Posted to docs@httpd.apache.org by sl...@apache.org on 2002/07/25 22:33:05 UTC
cvs commit: httpd-docs-1.3/htdocs/manual/misc FAQ-E.html
slive 2002/07/25 13:33:04
Modified: htdocs/manual/misc FAQ-E.html
Log:
Add a FAQ entry for the proxy-scan issue.
Both this entry and the FAQ as a whole are out of
control size-wise. Suggestions for improvements
are welcome.
Revision Changes Path
1.22 +81 -1 httpd-docs-1.3/htdocs/manual/misc/FAQ-E.html
Index: FAQ-E.html
===================================================================
RCS file: /home/cvs/httpd-docs-1.3/htdocs/manual/misc/FAQ-E.html,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -d -b -u -r1.21 -r1.22
--- FAQ-E.html 30 Jun 2002 20:11:06 -0000 1.21
+++ FAQ-E.html 25 Jul 2002 20:33:04 -0000 1.22
@@ -147,6 +147,9 @@
<li><a href="#serverheader">How can I change the information
that Apache returns about itself in the headers?</a></li>
+ <li><a href="#proxyscan">Why do I see requests for other sites
+ appearing in my log files?</a></li>
+
</ol>
</li>
<!--#endif -->
@@ -851,6 +854,83 @@
are not keen on helping you do something that is intrinsically a bad
idea.</p>
+ <hr /></li>
+
+ <li><a id="proxyscan" name="proxyscan"><strong>Why do I see requests
+ for other sites appearing in my log files?</strong></a>
+
+ <p>A an access_log entry showing this situation could look
+ like this:</p>
+
+ <blockquote><code> 63.251.56.142 - -
+ [25/Jul/2002:12:48:04 -0700] "GET http://www.yahoo.com/
+ HTTP/1.0" 200 1456 </code></blockquote>
+
+ <p>The question is: why did a request for
+ <code>www.yahoo.com</code> come to your server instead of
+ Yahoo's server? And why does the response have a status
+ code of 200 (success)?</p>
+
+ <p>This is usually the result of malicious clients trying to
+ exploit open proxy servers to access a website without
+ revealing their true location. If you find entries like this
+ in your log, the first thing to do is to make sure you have
+ properly configured your server not to proxy for unknown
+ clients. If you don't need to provide a proxy server at all,
+ you should simply assure that the <a
+ href="../mod/mod_proxy.html#proxyrequests">ProxyRequests</a>
+ directive is <strong>not</strong> set <code>on</code>.
+ If you do need to run a proxy server, then you must ensure
+ that you <a href="../mod/mod_proxy.html#access">secure your
+ server properly</a> so that only authorized clients can use
+ it.</p>
+
+ <p>If your server is configured properly, then the attempt to
+ proxy through your server will fail. If you see a status
+ code of <code>404</code> (file not found) in the log, then
+ you know that the request failed. If you see a status code
+ of <code>200</code> (success), that does not necessarily mean
+ that the attempt to proxy succeeded. RFC2616 section 5.1.2
+ mandates that Apache must accept requests with absolute URLs
+ in the request-URI, even for non-proxy requests. Since
+ Apache has no way to know all the different names that your
+ server may be known under, it cannot simply reject hostnames
+ it does not recognize. Instead, it will serve requests for
+ unknown sites locally by stripping off the hostname and using
+ the default server or virtual host. Therefore you can
+ compare the size of the file (1456 in the above example) to
+ the size of the corresponding file in your default server.
+ If they are the same, then the proxy attempt failed, since a
+ document from your server was delivered, not a document from
+ <code>www.yahoo.com</code>.</p>
+
+ <p>If you wish to prevent this type of request entirely, then
+ you need to let Apache know what hostnames to accept and what
+ hostnames to reject. You do this by configuring name-virtual
+ hosts, where the first listed host is the default host that
+ will catch and reject unknown hostnames. For example:</p>
+
+<blockquote>
+<pre>
+NameVirtualHost *
+
+<VirtualHost *>
+ ServerName default.only
+ <Location />
+ Order allow,deny
+ Deny from all
+ </Location>
+</VirtualHost>
+
+<VirtualHost *>
+ ServerName realhost1.example.com
+ ServerAlias alias1.example.com alias2.example.com
+ DocumentRoot /path/to/site1
+</VirtualHost>
+
+...
+</pre>
+</blockquote>
<hr /></li>
</ol>
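Review bot: the default-host example at the end of the hunk (the first `<VirtualHost *>` with `ServerName default.only` and `Deny from all`) rejects more than the forged absolute-URI requests the entry is about: as the catch-all for every request that matches no configured ServerName or ServerAlias it also blocks requests addressed to the server by IP address and HTTP/1.0 requests that send no Host header at all, and the paragraph introducing it ("the first listed host is the default host that will catch and reject unknown hostnames") should warn the reader of that before they paste it into a production config. The same paragraph should also say that this configuration answers such requests with 403, since the preceding paragraph tells the reader to look for 404 as the sign that the proxy attempt failed and 200 as the ambiguous case. Two smaller points: "A an access_log entry showing this situation" should read "An access_log entry showing this situation", and, unless the list archive has unescaped them, the angle brackets inside the `<pre>` block (`<VirtualHost *>`, `<Location />`, `</Location>`, `</VirtualHost>`) need to be written as `&lt;` and `&gt;` as elsewhere in the file, or browsers will swallow them as tags and the example will render empty.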
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org