Restricted Proxy with Apache
A restricted proxy server, one that only allows access to a tight subset of websites.
Apache is the logical choice for such an endeavor, but configuration is not
terribly straightforward. After numerous attempts, I settled on something like the below. I found that a ProxyAllow
directive would have fit the bill perfectly, but it is curiously lacking.
Configuration
This Apache 2.0 configuration tests the HTTP_HOST variable against a very short list of allowed domains,
after fully qualifying any non-FQDNs to the local domain. If the host does not match any of the domains, the rewrite
rule's [F] flag returns a 403. Another option would be to use an external rewrite map for more flexibility on the
list of allowed domains.
<VirtualHost *:80>
    ServerName restproxy.example.com
    ServerAlias restproxy
    DocumentRoot /var/www/html/restproxy
    ErrorDocument 403 "This web site is forbidden. Please contact Big Brother if you have any questions."

    # Forward proxy, reachable only from 192.168.x.x clients
    ProxyRequests On
    ProxyVia On
    <Proxy *>
        Order Deny,Allow
        Allow from 192.168
        Deny from all
    </Proxy>

    RewriteEngine On
    RewriteLog /var/log/httpd/restproxy_rewrite_log
    RewriteLogLevel 1
    # Defined once; used by both rule sets below
    RewriteMap lowercase int:tolower

    # If no dot in hostname, fully-qualify with .example.com
    RewriteCond ${lowercase:%{HTTP_HOST}} ^([^:]*).*$
    RewriteCond %1 !\. [NC]
    RewriteRule ^.*/(.*) http://%1.example.com:%{SERVER_PORT}/$1 [L,R]

    # Damn it would be nice to have a ProxyAllow directive
    # Return 403 unless the host is an allowed domain or a subdomain of one.
    # (^|\.) anchors at a label boundary and the dots are escaped, so a host
    # that merely ends in the same characters does not pass.
    RewriteCond ${lowercase:%{HTTP_HOST}} ^([^:]*).*$
    RewriteCond %1 !(^|\.)example\.com$
    RewriteCond %1 !(^|\.)google\.com$
    RewriteCond %1 !(^|\.)cnn\.com$
    RewriteRule ^proxy: - [F]
</VirtualHost>
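Added example (not part of the original page): a Python model of the allow-list test above, useful for checking domain patterns before they go into the RewriteCond chain. It compares unanchored suffix patterns of the form `.*google.com$` with label-anchored ones; the host names are constructed samples, and `LOOSE`, `STRICT`, `host_only`, `is_forbidden` and `report` are names chosen here.

```python
import re

# Unanchored suffix style: any host that merely ends in these characters passes,
# and the unescaped "." matches any character.
LOOSE = [r".*example.com$", r".*google.com$", r".*cnn.com$"]
# Same domains, anchored at a label boundary with literal dots.
STRICT = [r"(^|\.)example\.com$", r"(^|\.)google\.com$", r"(^|\.)cnn\.com$"]


def host_only(http_host):
    """Mirror ${lowercase:%{HTTP_HOST}} matched by ^([^:]*): lowercase, drop :port."""
    return re.match(r"^([^:]*)", http_host.lower()).group(1)


def is_forbidden(http_host, patterns):
    """The [F] rule fires only when every negated RewriteCond holds,
    i.e. when the host matches none of the allow patterns."""
    host = host_only(http_host)
    return all(re.search(p, host) is None for p in patterns)


# Constructed sample Host header values (not taken from any real log).
SAMPLES = [
    "www.google.com",       # subdomain of an allowed domain
    "CNN.com:80",           # mixed case with a port
    "example.com",          # bare allowed domain
    "notgoogle.com",        # different domain sharing the suffix characters
    "www.googlexcom",       # "x" where the literal dot should be
    "www.cnn.com.invalid",  # allowed name as a prefix, not a suffix
]


def report(samples=SAMPLES):
    """Map each host to (forbidden under LOOSE, forbidden under STRICT)."""
    return {h: (is_forbidden(h, LOOSE), is_forbidden(h, STRICT)) for h in samples}


if __name__ == "__main__":
    for host, (loose, strict) in report().items():
        print(f"{host:22} loose={'403' if loose else 'pass'}  "
              f"strict={'403' if strict else 'pass'}")
```

Rows where the two columns differ are hosts that only the anchored patterns reject.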