httpd-docs mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: Apache 1.3.27 mod_proxy 'docs' issue
Date Wed, 23 Jul 2003 17:14:34 GMT
The response I received from Jason in r.e. this bugtraq post made one
especially good documentation point;

>The final statements in the ProxyRequests directive documentation are;
>
>http://httpd.apache.org/docs/mod/mod_proxy.html#proxyrequests
>
>  "This allows or prevents Apache from functioning as a proxy server. 
>   Setting ProxyRequests to 'off' does not disable use of the <http://httpd.apache.org/docs/mod/mod_proxy.html#proxypass>ProxyPass
>   directive."

He suggests the converse comment in the ProxyPass directive, that the
ProxyRequests does not affect the ProxyPass directive, and should not
be enabled for reverse proxy configurations.

Bill

At 05:30 PM 7/22/2003, William A. Rowe, Jr. wrote:
>The Security Team responded 13 minutes after Jason's initial report,
>attempting to explain how he had misconfigured his server.  While we
>acknowledge that new directives might be desirable in limited cases, 
>the team determined that this is clearly a user configuration error.
>
>The Apache HTTP Server Documentation Project has been working
>to improve and further clarify the risks of open proxies, including open
>faux-HTTP proxies into SMTP servers.  They actively solicit contributions
>to the documentation (preferably with a patch) for any ambiguous or 
>insufficiently covered topics;
>
>  http://httpd.apache.org/docs-project/
>
>More details follow;
>
>At 11:52 AM 7/22/2003, Jason Robertson wrote:
>>I have found that recently a spammer has been using a mod_proxy 
>>configuration, (that was meant to allow for an easier transition to a 
>>new naming scheme, as well as changes to a backend software) as a spam 
>>relay.  
>>The spammer has been using HTTP POST requests to send these messages
>>with POST HTTP://mailserver:25/ HTTP/1.1  
>>With some research it looks like this is an automated process including 
>>the initial scan stage.
>>
>>When I contacted Apache in regards to this, the response was not very 
>>promising. 
>>
>>This problem would be a simple fix with implementing the AllowConnect 
>>configuration option within proxy_http, to prevent outbound 
>>connections.  
>
>As described in the default configuration, open proxies are never
>recommended [from Apache 1.3.27 conf/httpd.conf-dist];
>
>#
># Proxy Server directives. Uncomment the following lines to
># enable the proxy server:
>#
>#<IfModule mod_proxy.c>
>#    ProxyRequests On
>
>#    <Directory proxy:*>
>#        Order deny,allow
>#        Deny from all
>#        Allow from .your-domain.com
>#    </Directory>
>
>    #
>    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
>    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
>    # Set to one of: Off | On | Full | Block
>    #
>#    ProxyVia On
>
>    #
>    # To enable the cache as well, edit and uncomment the following lines:
>    # (no cacheing without CacheRoot)
>    #
>#    CacheRoot "@@ServerRoot@@/proxy"
>#    CacheSize 5
>#    CacheGcInterval 4
>#    CacheMaxExpire 24
>#    CacheLastModifiedFactor 0.1
>#    CacheDefaultExpire 1
>#    NoCache a-domain.com another-domain.edu joes.garage-sale.com
>
>#</IfModule>
># End of proxy directives.
>
>If (for the purposes of collecting several machines' collective content)
>you are attempting to ProxyPass a number of URIs to different boxes,
>you should NOT be enabling ProxyRequests.
>
>The final statements in the ProxyRequests directive documentation are;
>
>http://httpd.apache.org/docs/mod/mod_proxy.html#proxyrequests
>
>  "This allows or prevents Apache from functioning as a proxy server. 
>   Setting ProxyRequests to 'off' does not disable use of the <http://httpd.apache.org/docs/mod/mod_proxy.html#proxypass>ProxyPass
>   directive."
>
>  "Warning: Do not enable proxying until you have <http://httpd.apache.org/docs/mod/mod_proxy.html#access>secured
>   your server. 
>   Open proxy servers are dangerous both to your network and to the 
>   Internet at large."
>
>Access control is briefly illustrated further with additional references in;
>
>http://httpd.apache.org/docs/mod/mod_proxy.html#access
>
>Bill



---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
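
An added example, not part of the original thread or of Apache's own code: a Python check over Common Log Format access-log lines for the request shape reported above (`POST HTTP://mailserver:25/ HTTP/1.1`), that is, a request line naming a host or port other than the server's own. The log lines, `OWN_HOSTS`, `OWN_PORTS` and the function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Common Log Format: client identd user [time] "request line" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})\b')
OWN_HOSTS = {"www.example.org"}  # assumption: names this server really serves
OWN_PORTS = {80, 443}            # assumption: ports it listens on

# Constructed sample lines (not taken from any real log)
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jul/2003:11:40:01 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [22/Jul/2003:11:41:13 -0400] "POST HTTP://mailserver:25/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/Jul/2003:11:41:20 -0400] "CONNECT mailserver:25 HTTP/1.0" 405 300',
    '192.0.2.10 - - [22/Jul/2003:11:42:00 -0400] "GET http://www.example.org/news HTTP/1.1" 200 2210',
]


def proxy_attempt(line):
    """Return details if the request line names a foreign host or port, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m["method"], m["target"]
    try:
        if method == "CONNECT":        # authority-form target: host:port
            host, _, port = target.rpartition(":")
            port = int(port)
        elif "://" in target:          # absolute-form target: scheme://host[:port]/path
            url = urlsplit(target)     # hostname is lower-cased by urlsplit
            host, port = url.hostname, url.port or 80
        else:
            return None                # origin-form (/path): an ordinary request
    except ValueError:
        return None                    # unparsable port, left to other tooling
    if host in OWN_HOSTS and port in OWN_PORTS:
        return None                    # absolute URI for our own site is legitimate
    status = int(m["status"])
    return {"client": m["client"], "method": method, "host": host,
            "port": port, "status": status, "review": 200 <= status < 300}


def scan(lines):
    return [hit for hit in map(proxy_attempt, lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 2xx status only marks the entry for review; whether the request was actually relayed depends on the ProxyRequests setting and the proxy access controls discussed in the thread.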

