From: Federico del Vall
To: users@httpd.apache.org
Date: Thu, 29 Jul 2010 10:04:22 -0300
Subject: [users@httpd] ProxyRequests Off - not working and httpd being abused as forward proxy

Hi.

I am working on a reverse proxy, which is based on a prior project holding the same configuration running over apache 2.0.40, RedHat 9.

This old project has been working smoothly for years since, no security concerns whatsoever.

The new project is based on Centos 5.5, apache 2.2.3. To my surprise, hackers, or should I say opportunistic users, are using the facility much as an open proxy.

I am aware of the need of "ProxyRequests Off" sentence as a condition for closing the forward proxy service while keeping the reverse mode functional.

We are currently blocking by iptables httpd responses to the irregular traffic, but that in turn leaves our server without local access to Internet as for updates.

The configuration in use is shown.
True domain and IP are masked for our privacy.
Partial log follows.
Any advice shall be truly appreciated.

Friedrick

80.254.162.185 - - [28/May/2010:00:49:27 -0300] "GET http://ya.ru/ HTTP/1.1" 200 8932 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
78.153.208.248 - - [28/May/2010:01:45:10 -0300] "GET http://www.yahoo.com/ HTTP/1.1" 200 8932 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"

ServerName z.zonline.org

<VirtualHost 200.200.200.200:80>
        ServerName z.zonline.org
        ProxyRequests Off
        ProxyPass /                  http://192.168.200.2:8080/
        ProxyPassReverse /           http://192.168.200.2:8080/
        RewriteEngine   On
        RewriteCond     %{SERVER_PORT} ^80$
        RewriteRule     ^/login(.*)$ https://z.zonline.org.ar/login$1 [L,R]
        RewriteRule     ^/tarjeta(.*)$ https://z.zonline.org.ar/card$1 [L,R]
        RewriteLog      "/var/log/httpd/rewrite_z_log"
        CustomLog logs/http-z access combined
        ErrorLog  logs/http-z.errors
</VirtualHost>
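A log triage check for the situation described in the message above, added here as an example and not part of the original post: it picks out requests whose target names a host the server does not serve (absolute-URI or CONNECT form) and groups them by status and response size. The `OWN_HOSTS` set, the function names and the third sample line are assumptions made for the example; reading identical status and size across different requested hosts as "the server answered with its own content" is also an assumption, to be confirmed against the size of the site's own `/` response.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: the two log lines from the message plus one ordinary request.
SAMPLE_LOG = '''\
80.254.162.185 - - [28/May/2010:00:49:27 -0300] "GET http://ya.ru/ HTTP/1.1" 200 8932 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
78.153.208.248 - - [28/May/2010:01:45:10 -0300] "GET http://www.yahoo.com/ HTTP/1.1" 200 8932 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
192.0.2.10 - - [28/May/2010:02:00:00 -0300] "GET /login HTTP/1.1" 302 210 "-" "Mozilla/5.0"
'''

OWN_HOSTS = {"z.zonline.org", "z.zonline.org.ar"}  # assumption: names from the posted config

# Start of a combined-format line: client, timestamp, request line, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def proxy_probes(log_text, own_hosts=OWN_HOSTS):
    """Return (ip, host, status, size) for requests naming a host we do not serve."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        target = m["target"]
        if m["method"] == "CONNECT":
            host = target.rsplit(":", 1)[0]           # CONNECT host:port
        elif "://" in target:
            host = urlsplit(target).hostname or ""    # absolute-URI request target
        else:
            continue                                  # ordinary origin-form request
        if host.lower() not in own_hosts:
            size = 0 if m["size"] == "-" else int(m["size"])
            hits.append((m["ip"], host.lower(), int(m["status"]), size))
    return hits

def same_body_groups(hits):
    """Group foreign hosts by (status, size); a group holding several hosts
    means requests for different sites received an identical response."""
    groups = defaultdict(set)
    for _ip, host, status, size in hits:
        groups[(status, size)].add(host)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    found = proxy_probes(SAMPLE_LOG)
    print(found)
    print(same_body_groups(found))
```

On the two lines quoted in the message, both foreign hosts fall into the single group (200, 8932).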