Re: Spam Using SMTP "Over" HTTP-Proxy

[Chris Knight <Ch...@nasa.gov>]

Joshua Slive wrote:

>I think we've done pretty-much all we can.  I wouldn't mind putting a
>little note on the httpd.apache.org homepage saying "Have you secured your
>proxy?" and point to the correct docs.
>  
>
What about sending a warning message to stderr/error_log upon startup if 
the proxy is not access controlled?

...HTTPS proxying is even worse and could be used to mount a variety of 
TCP attacks.

RE: Spam Using SMTP "Over" HTTP-Proxy

["William A. Rowe, Jr." <wr...@apache.org>]

At 02:41 PM 9/4/2003, Joshua Slive wrote:

>> Seriously, we could add a default deny for outgoing port
>> 25 (smtp) and 6660-6670 (irc) proxied connections.
>> This won't really hurt anyone as I don't see any reasons
>> why anybody would want that. A special "AllowProxyPorts 25 6660-6670"
>> directive could then turn those ports open too.
>> We could even try to limit it to defaultly allowing only
>> the proxying of port 80 and 443 and denying the rest for instance.
>
>Bill Wrowe is a fan of the last idea.  I'm neutral about making it the
>default, but I think it would be good to make it configurable.
>
>You should be specific here, however.  We are talking about a directive
>that would allow *outgoing* proxy connections only on specific ports.  For
>example
>AllowForwardProxy 80 8080 8888

I'm thinking even a patternmatch might not be a bad idea, just crufty as
all can be...

AllowForwardProxy *80

Food for thought.

Bill

RE: Spam Using SMTP "Over" HTTP-Proxy

[Jeroen Massar <je...@unfix.org>]

-----BEGIN PGP SIGNED MESSAGE-----

Joshua Slive [mailto:joshua@slive.ca] wrote:

> On Thu, 4 Sep 2003, Jeroen Massar wrote:
> > Requiring a "IKnowIAmOperatingAOpenProxy" flag that needs to
> > be set explicitly would be a better idea then :)
> 
> That's what the ProxyRequests directive does.  Giving it a silly name
> isn't going to help ;-)

True, nothing much we can do about people not reading the docs :(

> > Seriously, we could add a default deny for outgoing port
> > 25 (smtp) and 6660-6670 (irc) proxied connections.
> > This won't really hurt anyone as I don't see any reasons
> > why anybody would want that. A special "AllowProxyPorts 25 6660-6670"
> > directive could then turn those ports open too.
> > We could even try to limit it to defaultly allowing only
> > the proxying of port 80 and 443 and denying the rest for instance.
> 
> Bill Wrowe is a fan of the last idea.  I'm neutral about making it the
> default, but I think it would be good to make it configurable.
> 
> You should be specific here, however.  We are talking about a 
> directive that would allow *outgoing* proxy connections only on 
> specific ports.  For example
> AllowForwardProxy 80 8080 8888

That could be the default then, if people would require other
ports they would either need to add them or specify "All" if
they are really sure of what they are doing.

We should also convince packagers that they never include the
All option per default or as a simple configuration option.
If someone wants it, let them read the doc, which should contain
the "you are opening up as an open relay" warning.

Greets,
 Jeroen

-----BEGIN PGP SIGNATURE-----
Version: Unfix PGP for Outlook Alpha 13 Int.
Comment: Jeroen Massar / jeroen@unfix.org / http://unfix.org/~jeroen/

iQA/AwUBP1hHximqKFIzPnwjEQK6VgCfSJkykyhb+jvWp/ShzWrDcflhFxgAn26c
RKAczDl/QqHK5kk8w8Mcvtqb
=NT/J
-----END PGP SIGNATURE-----

RE: Spam Using SMTP "Over" HTTP-Proxy

[Joshua Slive <jo...@slive.ca>]

On Thu, 4 Sep 2003, Jeroen Massar wrote:
> Requiring a "IKnowIAmOperatingAOpenProxy" flag that needs to
> be set explicitly would be a better idea then :)

That's what the ProxyRequests directive does.  Giving it a silly name
isn't going to help ;-)

> Seriously, we could add a default deny for outgoing port
> 25 (smtp) and 6660-6670 (irc) proxied connections.
> This won't really hurt anyone as I don't see any reasons
> why anybody would want that. A special "AllowProxyPorts 25 6660-6670"
> directive could then turn those ports open too.
> We could even try to limit it to defaultly allowing only
> the proxying of port 80 and 443 and denying the rest for instance.

Bill Wrowe is a fan of the last idea.  I'm neutral about making it the
default, but I think it would be good to make it configurable.

You should be specific here, however.  We are talking about a directive
that would allow *outgoing* proxy connections only on specific ports.  For
example
AllowForwardProxy 80 8080 8888

Joshua.

RE: Spam Using SMTP "Over" HTTP-Proxy

[Jeroen Massar <je...@unfix.org>]

-----BEGIN PGP SIGNED MESSAGE-----

Joshua Slive [mailto:joshua@slive.ca] wrote:

> I don't think that is feasible.  There are MANY ways to do 
> access control in apache.
> 
> Sending a message along the lines of "Your server is 
> configured to proxy requests to arbitrary servers." whenever ProxyRequests is On 
> would be a possibility.

That would indeed help, but how many redhat/debian/... read
the logs when it works ?

Requiring a "IKnowIAmOperatingAOpenProxy" flag that needs to
be set explicitly would be a better idea then :)

Seriously, we could add a default deny for outgoing port
25 (smtp) and 6660-6670 (irc) proxied connections.
This won't really hurt anyone as I don't see any reasons
why anybody would want that. A special "AllowProxyPorts 25 6660-6670"
directive could then turn those ports open too.
We could even try to limit it to defaultly allowing only
the proxying of port 80 and 443 and denying the rest for instance.

Greets,
 Jeroen

-----BEGIN PGP SIGNATURE-----
Version: Unfix PGP for Outlook Alpha 13 Int.
Comment: Jeroen Massar / jeroen@unfix.org / http://unfix.org/~jeroen/

iQA/AwUBP1ePfCmqKFIzPnwjEQKGWACffesaa690wCAFBWKxF4ae7IjeICIAn1e5
9dvAvWU3n9iGcLFTeiYxuphu
=Aj1Q
-----END PGP SIGNATURE-----

Re: Spam Using SMTP "Over" HTTP-Proxy

[Joshua Slive <jo...@slive.ca>]

On Tue, 2 Sep 2003, Chris Knight wrote:

> Joshua Slive wrote:
>
> >I think we've done pretty-much all we can.  I wouldn't mind putting a
> >little note on the httpd.apache.org homepage saying "Have you secured your
> >proxy?" and point to the correct docs.
> >
> >
> What about sending a warning message to stderr/error_log upon startup if
> the proxy is not access controlled?

I don't think that is feasible.  There are MANY ways to do access control
in apache.

Sending a message along the lines of "Your server is configured to proxy
requests to arbitrary servers." whenever ProxyRequests is On would be a
possibility.

> ...HTTPS proxying is even worse and could be used to mount a variety of
> TCP attacks.

The AllowConnect directive restricts that.

Joshua.