Posted to docs@httpd.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2003/07/23 19:14:34 UTC

Re: Apache 1.3.27 mod_proxy 'docs' issue

The response I received from Jason in r.e. this bugtraq post made one
especially good documentation point;

>The final statements in the ProxyRequests directive documentation are;
>
>http://httpd.apache.org/docs/mod/mod_proxy.html#proxyrequests
>
>  "This allows or prevents Apache from functioning as a proxy server.
>   Setting ProxyRequests to 'off' does not disable use of the ProxyPass
>   directive."

He suggests the converse comment in the ProxyPass directive, that the
ProxyRequests does not affect the ProxyPass directive, and should not
be enabled for reverse proxy configurations.

Bill

At 05:30 PM 7/22/2003, William A. Rowe, Jr. wrote:
>The Security Team responded 13 minutes after Jason's initial report,
>attempting to explain how he had misconfigured his server.  While we
>acknowledge that new directives might be desirable in limited cases, 
>the team determined that this is clearly a user configuration error.
>
>The Apache HTTP Server Documentation Project has been working
>to improve and further clarify the risks of open proxies, including open
>faux-HTTP proxies into SMTP servers.  They actively solicit contributions
>to the documentation (preferably with a patch) for any ambiguous or 
>insufficiently covered topics;
>
>  http://httpd.apache.org/docs-project/
>
>More details follow;
>
>At 11:52 AM 7/22/2003, Jason Robertson wrote:
>>I have found that recently a spammer has been using a mod_proxy 
>>configuration, (that was meant to allow for an easier transition to a 
>>new naming scheme, as well as changes to a backend software) as a spam 
>>relay.  
>>The spammer has been using HTTP POST requests to send these messages
>>with POST HTTP://mailserver:25/ HTTP/1.1  
>>With some research it looks like this is an automated process including 
>>the initial scan stage.
>>
>>When I contacted Apache in regards to this, the response was not very 
>>promising. 
>>
>>This problem would be a simple fix with implementing the AllowConnect 
>>configuration option within proxy_http, to prevent outbound 
>>connections.  
>
>As described in the default configuration, open proxies are never
>recommended [from Apache 1.3.27 conf/httpd.conf-dist];
>
>#
># Proxy Server directives. Uncomment the following lines to
># enable the proxy server:
>#
>#<IfModule mod_proxy.c>
>#    ProxyRequests On
>
>#    <Directory proxy:*>
>#        Order deny,allow
>#        Deny from all
>#        Allow from .your-domain.com
>#    </Directory>
>
>    #
>    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
>    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
>    # Set to one of: Off | On | Full | Block
>    #
>#    ProxyVia On
>
>    #
>    # To enable the cache as well, edit and uncomment the following lines:
>    # (no cacheing without CacheRoot)
>    #
>#    CacheRoot "@@ServerRoot@@/proxy"
>#    CacheSize 5
>#    CacheGcInterval 4
>#    CacheMaxExpire 24
>#    CacheLastModifiedFactor 0.1
>#    CacheDefaultExpire 1
>#    NoCache a-domain.com another-domain.edu joes.garage-sale.com
>
>#</IfModule>
># End of proxy directives.
>
>If (for the purposes of collecting several machines' collective content)
>you are attempting to ProxyPass a number of URIs to different boxes,
>you should NOT be enabling ProxyRequests.
>
>The final statements in the ProxyRequests directive documentation are;
>
>http://httpd.apache.org/docs/mod/mod_proxy.html#proxyrequests
>
>  "This allows or prevents Apache from functioning as a proxy server.
>   Setting ProxyRequests to 'off' does not disable use of the ProxyPass
>   directive."
>
>  "Warning: Do not enable proxying until you have secured your server.
>   Open proxy servers are dangerous both to your network and to the
>   Internet at large."
>
>Access control is briefly illustrated further with additional references in;
>
>http://httpd.apache.org/docs/mod/mod_proxy.html#access
>
>Bill



---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
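One way to check a configuration for the two mistakes Bill describes above (ProxyRequests left On in a reverse-proxy setup, and a forward proxy with no default-deny container), written as an added example for this thread and not code from Apache or from anyone on the list. It understands the 2.0 `<Proxy *>` container and the 1.3 `<Directory proxy:*>` form from the quoted httpd.conf-dist; the three sample fragments are constructed, and the Allow/Deny evaluation is deliberately simplified to "does the block carry Deny from all".

```python
"""Audit an httpd.conf fragment for the mod_proxy pitfalls discussed in this
thread.  Added example with constructed samples; nothing here is Apache code."""
import re

# Constructed: the misconfiguration in the report, a reverse proxy whose
# administrator also switched ProxyRequests on.
SAMPLE_BAD = """
ProxyRequests On
ProxyPass /foo/ http://foo.example.com/bar/
ProxyPassReverse /foo/ http://foo.example.com/bar/
"""

# Constructed: a reverse proxy that leaves ProxyRequests at its default (Off).
SAMPLE_REVERSE = """
ProxyRequests Off
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
ProxyPass /foo/ http://foo.example.com/bar/
ProxyPassReverse /foo/ http://foo.example.com/bar/
"""

# Constructed: a forward proxy restricted to one client domain (2.0 syntax;
# the 1.3 form <Directory proxy:*> from httpd.conf-dist is accepted too).
SAMPLE_FORWARD = """
ProxyRequests On
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from internal.example.com
</Proxy>
ProxyVia On
"""

PROXY_OPEN = re.compile(r"^<Proxy\s+(.+?)>$", re.IGNORECASE)
LEGACY_OPEN = re.compile(r"^<Directory\s+proxy:(.+?)>$", re.IGNORECASE)
CONTAINER_CLOSE = re.compile(r"^</(Proxy|Directory)>$", re.IGNORECASE)


def parse_conf(text):
    """Collect the facts the audit needs: the ProxyRequests setting, ProxyPass
    lines, and the contents of each <Proxy ...> / <Directory proxy:...> block.
    Other containers (<IfModule>, <Location>) are treated as transparent."""
    facts = {"proxy_requests": False, "proxy_pass": [], "proxy_blocks": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, as httpd does
        if not line:
            continue
        m = PROXY_OPEN.match(line) or LEGACY_OPEN.match(line)
        if m:
            current = {"match": m.group(1).strip(), "directives": []}
            facts["proxy_blocks"].append(current)
        elif CONTAINER_CLOSE.match(line):
            current = None
        elif current is not None:
            current["directives"].append(line)
        else:
            parts = line.split(None, 1)
            name = parts[0].lower()
            arg = parts[1].strip() if len(parts) > 1 else ""
            if name == "proxyrequests":
                facts["proxy_requests"] = arg.lower() == "on"
            elif name == "proxypass":
                facts["proxy_pass"].append(arg)
    return facts


def denies_by_default(block):
    """A container closes the proxy to unlisted clients when it carries
    'Deny from all' (with 'Order deny,allow', later Allow lines then admit
    the named clients).  Simplification of the real mod_access rules."""
    return any(re.fullmatch(r"deny\s+from\s+all", d, re.IGNORECASE)
               for d in block["directives"])


def audit(text):
    """Return a list of findings; an empty list means neither pitfall is present."""
    facts = parse_conf(text)
    findings = []
    if facts["proxy_requests"] and facts["proxy_pass"]:
        findings.append("MIXED: ProxyRequests On together with ProxyPass; a reverse "
                        "proxy does not need ProxyRequests, and On makes this host a "
                        "forward proxy as well")
    if facts["proxy_requests"] and not any(
            b["match"] == "*" and denies_by_default(b) for b in facts["proxy_blocks"]):
        findings.append("OPEN: ProxyRequests On without a <Proxy *> (or <Directory "
                        "proxy:*>) block that denies by default; any client can relay "
                        "through this server")
    return findings


if __name__ == "__main__":
    for label, conf in [("bad", SAMPLE_BAD), ("reverse", SAMPLE_REVERSE),
                        ("forward", SAMPLE_FORWARD)]:
        print(label, audit(conf) or ["ok"])
```

Running it reports both findings for the first fragment and nothing for the other two; the reverse-proxy sample passes because ProxyRequests is Off, the forward-proxy sample because its `<Proxy *>` block denies by default.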


Re: Apache 1.3.27 mod_proxy 'docs' issue

Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 23 Jul 2003, William A. Rowe, Jr. wrote:

> At 04:20 PM 7/23/2003, Joshua Slive wrote:
> >Another thought on this issue:
> >
> >Should we include
> >ProxyBlock :25
> >in our recommended configuration?
> >
> >I haven't tested this, but it seems like it should be effective at
> >stopping the http->smtp gateway.  And really, this type of gateway is a
> >bad idea, even on properly secured proxies.
>
> If you look at how restrictive the default AllowConnect directive is, then
> it isn't unreasonable to consider the reporter's original suggestion for some
> AllowProxy directive as well.  Your suggestion would eliminate port 25,
> if it behaves as we expect, but that doesn't solve the problem for other ports.

I thought about this, and the idea of an Allow(Forward)Proxy directive
isn't bad, but I don't think I would want it in the default config.  We
would be encouraging a policy where a proxy administrator would say "http
is only allowed on ports 80 and 8080".  And I think most of us agree that
is silly and doesn't do much to help security.

Joshua.



Re: Apache 1.3.27 mod_proxy 'docs' issue

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 04:20 PM 7/23/2003, Joshua Slive wrote:
>Another thought on this issue:
>
>Should we include
>ProxyBlock :25
>in our recommended configuration?
>
>I haven't tested this, but it seems like it should be effective at
>stopping the http->smtp gateway.  And really, this type of gateway is a
>bad idea, even on properly secured proxies.

If you look at how restrictive the default AllowConnect directive is, then
it isn't unreasonable to consider the reporter's original suggestion for some
AllowProxy directive as well.  Your suggestion would eliminate port 25,
if it behaves as we expect, but that doesn't solve the problem for other ports.

Bill




Re: Apache 1.3.27 mod_proxy 'docs' issue

Posted by Joshua Slive <jo...@slive.ca>.
Attached are a few updates for the 2.0 mod_proxy docs that attempt to
clear up the forward/reverse issue, provide some safe examples (to replace
the ones removed from the default config) and do a little clean-up.

An html version is here:
http://cvs.apache.org/~slive/manual/mod/mod_proxy.html

Review by proxy wizards (or others) would be appreciated.

I suppose I can backport this to 1.3.  (I hate having to commit the same
changes to three different places.)

Joshua.

Index: mod_proxy.xml
===================================================================
RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_proxy.xml,v
retrieving revision 1.20
diff -u -d -b -u -r1.20 mod_proxy.xml
--- mod_proxy.xml	2 Jul 2003 09:12:36 -0000	1.20
+++ mod_proxy.xml	23 Jul 2003 20:54:53 -0000
@@ -52,66 +52,98 @@
 <seealso><module>mod_proxy_connect</module></seealso>
 <seealso><module>mod_ssl</module></seealso>

-<section id="configs"><title>Common configuration topics</title>
-    <ul>
-    <li><a href="#forwardreverse">Forward and Reverse Proxies</a></li>
-    <li><a href="#access">Controlling access to your proxy</a></li>
-    <li><a href="#mimetypes">Why doesn't file type <var>xxx</var> download via
-    FTP?</a></li>
-    <li><a href="#type">How can I force an FTP ASCII download of File
-    <var>xxx</var>?</a></li>
-    <li><a href="#percent2fhack">How can I access FTP files outside of my home
-    directory?</a></li>
-    <li><a href="#ftppass">How can I hide the FTP cleartext password in my
-    browser's URL line?</a></li>
-    <li><a href="#startup">Why does Apache start more slowly when using the
-    proxy module?</a></li>
-    <li><a href="#intranet">What other functions are useful for an intranet
-    proxy server?</a></li>
-    <li><a href="#envsettings">How can I make the proxy talk HTTP/1.0 and
-    disable keepalives?</a></li>
-    </ul>
-
     <section id="forwardreverse"><title>Forward and Reverse Proxies</title>
       <p>Apache can be configured in both a <dfn>forward</dfn> and
       <dfn>reverse</dfn> proxy configuration.</p>

-      <p>A <dfn>forward proxy</dfn> is an intermediate system that enables a
-      browser to connect to a remote network to which it normally does not have
-      access. A forward proxy can also be used to cache data, reducing load on
-      the networks between the forward proxy and the remote webserver.</p>
+      <p>An ordinary <dfn>forward proxy</dfn> is an intermediate
+      server that sits between the client and the <em>origin
+      server</em>.  In order to get content from the origin server,
+      the client sends a request to the proxy naming the origin server
+      as the target and the proxy then requests the content from the
+      origin server and returns it to the client.  The client must be
+      specially configured to use the forward proxy to access other
+      sites.</p>

-      <p>Apache's <module>mod_proxy</module> can be figured to behave like a
-      forward proxy using the <directive module="mod_proxy"
-      >ProxyRemote</directive> directive. In addition, caching of data can be
-      achieved by configuring <module>mod_cache</module>. Other dedicated
-      forward proxy packages include <a href="http://www.squid-cache.org/"
-      >Squid</a>.</p>
+      <p>A typical usage of a forward proxy is to provide Internet
+      access to internal clients that are otherwise restricted by a
+      firewall.  The forward proxy can also use caching (as provided
+      by <module>mod_cache</module>)to reduce network usage.</p>

-      <p>A <dfn>reverse proxy</dfn> is a webserver system that is capable of
-      serving webpages sourced from other webservers - in addition to webpages
-      on disk or generated dynamically by CGI - making these pages look like
-      they originated at the reverse proxy.</p>
+      <p>The forward proxy is activated using the <directive
+      module="mod_proxy">ProxyRequests</directive> directive.  Because
+      forward proxys allow clients to access arbitrary sites through
+      your server and to hide their true origin, it is essential that
+      you <a href="#access">secure your server</a> so that only
+      authorized clients can access the proxy before activating a
+      forward proxy.</p>

-      <p>When configured with the mod_cache module the reverse proxy can act as
-      a cache for slower backend webservers. The reverse proxy can also enable
-      advanced URL strategies and management techniques, allowing webpages
-      served using different webserver systems or architectures to coexist
-      inside the same URL space. Reverse proxy systems are also ideal for
-      implementing centralised logging websites with many or diverse website
-      backends. Complex multi-tier webserver systems can be constructed using an
-      <module>mod_proxy</module> frontend and any number of backend
-      webservers.</p>
+      <p>A <dfn>reverse proxy</dfn>, by contrast, appears to the
+      client just like an ordinary web server.  No special
+      configuration on the client is necessary.  The client makes
+      ordinary requests for content in the name-space of the reverse
+      proxy.  The reverse proxy then decides where to send those
+      requests, and returns the content as if it was itself the
+      origin.</p>

-      <p>The reverse proxy is configured using the <directive
-      module="mod_proxy">ProxyPass</directive> and <directive
-      module="mod_proxy">ProxyPassReverse</directive> directives. Caching can be
-      enabled using mod_cache as with the forward proxy.</p>
+      <p>A typical usage of a reverse proxy is to provide Internet
+      users access to an server that is behind a firewall.  Reverse
+      proxies can also be used to balance load among several back-end
+      servers, or to provide caching for a slower back-end server.
+      In addition, reverse proxies can be used simply to bring
+      several servers into the same URL space.</p>
+
+      <p>A reverse proxy is activated using the <directive
+      module="mod_proxy">ProxyPass</directive> directive or the
+      <code>[P]</code> flag to the <directive
+      module="mod_rewrite">RewriteRule</directive> directive.  It is
+      <strong>not</strong> necessary to turn <directive
+      module="mod_proxy">ProxyRequests</directive> on in order to
+      configure a reverse proxy.</p>
     </section> <!-- /forwardreverse -->

+    <section id="examples"><title>Basic Examples</title>
+
+    <p>The examples below are only a very basic idea to help you
+    get started.  Please read the documentation on the individual
+    directives.</p>
+
+    <p>In addition, if you wish to have caching enabled, consult
+    the documentation from <module>mod_cache</module>.</p>
+
+    <example><title>Forward Proxy</title>
+    ProxyRequests On<br />
+    <br />
+    &lt;Proxy *&gt;<br />
+    <indent>
+      Order deny,allow<br />
+      Deny from all<br />
+      Allow from internal.example.com<br />
+    </indent>
+    &lt;/Proxy&gr;<br />
+    <br />
+    ProxyVia On
+    </example>
+
+    <example><title>Reverse Proxy</title>
+    ProxyRequests Off<br />
+    <br />
+    &lt;Proxy *&gt;<br />
+    <indent>
+      Order deny,allow<br />
+      Allow from all<br />
+    </indent>
+    &lt;/Proxy&gt;<br />
+    <br />
+    ProxyPass /foo/ http://foo.example.com/bar/<br />
+    ProxyPassReverse /foo http://foo.example.com/bar/
+    </example>
+    </section> <!-- /examples -->
+
+
     <section id="access"><title>Controlling access to your proxy</title>
       <p>You can control who can access your proxy via the <directive
-      module="mod_proxy" type="section">Proxy</directive> control block using
+      module="mod_proxy" type="section">Proxy</directive> control block as in
       the following example:</p>

       <example>
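Review bot: the Forward Proxy example closes its container with `&lt;/Proxy&gr;` (the line after `</indent>`), which is not a valid entity and will break the XML build; it should be `&lt;/Proxy&gt;` as in the Reverse Proxy example. In the Reverse Proxy example the two paths differ (`ProxyPass /foo/ http://foo.example.com/bar/` vs `ProxyPassReverse /foo http://foo.example.com/bar/`); use `/foo/` in both so the backend's Location headers are rewritten for the prefix actually proxied. Minor prose: "forward proxys" should be "forward proxies", "to an server" should be "to a server", and a space is missing in `<module>mod_cache</module>)to`.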
@@ -124,11 +156,14 @@
         &lt;/Proxy&gt;
       </example>

-      <p>When configuring a reverse proxy, access control takes on the
-      attributes of the normal server <directive module="core" type="section"
-      >Directory</directive> configuration.</p>
+      <p>For more information on access control directives, see
+      <module>mod_access</module>.</p>
+
     </section> <!-- /access -->

+   <section id="ftp-proxy"><title>FTP Proxy</title>
+
+
     <section id="mimetypes"><title>Why doesn't file type <var>xxx</var>
     download via FTP?</title>
       <p>You probably don't have that particular file type defined as
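Review bot: the new `<section id="ftp-proxy">` opens with two blank lines and no text before the nested `<section id="mimetypes">`; a one-sentence lead-in, at the four-space indent the neighbouring sections use, would keep the generated HTML consistent. The removed paragraph was also the only place this section said anything about access control on a reverse proxy; since the Reverse Proxy example added earlier in this patch relies on a `<Proxy *>` block with `Allow from all`, a sentence here noting that `<Proxy>` blocks apply to ProxyPass'd requests as well would preserve that information alongside the pointer to mod_access.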
@@ -215,9 +250,8 @@
         might intercept your password on its way.</p>
       </note>
     </section> <!-- /ftppass -->
-
-    <section id="startup"><title>Why does Apache start more slowly when using
-    the proxy module?</title>
+   </section> <!-- /ftpproxy -->
+    <section id="startup"><title>Slow Startup</title>
       <p>If you're using the <directive module="mod_proxy"
       >ProxyBlock</directive> directive, hostnames' IP addresses are looked up
       and cached during startup for later match test. This may take a few
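Review bot: the closing comment `</section> <!-- /ftpproxy -->` does not match the id `ftp-proxy` used when the section is opened; make it `<!-- /ftp-proxy -->`. The closing tag is indented three spaces where the sibling sections use four, and dropping the blank line before `<section id="startup">` makes the two adjacent closing tags harder to tell apart when reading the source.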
@@ -225,8 +259,7 @@
       occur.</p>
     </section> <!-- /startup -->

-    <section id="intranet"><title>What other functions are useful for an
-    intranet proxy server?</title>
+    <section id="intranet"><title>Intranet Proxy</title>
       <p>An Apache proxy server situated in an intranet needs to forward
       external requests through the company's firewall. However, when it has to
       access resources within the intranet, it can bypass the firewall when
@@ -246,8 +279,7 @@
       files will then contain fully qualified hosts.</p>
     </section> <!-- /intranet -->

-    <section id="envsettings"><title>How can I make the proxy talk HTTP/1.0 and
-    disable keepalives?</title>
+    <section id="envsettings"><title>Disable keepalives</title>
       <p>For circumstances where you have a application server which doesn't
       implement keepalives or HTTP/1.1 properly, there are 2 environment
       variables which when set send a HTTP/1.0 with no keepalive. These are set
@@ -266,7 +298,6 @@
         &lt;/Location&gt;
       </example>
     </section> <!-- /envsettings -->
-</section>

 <directivesynopsis type="section">
 <name>Proxy</name>
@@ -509,6 +540,10 @@
     >Location</directive> section, the first argument is ommitted and the local
     directory is obtained from the <directive type="section" module="core"
     >Location</directive>.</p>
+
+    <note type="warning">The <directive
+    module="mod_proxy">ProxyRequests</directive> should usually be set
+    <strong>off</strong> when using <directive>ProxyPass</directive>.</note>

     <p>If you require a more flexible reverse-proxy configuration, see the
     <directive module="mod_rewrite">RewriteRule</directive> directive with the
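Review bot: the warning reads "The ProxyRequests should usually be set off", which is missing the word "directive" after the `<directive>` element; also `<directive>ProxyPass</directive>` omits the `module="mod_proxy"` attribute the adjacent ProxyRequests reference carries. Since the ProxyRequests documentation already states that Off does not disable ProxyPass, it would help to say so here as well, for example: ProxyRequests should usually be Off when using ProxyPass; it is not needed for reverse proxying, and On turns the server into a forward proxy.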



Re: Apache 1.3.27 mod_proxy 'docs' issue

Posted by Mads Toftum <ma...@toftum.dk>.
On Wed, Jul 23, 2003 at 05:25:45PM -0400, Cliff Woolley wrote:
> Assuming it works, then I like it in as much as any anti-spam measure is
> good in my opinion, but at the same time it doesn't stop people from
> having open HTTP proxies by the same misconfiguration, which are harmful
> to the Net at large (if in a different way).
> 
I agree. From looking at my own access log on an empty site, there are even
more attempts to proxy to all sorts of ports than IIS worms. One very common
and regularly attempted from ever-changing IPs is:
"CONNECT 1.3.3.7:1337 HTTP/1.0"
The question is whether we can actually make the docs clear enough (seeing
that people already ignore the big warning boxes) or maybe something
stronger along the lines of -DBIG_SECURITY_HOLE is needed? or something
less drastic like renaming ProxyRequests to ForwardProxy?
I don't have any exact figures for this, but it does appear to me (looking
at local rbl stats) that open proxies are becoming much more popular
among spammers than the old open relays.


vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall
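Mads's log excerpt and Jason's `POST HTTP://mailserver:25/` request are the signatures an administrator would want to watch for. The script below, an added example for this thread and not code from Apache or from anyone on the list, classifies Combined Log Format lines by whether the request line asks for forward proxying (an absolute URI or a CONNECT), flags port 25 targets and CONNECTs to ports other than the 443/563 that AllowConnect permits by default, and separates requests the server actually served from ones it refused. The log lines, host names and `OWN_HOSTS` are constructed; `1.3.3.7:1337` is the target quoted in Mads's message.

```python
"""Spot proxy-abuse attempts in an Apache access log.  Added example with
constructed log lines; the classification rules are this example's own."""
import re
from urllib.parse import urlsplit

# Constructed sample in Combined Log Format (sizes and timestamps invented).
SAMPLE_LOG = """
192.0.2.10 - - [22/Jul/2003:11:52:01 -0500] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [22/Jul/2003:11:52:05 -0500] "POST http://mail.example.net:25/ HTTP/1.1" 200 612
198.51.100.7 - - [22/Jul/2003:11:52:09 -0500] "CONNECT 1.3.3.7:1337 HTTP/1.0" 403 299
203.0.113.44 - - [22/Jul/2003:11:53:30 -0500] "GET http://www.example.org/ HTTP/1.0" 403 299
192.0.2.10 - - [22/Jul/2003:11:54:00 -0500] "CONNECT secure.example.com:443 HTTP/1.1" 200 0
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)')

OWN_HOSTS = {"www.example.com"}   # constructed: names this server answers for itself
CONNECT_OK_PORTS = {443, 563}     # what mod_proxy's AllowConnect permits by default


def target_host_port(method, target):
    """Return (host, port) when the request line names another server, i.e.
    a CONNECT host:port or an absolute URI; None for an ordinary path."""
    if method.upper() == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep:
            return target, None
        return host, (int(port) if port.isdigit() else None)
    if "://" not in target:
        return None
    u = urlsplit(target)
    default = 443 if u.scheme.lower() == "https" else 80
    try:
        return (u.hostname or ""), (u.port or default)
    except ValueError:                # non-numeric port in the URI
        return (u.hostname or ""), None


def classify(line):
    """Return a finding dict for a proxy-style request, or None for benign lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m["method"], m["target"]
    hp = target_host_port(method, target)
    if hp is None:
        return None
    host, port = hp
    if method.upper() != "CONNECT" and host.lower() in OWN_HOSTS:
        return None                   # absolute-form request for this server itself is legitimate
    if port == 25:
        kind = "smtp-relay"           # the HTTP-to-SMTP gateway from the report
    elif method.upper() == "CONNECT":
        if port in CONNECT_OK_PORTS:
            return None
        kind = "connect-tunnel"       # CONNECT to a port AllowConnect would not permit by default
    else:
        kind = "forward-proxy"        # plain forward-proxy request to a third party
    return {"client": m["client"], "method": method.upper(), "target": target,
            "status": int(m["status"]), "kind": kind}


def scan_log(text):
    """All flagged requests in a log, in file order."""
    return [e for e in (classify(l) for l in text.splitlines()) if e]


def relayed(events):
    """Flagged requests the server answered with a non-error status, i.e.
    the ones the proxy actually carried out; these deserve first attention."""
    return [e for e in events if e["status"] < 400]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for e in found:
        print(e["kind"], e["client"], e["method"], e["target"], e["status"])
    print("relayed:", len(relayed(found)), "of", len(found))
```

On the sample this flags three of the five lines, and only the port-25 POST is in the relayed set: the 403 responses show the `<Proxy>` access rules doing their job, while a 200 on a port-25 target is the configuration problem Jason hit.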




Re: Apache 1.3.27 mod_proxy 'docs' issue

Posted by Cliff Woolley <jw...@virginia.edu>.
On Wed, 23 Jul 2003, Joshua Slive wrote:

> ProxyBlock :25

Assuming it works, then I like it in as much as any anti-spam measure is
good in my opinion, but at the same time it doesn't stop people from
having open HTTP proxies by the same misconfiguration, which are harmful
to the Net at large (if in a different way).

--Cliff



Re: Apache 1.3.27 mod_proxy 'docs' issue

Posted by Joshua Slive <jo...@slive.ca>.
Another thought on this issue:

Should we include
ProxyBlock :25
in our recommended configuration?

I haven't tested this, but it seems like it should be effective at
stopping the http->smtp gateway.  And really, this type of gateway is a
bad idea, even on properly secured proxies.

Joshua.
