gentusmaximus Posted May 17, 2007

Hi,

My organisation's website is run on a standard LAMP setup. I'm currently developing some scripts to get RSS feeds and have discovered that the server is blocked from making external HTTP requests (i.e. it can't get feeds and return them).

I need to convince server admin that it's safe to allow HTTP requests from our server to external sites and need a bit more info as this is beyond my knowledge. Does anyone know any resources explaining the issues with allowing your server to read data from external sites?

I'm not concerned about the integrity of the data on the external sites, more that if we were hacked someone else would be able to make these requests from our server and how we can minimise the damage this might cause.

As I said, I'm a n00b in this area and any help is much appreciated,

Cheers!

steviewdr Posted May 17, 2007

Yes - it is a very common practice to block outgoing requests to webservers. This is because, if a PHP application (or something similar) gets hacked, a person can write a simple script to download a suite of rootkits etc. If outgoing requests are blocked, then wget on the server will not work.

Your best bet would be to single out the 1 or 2 websites you need outgoing access to, and then ask your server administrator for outgoing access to these 1 or 2 websites over port 80. As a web server admin myself, I would never allow all outgoing connections over port 80, however I would have exceptions for akismet etc.

Another avenue you can look into is getting your RSS feeds to use a proxy. The most common method (however, some apps such as akismet for spam don't) is to use a proxy to allow outgoing connections. I'm sure your organisation has a proxy there which you can use. You need to check if your RSS app can use a proxy and if so - excellent, you will not need the admin to go opening up the firewall.

-steve

gentusmaximus Posted May 17, 2007

Thanks for that steve, muchly muchly appreciated.

Can you allow outgoing access via domain name? One of the webservices I want to use is the Googlemaps API, which will be hard to pin down by IP (according to our server admins).

The proxy method sounds interesting, how does this avoid the problem if the server gets hacked?

steviewdr Posted May 21, 2007

You can allow outgoing access via domain name, however as far as I'm aware (with iptables firewalls), the firewall does an IP lookup of www.domainname.com, gets the IP (whichever IP it gets first) and puts it into the rules. Whenever the firewall rules are reloaded etc, it will do another IP lookup, getting the first IP and using it.

If the server gets hacked, they would have to know your proxy details, i.e. proxy address and port. Also - typical hacker tools etc might not have proxy support and it makes it a little more difficult.

Also - take IRC instead of web for a minute. A hacker finds a hole in a PHP app and downloads an IRC server script onto the server. Even if they do manage to wget (via proxy) their IRC server script, the firewall will block the outgoing IRC on 6666 etc. So blocking outgoing traffic on a server does make sense.

-steve
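
Added example, not part of the thread or any poster's code: the name-based allow decision a forward proxy can make for outgoing requests, which is what lets a service such as the Googlemaps API be permitted by domain rather than by IP. The allowlist entries, the port set and the function names are assumptions chosen for illustration.

```python
# Added illustration: outbound allow/deny decision by destination name and port.
# ALLOWED_DOMAINS and ALLOWED_PORTS are assumed values, not taken from the thread.
from urllib.parse import urlsplit

# A leading dot means "this domain and any subdomain"; no dot means exact host.
ALLOWED_DOMAINS = {"maps.google.com", ".example.org"}  # example.org = placeholder feed host
ALLOWED_PORTS = {80}


def host_allowed(host, allowed=ALLOWED_DOMAINS):
    """Return True if host matches an allowlist entry on a label boundary."""
    host = host.lower().rstrip(".")  # normalise case and a trailing root dot
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("."):
            # ".example.org" matches example.org and feeds.example.org,
            # but not notexample.org or example.org.evil.test
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def egress_decision(url):
    """Decide whether an outgoing request may leave, and say why not."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return "deny: scheme"
    host = parts.hostname  # already excludes any user@ prefix and the port
    if host is None:
        return "deny: no host"
    try:
        port = parts.port or 80
    except ValueError:  # out-of-range or non-numeric port
        return "deny: bad port"
    if port not in ALLOWED_PORTS:
        return "deny: port"
    if not host_allowed(host):
        return "deny: host"
    return "allow"


if __name__ == "__main__":
    for u in ("http://maps.google.com/maps/api",          # constructed samples
              "http://maps.google.com.evil.example/x",
              "http://maps.google.com:6666/"):
        print(u, "->", egress_decision(u))
```

Matching on the parsed hostname and on a label boundary is what stops look-alike names and `user@host` tricks from passing a naive substring check.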