Mod_Proxy security problem

[mcirl2]

Hi,

 

I have set up an intranet for a client and I am using Apache Web Server (mod_proxy) for https.

 

However, the problem is that my Hosting Provider (We have a dedicated machine) emailed me and said that the proxy had been used / is being used by spammers.

 

I immediately shut down apache and now I am trying to fix the problem.

 

How do you secure the proxy so it is not an "Open Proxy". I cannot restrict access to one ip / range of ip addresses as the users need access from anywhere (most employees work off site).

 

This is what the our provider told us in the email:

 

We have found that portal.xyz.com (port 80) is working as unsecure open

HTTP_POST proxy.  We would ask that you immediately investigate this issue

and take the necessary steps to close it down.

 

Has anyone come across this / an idea how to secure it.

 

Any advice would be much appreciated.

 

thanks in advance,

 

Mike

 

 

[corbin]

You could limit the sites that it allows access to.

 

 

Don't remember the directive to do that, but it should be in the documentation.

[mcirl2]

Hi,

 

Thanks for the instanteous reply !! Very much appreciated.

 

I will go find it and post back the solution (hopefully) as this has had me puzzled for a while.

 

Thanks a lot,

 

Mike

[mcirl2]

Hi,

 

I think I have sorted it but not 100%.

 

I went the documentation at http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#proxyrequests and because my I am using a reverse proxy pass I don't need  "ProxyRequests On" so I changed this to "ProxyRequests Off"

 

Is there anywhere I can test to see if my proxy is secure as I would rather know before getting another angry email from my hosting provider.

 

Regards,

 

Mike

 

 

[corbin]

Well, you could send it a couple raw headers.

 

Just use telnet or something similar:

 

 

telnet nameoripofyourproxy.com 80

 

Then, once it connects, type something like:

 

GET http://google.com/ HTTP/1.1

Host: google.com

 

(Note that you will need to hit enter twice after the Host: line.)

 

Then, you could replace GET with POST to check POSTing.

[mcirl2]

Hi,

 

I tested doing the above telnet with the ProxyRequests On and then ProxyRequests Off

 

When ProxyRequests was OFF and I did the post command, I got this:

 

HTTP/1.1 301 Moved Permanently
Date: Fri, 13 Feb 2009 19:03:41 GMT
Server: Apache-Coyote/1.1
Location: /c;jsessionid=A2ABE5ABDFF8A8E5
Content-Type: text/html
Content-Length: 198
Set-Cookie: JSESSIONID=A2ABE5ABDFF8A8E54

<body onload="javascript: location.repla
</html>C1C')">

Connection to host lost.

C:\Documents and Settings\Administrator>

 

I then proceedeed to test with ProxyRequests On and I got this:

 

HTTP/1.1 411 Length Required
Date: Fri, 13 Feb 2009 19:07:09 GMT
Server: GFE/1.3
Content-Type: text/html; charset=UTF-8
Content-Length: 1363
Connection: close



<html><head>
           <meta http-equiv="content-type" content="text/html;charset=utf-8">
                                                                             <t
itle>411 Length Required</title>
                               <style><!--
                                          body {font-family: arial,sans-serif}
                                                                              d
iv.nav {margin-top: 1ex}
                       div.nav A {font-size: 10pt; font-family: arial,sans-seri
f}
 span.nav {font-size: 10pt; font-family: arial,sans-serif; font-weight: bold}
                                                                             di
v.nav A,span.big {font-size: 12pt; color: #0000cc}
                                                 div.nav A {font-size: 10pt; co
lor: black}
          A.l:link {color: #6f6f6f}
                                   A.u:link {color: green}
                                                          //--></style>
                                                                       <script>
<!--
   var rc=411;
              //-->
                   </script>
                            </head>
                                   <body text=#000000 bgcolor=#ffffff>
                                                                      <table bo
rder=0 cellpadding=2 cellspacing=0 width=100%><tr><td rowspan=3 width=1% nowrap>

<b><font face=times color=#0039b6 size=10>G</font><font face=times color=#c41200
size=10>o</font><font face=times color=#f3c518 size=10>o</font><font face=times
color=#0039b6 size=10>g</font><font face=times color=#30a72f size=10>l</font><f
ont face=times color=#c41200 size=10>e</font>  </b>
                                                            <td> </td></tr
>
<tr><td bgcolor="#3366cc"><font face=arial,sans-serif color="#ffffff"><b>Error<
/b></td></tr>
            <tr><td> </td></tr></table>
                                            <blockquote>
                                                        <H1>Length Required</H1
>
POST requests require a <code>Content-length</code> header.

                                                           <p>
                                                              </blockquote>
                                                                           <tab
le width=100% cellpadding=0 cellspacing=0><tr><td bgcolor="#3366cc"><img alt=""
width=1 height=4></td></tr></table>
                                  </body></html>


Connection to host lost.

C:\Documents and Settings\Administrator>

 

 

I dont really know much about telnet so does this show that it is secure when ProxyRequests is OFF?

 

Thanks for all your help.

 

Thanks,

 

Mike

 

[corbin]

Hrmmm, if I'm reading that correctly it should be ;p.