httpd-users mailing list archives

From Igor Cicimov <icici...@gmail.com>
Subject Re: [users@httpd] Preventing an open proxy with both a single SSL virtual host and a non-SSL virtual host
Date Tue, 18 Feb 2014 15:11:46 GMT
I use this to block relay proxy attempts:

RewriteCond %{THE_REQUEST} ^[A-Z]+\ /?https?:// [NC]
RewriteCond %{THE_REQUEST} !^[A-Z]+\ /?https?://([^.]+\.)?mydomain\.com
RewriteRule .* - [F]


On Wed, Feb 19, 2014 at 2:00 AM, Richard Mixon <rnmixon@custco.biz> wrote:

> Jonas/Yehuda,
>
> The example I chose was a bad one, just rushing to get the mail out I
> guess. The vast majority of the requests have a return of 200, with a few
> 503.
>
> I hope this reply goes through - I've waited a few days. Earlier replies
> to the list keep getting rejected due to SPAM scores - I kept removing
> content, thinking the HTTP access logs were the culprit - but that did not
> work.
>
> I'm also sending it from an additional address I've subscribed.
>
>
> Richard Mixon
> Custom Computer Creations, LLC
> RNMixon@CustCo.biz
> mobile: 480-577-6834
>
>
>
> On Feb 18, 2014, at 1:19 AM, Jonas Eckerman <jonas_lists@truls.org> wrote:
>
> > Just commenting on your logged request, not your config...
> >
> > What was it that made you think you had an open proxy?
> > Was it only requests like the one below?
> > Were they all answered with status 403?
> >
> > Richard Mixon <rnmixon@custco.biz> wrote:
> >
> >> After that we started getting flooded with requests such as the following:
> >
> >> 64.120.77.151 - - [13/Feb/2014:00:03:05 -0700] "GET http://ads.yahoo.com/st?ad_type=iframe&ad_size=160x600&section=4660128&pub_url=${PUB_URL} HTTP/1.0" 403 283 "http://creditsxchange.com/index.php/hotdeal/5536-the-times-of-india" "Mozilla/5.0 (Windows NT 7.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30"
> >
> > You should expect requests like that on any HTTP server open to the
> > internet on port 80, just as you should expect scripted exploit probes.
> >
> > Since your server answered 403 (forbidden) the request logged above is
> > not a problem and does not indicate an open proxy.
> >
> > Regards
> > /jonas
> > --
> > Monypholite gemgas.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
>
>
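
An offline check of the two RewriteCond patterns from the message above, run against constructed request lines and access-log entries. This is an added example, not part of the original thread or of Apache httpd. Python's `re` stands in for Apache's regex matching, and `OWN_DOMAIN_STRICT`, `rule_forbids`, `triage` and the sample hosts are assumptions made for illustration.

```python
import re

# The two RewriteCond patterns as posted, applied to THE_REQUEST.
# [NC] is present only on the first condition, so only it ignores case.
ABSOLUTE_URI = re.compile(r"^[A-Z]+ /?https?://", re.IGNORECASE)
OWN_DOMAIN = re.compile(r"^[A-Z]+ /?https?://([^.]+\.)?mydomain\.com")
# Assumption (not from the thread): a stricter variant that requires the host
# name to end right after ".com" (port, path, space or end of line).
OWN_DOMAIN_STRICT = re.compile(
    r"^[A-Z]+ /?https?://([^.]+\.)?mydomain\.com(?=[:/ ]|$)", re.IGNORECASE)

def rule_forbids(request_line, own=OWN_DOMAIN):
    """True when both conditions hold, i.e. the RewriteRule would answer 403."""
    return bool(ABSOLUTE_URI.search(request_line)) and not own.search(request_line)

# Combined log format: client, ident, user, [time], "request line", status, ...
LOG = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')

def triage(lines, own=OWN_DOMAIN_STRICT):
    """List (client, status, verdict) for absolute-URI requests to foreign hosts."""
    out = []
    for line in lines:
        m = LOG.match(line)
        if not m or not rule_forbids(m.group(2), own):
            continue
        client, status = m.group(1), int(m.group(3))
        # 4xx means the server refused. Anything else needs a look at what was
        # returned: local content from a default vhost, or a proxied response.
        verdict = "refused" if 400 <= status < 500 else "check-response"
        out.append((client, status, verdict))
    return out

SAMPLE = [  # constructed log lines, not taken from the thread
    '192.0.2.10 - - [13/Feb/2014:00:03:05 -0700] "GET http://ads.example.net/st?x=1 HTTP/1.0" 403 283 "-" "-"',
    '192.0.2.11 - - [13/Feb/2014:00:03:06 -0700] "GET http://ads.example.net/st?x=2 HTTP/1.0" 200 5120 "-" "-"',
    '192.0.2.12 - - [13/Feb/2014:00:03:07 -0700] "GET http://www.mydomain.com/ HTTP/1.1" 200 900 "-" "-"',
    '192.0.2.13 - - [13/Feb/2014:00:03:08 -0700] "GET /index.html HTTP/1.1" 200 900 "-" "-"',
    '192.0.2.14 - - [13/Feb/2014:00:03:09 -0700] "GET http://mydomain.com.example.net/ HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

The last sample line shows why the stricter variant is used for triage: the posted second pattern has no boundary after `mydomain\.com`, so a host that merely begins with that name is treated as the site's own.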
