This week I learned the hard way that you have to watch out with Apache mod_proxy, especially when you are using the option ProxyRequests On and ProxyPass: my Apache server was being abused as a proxy!
Last week I noticed that my Apache access.log was growing rapidly, 400MB each day?! Looking at the log file, it had only entries with requests for unknown URLs, and my server replied with an HTTP 200 response, NOT GOOD! My Apache server was being abused as a proxy for other sites, argh! I did some research and found that my server was totally open for abuse, mainly due to my lacking knowledge of Apache's mod_proxy.
How to test if your server can be abused?
To test if your Apache server is abusable, open the command prompt and run telnet:
telnet yoursite.example.com 80
Paste the following into the telnet console and press Enter twice. Retrieving content from Yahoo? Read on!
GET http://www.yahoo.com/ HTTP/1.1
Host: www.yahoo.com
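The telnet check above tells you whether the server is open right now; the access.log growth described earlier carries the same signature after the fact: a request line with an absolute URI (or a CONNECT) for a host you do not serve, answered with a 2xx or 3xx status. The Python script below is an added example, not from the original post: it scans constructed sample log lines for that pattern, assuming my.server.com and default.only are the only hostnames the server legitimately serves.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache common/combined log format: client ident user [time] "request line" status ...
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

# Hostnames this server legitimately answers for (assumption: the post's vhost names).
OUR_HOSTS = {"my.server.com", "default.only"}

def is_proxy_abuse(line, our_hosts=OUR_HOSTS):
    """Return (client, target_host) if the line records a served forward-proxy request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target, status = m.group("method"), m.group("target"), int(m.group("status"))
    if method == "CONNECT":                  # tunnel request: "CONNECT host:port"
        host = target.rsplit(":", 1)[0]
    elif "://" in target:                    # absolute-form target: "GET http://host/path"
        host = urlsplit(target).hostname or ""
    else:                                    # origin-form target ("GET /path"): normal traffic
        return None
    if host.lower() in our_hosts:            # absolute URI for one of our own vhosts is fine
        return None
    if 200 <= status < 400:                  # served or redirected: the proxy did the work
        return (m.group("client"), host.lower())
    return None                              # 403 and other errors: request was refused

def summarize(lines, our_hosts=OUR_HOSTS):
    """Count served proxy requests per target host and per abusing client."""
    hosts, clients = Counter(), Counter()
    for line in lines:
        hit = is_proxy_abuse(line, our_hosts)
        if hit:
            clients[hit[0]] += 1
            hosts[hit[1]] += 1
    return hosts, clients

# Constructed sample access.log lines (documentation IPs and hosts, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2010:13:55:36 +0200] "GET http://www.yahoo.com/ HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2010:13:55:37 +0200] "GET http://www.example.net/ads.js HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2010:13:56:01 +0200] "CONNECT mail.example.org:443 HTTP/1.1" 200 0 "-" "-"
192.0.2.44 - - [10/Oct/2010:13:56:02 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2010:13:56:03 +0200] "GET http://my.server.com/login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2010:13:57:00 +0200] "GET http://www.yahoo.com/ HTTP/1.1" 403 202 "-" "Mozilla/5.0"
""".splitlines()
```

To run it on a real log, pass the file's lines to `summarize` (for example `summarize(open("access.log").read().splitlines())`); after the fix described below, the same requests should show up as 403 and no longer count.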
Securing your Apache server
Start with limiting global mod_proxy access. Add the following fragment to your
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Disable proxy requests, using ProxyPass in vhost
ProxyRequests Off

# Block all requests
<Proxy *>
    Order deny,allow
    Deny from all
</Proxy>
This denies proxy access for all incoming requests; your server no longer accepts proxy requests. Now we can explicitly open up proxying for the virtual hosts that need it. For example, I run another internal server that needs to be exposed to the outside world via my Apache server.
In my httpd-vhosts.conf I created a default vhost that blocks all requests that do not target a vhost that I have defined.
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName default.only
    <Location />
        Order allow,deny
        Deny from all
    </Location>
</VirtualHost>
Now open up proxying of requests for the vhosts that require it:
<VirtualHost *:80>
    ServerName my.server.com
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / http://internal.server:8085/
    ProxyPassReverse / http://internal.server:8085/
</VirtualHost>
For the virtual host my.server.com the requests are proxied to the internal server. All other requests are now blocked.
Make sure you really know what you are doing when using mod_proxy. Avoid ProxyRequests On, because you almost never need it in your top-level configuration: it turns Apache into a forward proxy for arbitrary hosts, whereas ProxyPass and ProxyPassReverse work as a reverse proxy with ProxyRequests Off. Also read the link below and secure your server properly!
mod_proxy documentation: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html