Apache mod_proxy abuse

This week I learned the hard way that you have to watch out with apache mod_proxy, especially when you are using the option ProxyRequests On and ProxyPass, my Apache server was being abused as a proxy!

What happened?

Last week I noticed that my Apache access.log was growing rapidly, 400MB each day?! Looking at the log file it had only entries with requests for unknow URLs and my server replied with a HTTP 200 response, NOT GOOD! My Apache server was being abused as a proxy for other sites, argh! I did some research and found that my server was totally open for abuse. Mainly due to my lacking knowledge of Apache`s mod_proxy.

How to test if your server can be abused?

To test if your Apache server is abusable, open the command prompt and run telnet:

telnet yoursite.example.com 80

Paste the following to the telnet console and press enter twice, retrieving content from yahoo? Read on!

GET http://www.yahoo.com/ HTTP/1.1
Host: www.yahoo.com

Securing your Apache server

Start with limiting global mod_proxy access. Add the following fragment to your httpd.conf:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Disable proxy requests, using ProxyPass in vhost
ProxyRequests Off

# Block all requests
<Proxy *>
  Order deny,allow
  Deny from all
</Proxy>

This denies proxy access for all incoming requests. Your server is not accepting proxy requests anymore. Now we can explicitly open proxy requests for virtual_hosts that need to do proxying. For example, I run another internal server that needs to be exposed to the outside world via my Apache server.

In my httpd-vhosts.conf I created a default vhost that blocks all requests that do not target a vhost that I have defined.

NameVirtualHost *:80

<VirtualHost *:80>
  ServerName default.only
  <Location />
    Order allow,deny
    Deny from all
  </Location>
</VirtualHost>

Now open up proxing of requests for vhosts that require this:

<VirtualHost *:80>

    ServerName my.server.com
		
   <Proxy *>
	Order deny,allow
	Allow from all
   </Proxy>
	
   ProxyPass / http://internal.server:8085/
   ProxyPassReverse / http://internal.server:8085/

</VirtualHost>

For the virtualhost my.server.com the request are being proxied to the internal server. All other requests are now being blocked.

Conclusion

Make sure you really know what you are doing when using mod_proxy. Make sure to avoid ProxyRequest On because you almost never need this in your toplevel configuration. Also read the links below and secure your server properly!

ProxyAbuse: http://wiki.apache.org/httpd/ProxyAbuse
mod_proxy documentation: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

Comments are closed.