <var>port</var>[-<var>port</var>]
[<var>port</var>[-<var>port</var>]] ...</syntax>
<default>AllowCONNECT 443 563</default>
<contextlist><context>server config</context><context>virtual host</context>
</contextlist>
<compatibility>Moved from <module>mod_proxy</module> in Apache 2.3.5.
Port ranges available since Apache 2.3.7.</compatibility>

<usage>
    <p>The <directive>AllowCONNECT</directive> directive specifies a list
    of port numbers or ranges to which the proxy <code>CONNECT</code> method
    may connect.  Today's browsers use this method when an <code>https</code>
    connection is requested and proxy tunneling over HTTP is in effect.</p>

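    <p>By default, only the default https port (<code>443</code>) and the
    default snews port (<code>563</code>) are enabled. Using the
    <directive>AllowCONNECT</directive> directive replaces this default:
    connections are then allowed to the listed ports only. The directive
    limits destination ports only; which clients may use the proxy, and
    which hosts they may reach, is still determined by the access
    controls configured for <module>mod_proxy</module>.</p>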
</usage>
</directivesynopsis>

</modulesynopsis>