Home / server / Questions / 60002
Accepted
Chris_K
Asked: 2009-08-29 06:34:01 +0800 CST

mod_proxy -- should I be nervous?

  • 772

To the best of my knowledge, I have all the mod_proxy stuff disabled on my Apache production server. What's a reasonable way to test or confirm that? Looking at my httpd.conf I can tell you that any line that has "proxy" in it is commented, for what that's worth.

Reason I ask is that I saw this stuff in my logwatch report this morning:

 Connection attempts using mod_proxy:
   81.88.124.30 -> 64.12.202.116:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.15:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.1:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.22:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.29:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.36:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.43:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.50:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.8:443: 1 Time(s)

 Requests with error response codes
   403 Forbidden
      64.12.202.116:443: 1 Time(s)
      64.12.202.15:443: 1 Time(s)
      64.12.202.1:443: 1 Time(s)
      64.12.202.22:443: 1 Time(s)
      64.12.202.29:443: 1 Time(s)
      64.12.202.36:443: 1 Time(s)
      64.12.202.43:443: 1 Time(s)
      64.12.202.50:443: 1 Time(s)
      64.12.202.8:443: 1 Time(s)

Not something that's normally in my reports. So it looks like he got 403'd on the attempts, which I guess is good. But what made him feel it was worth a try?

apache-2.2 security mod-proxy

5 Answers

  1. Best Answer

    Maybe he/she/it was trying to figure out if it was worth a try. It costs them nothing to just send a proxy request to a server and see if it works, so usually they send out these requests indiscriminately.

    FYI one surefire way to make sure mod_proxy is disabled is to make sure the line

    LoadModule mod_proxy.so proxy_module

    is commented out. It should only occur in the configuration files once, but it wouldn't hurt to grep for it to make sure. Also, you can run

    apache2ctl -M

    (or perhaps some equivalent for your system, on mine it's /etc/init.d/apache2 modules) to list the loaded modules and verify that the proxy module is not in the list.

    • 7

  2. To test to make sure you're not an open proxy, just telnet to port 80, and send:

    GET http://www.google.com/ HTTP/1.0

    (you need two two line returns at the end, but it's being eaten). You should get back a 404 page. If you get back Google, you're open.

    • 2

  3. On Apache 2.x by default even if the mod_proxy module is enabled, proxying is disabled via the following directive default value;

    ProxyRequests Off

    If you set it to On then you are an open proxy - otherwise AFAIK you should be safe.

    https://httpd.apache.org/docs/2.0/mod/mod_proxy.html#proxyrequests

    • 2

  4. You can have ProxyRequests off, mod_proxy not loaded, and still get a 200 response. I ran across a configuration on a client's web server that caused this behavior - the default virtualhost had an .htaccess directive that sent all requests through a php script, and the 'page not found' page returned a 200 response code. You could request literally anything and never get a 404 error. Not an ideal situation, but not an open proxy either. It's hell on search engine indexers.. LOL

    • 1

  5. FWIW, the best way to ensure that it is not loaded is by deleting the module from your drive and then re-starting apache.

    • 0