PageViews: 93,986 hits / 585 nets
home updates download manual documents search

Reference Manual of DeleGate

DeleGate reference manual version 9.9 / RELAY_ssi
Note that including a resource by SSI is under the access control of DeleGate (as origin or proxy server) common to the access control against client users. That is, if a client user is forbidden to access the included resource, it is also forbidden even via SSI-include.
Especially allowing including a resource out of the DeleGate server, with URL like virtual=http://exserver/dir/fileX can make a security hole made by a user as a SHTML writer. In an origin server, relaying as a proxy must be forbidden by RELAY=no, but it also forbids SSI-include to do from other servers.
A simple workaround in version 9 is adding a limited RELAY as RELAY="proxy:http:exserver:*" that only allows relaying to exserver. Another safer workaround is using MOUNT like MOUNT="/ex/* http://exserver/dir/*" then write SSI-include like virtual="/ex/fileX". But both of these allows client users to access to resources other than the intended virtual URL in the exserver.