httpd-docs mailing list archives

From Nico Foltinek <Folti...@camosun.bc.ca>
Subject Re: Apache 1.3.27 mod_proxy 'docs' issue
Date Wed, 23 Jul 2003 23:16:26 GMT

Hi,
I'm hoping that I've gotten onto the right list. 

I'd like to make a suggestion for documenting the mod_proxy vulnerability to
being a spam relay. I agree that it's a user config issue (mea culpa), but
there wasn't much in the docs that gave me the impression that mod_proxy was
so powerful. Also, I'm using 1.3 as a reverse proxy, and the docs focus on
securing a forward proxy. The 2.0 docs mention using mod_proxy as a reverse
proxy, but still only allude to the <Directory> directive for securing it.

I saw a few messages via MARC discussing the issue today, so here I am,
jumping in.

When I discovered that my mod_proxy was being exploited, I googled a bit and
came up with putting the following into httpd.conf:

<LocationMatch "^[^/]">
	Deny from all
</LocationMatch>

Sure enough, my logs go from 

[Sun Jun 22 08:38:33 2003] [error] (13)Permission denied: proxy:
utimes(/var/cache/httpd/.time)

to

[Sun Jul 20 05:11:36 2003] [error] [client 203.98.164.132] client denied by
server configuration: proxy:http://111.22.123.4:25/

I also added that LocationMatch directive in my SSL section. So, unless I've
missed something important, I recommend that including those lines in the
default httpd.conf will keep the proxy from being exploited. I don't know if
there's a run-time hit on performance, or any other issues that might make
this a bad idea.
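
Added example, not part of the original message: a Python sketch that tallies the `client denied by server configuration: proxy:` error-log entries quoted above per client and flags requests aimed at mail ports. The sample log is constructed (documentation-range addresses), and the function names and the 465/587 ports are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Denied proxy request, in the error-log format quoted in the message (one line per entry).
DENIED = re.compile(
    r"^\[(?P<when>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"client denied by server configuration: proxy:(?P<url>\S+)"
)
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}
# Port 25 appears in the message; 465 and 587 are added here as an assumption.
MAIL_PORTS = {25, 465, 587}

def parse_denied(line):
    """Return (client, host, port) for a denied proxy request, else None."""
    m = DENIED.match(line.strip())
    if not m:
        return None
    try:
        parts = urlsplit(m.group("url"))
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:  # malformed host or port in the requested URL
        return None
    if not parts.hostname:
        return None
    return m.group("client"), parts.hostname, port

def summarize(lines):
    """Count denied proxy attempts per client and those aimed at mail ports."""
    per_client, mail_relay = Counter(), Counter()
    for line in lines:
        hit = parse_denied(line)
        if hit is None:
            continue
        client, _host, port = hit
        per_client[client] += 1
        if port in MAIL_PORTS:
            mail_relay[client] += 1
    return per_client, mail_relay

# Constructed sample log, not real traffic.
SAMPLE = """\
[Sun Jul 20 05:11:36 2003] [error] [client 192.0.2.10] client denied by server configuration: proxy:http://198.51.100.7:25/
[Sun Jul 20 05:11:41 2003] [error] [client 192.0.2.10] client denied by server configuration: proxy:http://198.51.100.8:25/
[Sun Jul 20 05:12:02 2003] [error] [client 192.0.2.44] client denied by server configuration: proxy:http://www.example.com/
[Sun Jun 22 08:38:33 2003] [error] (13)Permission denied: proxy: utimes(/var/cache/httpd/.time)
"""
if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```

Clients that show up in the mail-port counter are the ones probing the server as a relay; the denied entries confirm the block is working, not that a request got through.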

