Topic: How to Prevent an Open Proxy Server
dave-rv
Joined: 25 Feb 2009 Posts: 9
Posted: Sat 21 Mar '09 11:39 Post subject: How to Prevent an Open Proxy Server
I have a number of local networks on which users access the internet via a local Apache server acting as a forwarding proxy. All these local proxies are then chained to a single central forwarding proxy from where the internet is accessed.
Users log on to the local networks and the central network has no knowledge of the user accounts.
The local proxies are tied down to only accept requests from the local network. My problem is how to lock down the centralised proxy such that it only handles requests from my local proxies. I can’t filter on the basis of the IP address as the local network address may be dynamic.
The prototype solution relies on the local proxy adding an X-header into the request and the centralised proxy rejecting all requests not containing this header. Whilst this prevents open abuse of the proxy, the solution does feel a bit hacked.
I was wondering whether it is possible to configure the local proxies to act as a client using a form of digest authentication. I know Apache supports server side authentication but I’m struggling to see how it can act as the client.
Any suggestions as to how I lock down my central proxy such that it only responds to the local proxies are gratefully received.
Many thanks
Dave
glsmith Moderator

Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Sat 21 Mar '09 17:27 Post subject:
yeah .. but Allow from 192.168 covers the whole thing
192.168.1.20, 192.168.2.255 would both be allowed
You keep saying local so I am assuming you do not mean;
Group One (in house .. truly local)
Group Two (down the road a mile or two on another or even same ISP, read remote)
at which point that allow would not work (since the IP over there would be the WAN) and at which point IP based restrictions would be cumbersome, without opening up proxy to others on same ISP as Group Two.
Just 2 cents
dave-rv
Joined: 25 Feb 2009 Posts: 9
Posted: Sat 21 Mar '09 19:25 Post subject:
Yes, there are a number of NAT'ed LANs, each running its own 192.168 network with a proxy and a single, dynamically assigned public IP address.
The central proxy has a static URL and even a domain name.
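
The shared-header check described in the first post, written out as Apache 2.2-style configuration for both ends of the chain. This is an added example, not configuration posted in the thread; the header name `X-Proxy-Token`, the token value, the host `central.example` and port 8080 are placeholders chosen for illustration.

```apache
# ---- Local proxy (one per NAT'ed LAN) ----
# Assumes mod_proxy, mod_proxy_http and mod_headers are loaded.
ProxyRequests On

# Chain every request to the central proxy (host and port are placeholders).
ProxyRemote * http://central.example:8080

# Only LAN clients may use the local proxy.
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from 192.168
</Proxy>

# "set" overwrites anything the client sent, so a LAN user cannot
# pick the value that reaches the central proxy.
RequestHeader set X-Proxy-Token "REPLACE-WITH-LONG-RANDOM-VALUE"


# ---- Central proxy ----
# Assumes mod_proxy, mod_proxy_http, mod_setenvif and mod_headers are loaded.
ProxyRequests On

# Flag the request only when the header matches the shared value exactly.
SetEnvIf X-Proxy-Token "^REPLACE-WITH-LONG-RANDOM-VALUE$" from_local_proxy

# Default deny: requests without the flag are refused, whatever their source IP.
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from env=from_local_proxy
</Proxy>

# Strip the token before the request is sent on to the origin server,
# so the shared value is not disclosed to every site the users visit.
RequestHeader unset X-Proxy-Token

# Keep the token out of log files: do not add %{X-Proxy-Token}i
# to any LogFormat on either proxy.
```

With an `http://` hop between the proxies the header crosses the internet in clear text, so anyone on the path can read and replay it. Test HTTPS (CONNECT) requests through the chain separately before relying on this check for them.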