httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bob" <...@a1poweruser.com>
Subject RE: [users@httpd] Deny CONNECT & GET http requests
Date Sun, 17 Jun 2007 14:07:39 GMT


>>On 6/16/07, Bob <bob@a1poweruser.com> wrote:
>> I get 100k plus of these per month. This is really stressing my server.
>>
> >88.233.57.141 - - "GET http://yasann2.hp.infoseek.co.jp/cgi-bin/jenv.cgi
> >HTTP/1.1" 404 300 "http://yasann2.hp.infoseek.co.jp/cgi-bin/jenv.cgi"

> >125.225.140.225 - "CONNECT 209.191.118.103:25 HTTP/1.0" 200 7034 "-" "-"

> >Running FBSD 6.2 + apache 1.3.37_1 and the mod_proxy is commented out.

>> I want to add declaratives to http-conf to globally deny processing
>> all CONNECT & GET http requests entering the server.

>Start by reading:
>http://httpd.apache.org/docs/1.3/misc/FAQ.html#proxyscan

>You'll see that the GET requests are already being handled perfectly
>correctly. There is nothing more you need do (and indeed, not much
>more you can do even if you wanted to; you could make apache issue a
>403 status code instead of 404, but it wouldn't make any difference).
.>You should, of course, double-check that the 404 is being generated by
>your server and not the remote servers. You could do this, for
>example, by pointing your browser's proxy settings at your web server
>and requesting foreign sites.

>The CONNECT requests are slightly different. I suspect that 7034 (the
>size of the reponses) is actually the size of the response generated
>by your default index page on the site. Further, I suspect that this
>page is generated by php. In a default configuration, apache will
>respond with Method Not Allowed to CONNECT requests, but php allows
>any method at all through to its scripts. I believe there is a php
>config to allow only particular methods through.

>Joshua.
-----Original Message-----
From: jslive@gmail.com [mailto:jslive@gmail.com]On Behalf Of Joshua Slive
Sent: Saturday, June 16, 2007 10:04 PM
To: users@httpd.apache.org; bob@a1poweruser.com
Subject: Re: [users@httpd] Deny CONNECT & GET http requests
Thank you for the info. I read through link you provided on the  "GET http"
request. But I don't feel it answered my question. My interpretation of the
404 response means the "GET http" request was processed and packets where
sent to the URL contained in the request and the remote server replied back
with 404 no file found.  So in a nut shell these "GET http" request types
are consuming resources on my server.
Reading the link you posted above talks about the "GET http" request being
processed by the mod_proxy module. I used the default http-config file to
customize and I have commented out the loadmodule & addmodule statements for
proxy as well as commented out all the other statements in the default
http-config file that have to do with the proxy. To me this means the proxy
module is completely disabled and is not a player in why the  "GET http"
request is being processed.
Further more, the mentioned link says the file size which is 300 in the
above log record should match the file size of my default file I serve up.
The default file I serve up is index.php and the ls -l command shows it's
size to be 7812. Matter of fact I have no files sized smaller than 900.
The CONNECT request has a http status code of 200 which means this request
was serviced by apache and packets were exchanged between my apache server
and the remote targeted server. I do have php5 enabled in my apache. Is this
one of those situations of who has final control of the CONNECT request,
(apache or php)? From what I have read my Maximum Apache Security book,
apache sees the CONNECT request as a valid request type. The book says to
change the http-config file around line 334, the default directory
statements to this to stop the CONNECT request.

SetEnvIf THE_REQUEST CONNECT* drop
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    Deny from env=drop
</Directory>
adding  SetEnvIf THE_REQUEST 'GET http:*' drop      hopefully should drop
those also

The goal here is to Deny CONNECT & GET http requests before they generate
any public internet traffic.




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message