Subject: Re: Apache question.
To: Richard Rauch <rkr@olib.org>
From: None <kpneal@pobox.com>
List: netbsd-help
Date: 01/26/2003 14:23:09
On Sun, Jan 26, 2003 at 04:49:21AM -0600, Richard Rauch wrote:
> On Sun, Jan 26, 2003 at 01:00:16AM -0500, kpneal@pobox.com wrote:
> > On Sat, Jan 25, 2003 at 05:11:29AM -0600, Richard Rauch wrote:
> > > I was peering through my logs, and I saw something that made me gape
> > > in horror: Someone was connecting to my web-server using a CONNECT
>  [...]
> > > 
> > > I had set up Apache 2 to play with.  It looks like Apache declined
> > > the CONNECT request, but it didn't log to error_log.
>  [...]
> > 
> > <Location />
> > Order allow,deny
> > Deny from all
> >  <Limit GET PUT POST>
> >  Allow from all
> >  <Llimit>
> > </Location>
> 
> You didn't answer my question if I should be concerned.  Are you implying
> that it *did* go through?  Or is the above a "just in case" or "just to
> make things explicit"?

What was in your web server logs? Was it a 403 or was it a 200-something?
If 403, you are fine. If 200-something, the connection went through. 

The snippet of config file I gave just makes everything nice and clear.
You'll need to add in the extra stuff needed for DAV (if you use DAV),
and you'll need to correct the typo, but otherwise it protects you
against these CONNECT issues. 

> I tried to do a hand-crafted CONNECT via a telnet to my web-server, and
> it dropped the connection as soon as I sent the request.  Like the two
> that I saw previously in my log file: It was logged to access_log,
> but did not have an error_log entry.  So I assume that, like my
> hand-crafted request, the two attempted forwarded mail connects
> were dropped.

> Is this correct?

I believe so. Check for a 403. 

On the subject of the error_log, it is true that it is for errors.
Then again, permission denied messages generated in the course of
serving up a 403 also show up in the error_log, so I can see someone
making a case for CONNECT errors showing up in it as well.
-- 
Kevin P. Neal                                http://www.pobox.com/~kpn/

   "I like being on the Daily Show." - Kermit the Frog, Feb 13 2001
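
The access_log check discussed in this message (403 means the CONNECT was refused, a 2xx means it went through), as an added example that is not part of the original e-mail. It assumes Apache's Common Log Format; the sample lines, addresses and host names are constructed, and treating any other status as "review" is an assumption of this example.

```python
import re

# Apache Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

def classify_connects(lines):
    """Return (host, target, status, verdict) for every CONNECT request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess at its fields
        parts = m.group("request").split()
        if not parts or parts[0].upper() != "CONNECT":
            continue
        target = parts[1] if len(parts) > 1 else "-"
        status = int(m.group("status"))
        if 200 <= status < 300:
            verdict = "TUNNELLED"   # the connection went through
        elif status == 403:
            verdict = "refused"     # server declined the request
        else:
            verdict = "review"      # assumption: anything else needs a manual look
        findings.append((m.group("host"), target, status, verdict))
    return findings

# Constructed sample access_log lines (documentation addresses and names).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Jan/2003:04:10:01 -0600] "CONNECT mail.example.net:25 HTTP/1.0" 403 291',
    '192.0.2.11 - - [25/Jan/2003:04:12:44 -0600] "CONNECT mail.example.net:25 HTTP/1.0" 200 -',
    '192.0.2.12 - - [25/Jan/2003:04:13:02 -0600] "GET /index.html HTTP/1.1" 200 1456',
    '192.0.2.13 - - [25/Jan/2003:04:15:30 -0600] "CONNECT mail.example.net:25 HTTP/1.0" 405 312',
    'this line is not in Common Log Format',
]

if __name__ == "__main__":
    for host, target, status, verdict in classify_connects(SAMPLE_LOG):
        print(f"{verdict:9} {status} {host} -> {target}")
```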