<?xml version="1.0"?>
<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
<!-- $LastChangedRevision$ -->
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<modulesynopsis metafile="mod_proxy_connect.xml.meta">
<name>mod_proxy_connect</name>
<description><module>mod_proxy</module> extension for
<code>CONNECT</code> request handling</description>
<status>Extension</status>
<sourcefile>mod_proxy_connect.c</sourcefile>
<identifier>proxy_connect_module</identifier>
<summary>
<p>This module <em>requires</em> the service of <module
>mod_proxy</module>. It provides support for the <code>CONNECT</code>
HTTP method. This method is mainly used to tunnel SSL requests
through proxy servers.</p>
<p>Thus, to handle <code>CONNECT</code> requests, both
<module>mod_proxy</module> and
<module>mod_proxy_connect</module> must be present in the server.</p>
<p>CONNECT is also used when the server needs to send an HTTPS request
through a forward proxy. In this case the server acts as a CONNECT client.
This functionality is part of <module>mod_proxy</module> and
<module>mod_proxy_connect</module> is not needed in this case.</p>
<note type="warning"><title>Warning</title>
<p>Do not enable proxying until you have <a
href="mod_proxy.html#access">secured your server</a>. Open proxy
servers are dangerous both to your network and to the Internet at
large.</p>
</note>
</summary>
<seealso><module>mod_proxy</module></seealso>
<section id="notes"><title>Request notes</title>
<p><module>mod_proxy_connect</module> creates the following request notes for
logging using the <code>%{VARNAME}n</code> format in
<directive module="mod_log_config">LogFormat</directive> or
<directive module="core">ErrorLogFormat</directive>:
</p>
<dl>
<dt>proxy-source-port</dt>
<dd>The local port used for the connection to the backend server.</dd>
</dl>
<p><code>CONNECT</code> requests are controlled by the
<directive module="mod_proxy">Proxy</directive> block
like any other HTTP request going through the proxy.
SSL connections through a proxy may be filtered explicitly
by specifying the target host and port, for instance:
</p>
<highlight language="config">
&lt;Proxy www.example.com:443&gt;
    Require ip 192.168.0.0/16
&lt;/Proxy&gt;
</highlight>
</section>
<directivesynopsis>
<name>AllowCONNECT</name>
<description>Ports that are allowed to <code>CONNECT</code> through the
proxy</description>
<syntax>AllowCONNECT <var>port</var>[-<var>port</var>]
[<var>port</var>[-<var>port</var>]] ...</syntax>
<default>AllowCONNECT 443 563</default>
<contextlist><context>server config</context><context>virtual host</context>
</contextlist>
<compatibility>Moved from <module>mod_proxy</module> in Apache 2.3.5.
Port ranges available since Apache 2.3.7.</compatibility>
<usage>
<p>The <directive>AllowCONNECT</directive> directive specifies a list
of port numbers or ranges to which the proxy <code>CONNECT</code> method
may connect. Today's browsers use this method when an <code>https</code>
connection is requested and proxy tunneling over HTTP is in effect.</p>
<p>By default, only the default https port (<code>443</code>) and the
default snews port (<code>563</code>) are enabled. Use the
<directive>AllowCONNECT</directive> directive to override this default and
allow connections to the listed ports only.</p>
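<p>The following Python audit helper is an added example, not part of the
httpd documentation or source. It parses an <code>AllowCONNECT</code> argument
list in the syntax shown above and reports which <code>CONNECT</code> request
lines target a port outside it. All function names and the sample request
lines are constructed for illustration, and the range validation is the
example's own strictness.</p>

```python
import re

DEFAULT_ALLOW_CONNECT = "443 563"  # default stated in this documentation

def parse_allow_connect(args):
    """Turn 'port[-port] ...' arguments into a list of (low, high) tuples."""
    ranges = []
    for token in args.split():
        if not re.fullmatch(r"\d+(-\d+)?", token):
            raise ValueError(f"not a port or port range: {token!r}")
        low, _, high = token.partition("-")
        low, high = int(low), int(high or low)
        # Strictness chosen for this example: ports 1-65535, ascending ranges.
        if low not in range(1, 65536) or high not in range(low, 65536):
            raise ValueError(f"invalid port range: {token!r}")
        ranges.append((low, high))
    if not ranges:
        raise ValueError("AllowCONNECT needs at least one port")
    return ranges

def port_allowed(port, ranges):
    return any(port in range(low, high + 1) for low, high in ranges)

def connect_port(request_line):
    """Return the target port of a 'CONNECT host:port HTTP/x.y' line, else None."""
    m = re.fullmatch(r"CONNECT \S+:(\d+) HTTP/\d\.\d", request_line.strip())
    return int(m.group(1)) if m else None

def audit(request_lines, allow_connect=DEFAULT_ALLOW_CONNECT):
    """List the CONNECT request lines whose port is outside AllowCONNECT."""
    ranges = parse_allow_connect(allow_connect)
    flagged = []
    for line in request_lines:
        port = connect_port(line)
        if port is not None and not port_allowed(port, ranges):
            flagged.append(line)
    return flagged

# Constructed sample request lines (not taken from a real log).
SAMPLE = [
    "CONNECT www.example.com:443 HTTP/1.1",
    "CONNECT news.example.com:563 HTTP/1.1",
    "CONNECT mail.example.com:25 HTTP/1.1",
    "CONNECT app.example.com:8443 HTTP/1.1",
    "GET http://www.example.com/ HTTP/1.1",
]

if __name__ == "__main__":
    print(audit(SAMPLE))                   # default 443 563
    print(audit(SAMPLE, "443 8440-8449"))  # override with a range
```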
</usage>
</directivesynopsis>
</modulesynopsis>