This week I learned the hard way that you have to watch out with Apache mod_proxy, especially when you are using the ProxyRequests On option together with ProxyPass: my Apache server was being abused as a proxy!
What happened?
Last week I noticed that my Apache access.log was growing rapidly, 400MB each day?! Looking at the log file, it had only entries with requests for unknown URLs, and my server replied with an HTTP 200 response, NOT GOOD! My Apache server was being abused as a proxy for other sites, argh! I did some research and found that my server was totally open for abuse, mainly because of my lack of knowledge of Apache's mod_proxy.
How to test if your server can be abused?
To test if your Apache server is abusable, open the command prompt and run telnet:
telnet yoursite.example.com 80
Paste the following into the telnet session and press Enter twice. If Yahoo's page comes back, your server is acting as an open proxy for anyone on the internet. Read on!
GET http://www.yahoo.com/ HTTP/1.1
Host: www.yahoo.com
Securing your Apache server
Start with limiting global mod_proxy access. Add the following fragment to your httpd.conf:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
# Disable forward proxy requests; reverse proxying is done with ProxyPass inside the vhost
ProxyRequests Off
# Deny all access through mod_proxy by default; vhosts that need it re-open it explicitly
<Proxy *>
Order deny,allow
Deny from all
</Proxy>
This denies proxy access for all incoming requests: your server no longer accepts proxy requests. Because the <Proxy *> block also covers the requests that ProxyPass forwards, we now explicitly open proxy access only for the virtual hosts that need to do proxying. For example, I run another internal server that needs to be exposed to the outside world via my Apache server.
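A per-vhost fragment that re-opens mod_proxy for exactly one reverse-proxied backend, as an added example that is not from the original post: the hostname app.example.com and the backend address 10.0.0.5:8080 are assumed placeholders, and the Order/Deny/Allow syntax follows the Apache 2.2 style used above (Apache 2.4 replaces it with Require all denied / Require all granted).

```apache
# Global part (httpd.conf): no forward proxying, and nothing may pass
# through mod_proxy unless a <Proxy> section below explicitly allows it.
ProxyRequests Off
<Proxy *>
    Order deny,allow
    Deny from all
</Proxy>

# Virtual host that exposes an internal application (assumed placeholder addresses).
<VirtualHost *:80>
    ServerName app.example.com

    # Re-open mod_proxy only for the one backend this vhost forwards to;
    # the global "Deny from all" still covers every other destination.
    <Proxy http://10.0.0.5:8080/*>
        Order deny,allow
        Allow from all
    </Proxy>

    # Forward requests for this vhost to the backend and rewrite the
    # backend's redirects so clients never see the internal address.
    ProxyPass        / http://10.0.0.5:8080/
    ProxyPassReverse / http://10.0.0.5:8080/
</VirtualHost>
```

After restarting Apache, repeat the telnet check above: the request for http://www.yahoo.com/ should no longer return Yahoo's content, while requests with Host: app.example.com still reach the backend.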
Read more: oudmaijer .com