Posted to modperl@perl.apache.org by Greg Stark <gs...@mit.edu> on 2000/08/22 02:56:27 UTC

problem with mod_proxy/mod_rewrite being used for the front-end proxy

This isn't entirely on-topic but it's a solution often suggested for mod_perl
users so I suspect there are other users here being bitten by the same
problems. In fact the manner in which the problems manifest is such that it's
possible that many mod_perl users who are using mod_rewrite/mod_proxy to run
a reverse proxy in front of their heavyweight perl servers have a security
problem and don't even know it.

The problem is that the solution written in the mod_rewrite guide for a
reverse proxy doesn't work as advertised to block incoming proxy requests.

RewriteRule    ^(http|ftp)://.*          -  [F]

This is supposed to block incoming proxy requests that aren't specifically
created by the rewrite rules that follow.

The problem is that both mod_rewrite and mod_proxy have changed, and this
seems to no longer catch the incoming proxy requests. Instead mod_rewrite
seems to see just the path part of the URI, i.e., /foo/bar/baz.pl without the
http://.../.

I've even tried using %{THE_REQUEST} which actually matches, and says it's
forcing the response to be forbidden, then it happily proxies the request
anyway!


I'm using a

 <Directory proxy:*>
  deny from all
 </Directory>
 <Directory proxy:http://127.0.0.1/>
  allow from all
 </Directory>

section to at least avoid being an open proxy to the outside world, but I
cannot find any way in 1.3.12 to refuse all proxy requests coming from the
outside.

If you're not aware of the problem at all and have merely followed the advice
of the mod_rewrite guide you are probably an open proxy, allowing attackers to
use your web server to attack other sites anonymously.

-- 
greg
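Added example, not part of Greg's post: since the [F] rule may report a forbidden response and still let the request be proxied, one way to find out whether your own front-end has been acting as an open proxy is to scan its access log for request lines whose target is an absolute URI (or a CONNECT) to a host you don't serve, and which were not refused. The log lines, the LOCAL_HOSTS set and the function names below are constructed for this illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache "common" log format (not real traffic).
# Line 2 and 3 are proxied to foreign hosts and were served (status 200);
# line 4 is an absolute URI for our own host; line 5 was correctly refused.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Aug/2000:02:56:27 +0000] "GET /foo/bar/baz.pl HTTP/1.0" 200 512
203.0.113.9 - - [22/Aug/2000:02:57:01 +0000] "GET http://www.example.net/ HTTP/1.0" 200 4096
203.0.113.9 - - [22/Aug/2000:02:57:02 +0000] "CONNECT mail.example.org:25 HTTP/1.0" 200 -
10.0.0.5 - - [22/Aug/2000:02:58:10 +0000] "GET http://www.mysite.example/index.html HTTP/1.1" 200 1024
198.51.100.7 - - [22/Aug/2000:02:59:44 +0000] "GET http://www.example.com/ HTTP/1.0" 403 -
"""

# Common log format: client ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Hostnames this server legitimately answers for (constructed placeholder set).
LOCAL_HOSTS = {"www.mysite.example", "127.0.0.1"}


def classify_request(method, target, local_hosts=LOCAL_HOSTS):
    """Return 'connect', 'proxy' or 'local' for one request line.

    A plain path (what mod_rewrite sees in the author's case) is local; an
    absolute URI is a proxy request unless its host is one we serve ourselves.
    """
    if method.upper() == "CONNECT":
        return "connect"
    if "://" in target:
        host = (urlsplit(target).hostname or "").lower()
        return "local" if host in local_hosts else "proxy"
    return "local"


def find_proxy_abuse(log_text, local_hosts=LOCAL_HOSTS):
    """List (client, method, target, status) for proxy/CONNECT requests that
    were not refused with 403, i.e. evidence the server acted as an open proxy."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or differently formatted lines
        kind = classify_request(m["method"], m["target"], local_hosts)
        if kind != "local" and m["status"] != "403":
            hits.append((m["client"], m["method"], m["target"], int(m["status"])))
    return hits
```

Any hit from an outside client address means the deny rules are not doing what the mod_rewrite guide suggests, whatever the rewrite log claims.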