Tuesday, December 21, 2010

Apache mod_proxy abuse

This week I learned the hard way that you have to watch out with Apache mod_proxy, especially when you are using the options ProxyRequests On and ProxyPass: my Apache server was being abused as a proxy!

What happened?

Last week I noticed that my Apache access.log was growing rapidly, 400MB each day?! Looking at the log file, it had only entries with requests for unknown URLs, and my server replied with an HTTP 200 response. NOT GOOD! My Apache server was being abused as a proxy for other sites, argh! I did some research and found that my server was totally open for abuse, mainly due to my lacking knowledge of Apache's mod_proxy.

How to test if your server can be abused?

To test if your Apache server is abusable, open the command prompt and run telnet:

telnet yoursite.example.com 80

Paste the following into the telnet console and press Enter twice. If the response contains content from Yahoo, your server can be abused as a proxy. Read on!

GET http://www.yahoo.com/ HTTP/1.1
Host: www.yahoo.com
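
The symptom described above, an access.log full of requests for foreign URLs, can also be checked from the log itself. The following Python script is an added example, not code from the original post; it assumes Apache's common/combined log format, and `OWN_HOSTS` and the sample log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Hostnames this server legitimately serves (assumption: replace with your own vhost names).
OWN_HOSTS = {"yoursite.example.com"}

# Apache common/combined log format: client ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)'
    r'(?: HTTP/[\d.]+)?" (?P<status>\d{3}) '
)

def classify(line, own_hosts=OWN_HOSTS):
    """Return None for normal requests, else a dict describing the proxy attempt."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target, status = m["method"], m["target"], int(m["status"])
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]          # "host:port" tunnel request
    elif target.lower().startswith(("http://", "https://")):
        host = urlsplit(target).hostname or ""   # absolute-URI (proxy-style) request
    else:
        return None                              # origin-form target such as "/index.html"
    if host.lower() in own_hosts:
        return None                              # absolute URI naming this server is legal HTTP/1.1
    # Status below 400: the request was answered rather than refused.
    return {"client": m["client"], "host": host.lower(), "served": 200 <= status < 400}

def summarize(lines):
    """Count answered vs. refused proxy-style requests for foreign hosts."""
    served = refused = 0
    for line in lines:
        hit = classify(line)
        if hit:
            served += hit["served"]
            refused += not hit["served"]
    return served, refused

# Constructed sample log lines (not from the original post).
SAMPLE = [
    '203.0.113.7 - - [21/Dec/2010:10:00:01 +0100] "GET http://www.yahoo.com/ HTTP/1.1" 200 9876',
    '203.0.113.7 - - [21/Dec/2010:10:00:02 +0100] "CONNECT mail.example.net:25 HTTP/1.0" 403 210',
    '198.51.100.4 - - [21/Dec/2010:10:00:03 +0100] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.4 - - [21/Dec/2010:10:00:04 +0100] "GET http://yoursite.example.com/ HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print("answered=%d refused=%d" % summarize(SAMPLE))
```

A 2xx status on a flagged line is not proof of relaying by itself, because Apache may answer a foreign-host absolute URI with its own default page; confirm with the telnet test above.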

Securing your Apache server

Start by limiting global mod_proxy access. Add the following fragment to your httpd.conf:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
# Disable proxy requests, using ProxyPass in vhost
ProxyRequests Off
# Block all requests
<Proxy *>
 Order deny,allow
 Deny from all
</Proxy>

This denies proxy access for all incoming requests. Your server is not accepting proxy requests anymore. Now we can explicitly open proxy requests for the virtual hosts that need to do proxying. For example, I run another internal server that needs to be exposed to the outside world via my Apache server.

Read more: oudmaijer.com