Home / server / Questions / 75502
In Process
brad
Asked: 2009-10-18 07:08:40 +0800 CST

mod_proxy security

  • 772

I'm on Debian Lenny using apache2. in my proxy.conf I tried adding 

Allow from localhost

as suggested in some other forums to get proxying to work. Didn't work. It only worked if I say 

Allow from all

My question is this. Are there any security implications to this Allow from all directive? Most people were saying to make this as limited as possible, but "all" is the client right? I want anyone regardless of their IP to be forwarded properly. Is there a better way to configure this?

security

2 Answers

  1. So the answer is allowing proxy at the top from the whole world puts you back to apache1.3 level of security, which is fine if you're careful about using mod_proxy.

    Here's how I do proxy's in apache2.2 to retain the careful restrictions, in this case a proxy to my APT cache:

    <VirtualHost *:80>
        Servername apt.lan

        ProxyPass               / http://127.0.0.1:1723/
        ProxyPassReverse        / http://127.0.0.1:1723/

        <Proxy http://127.0.0.1:1723/>
                Order allow,deny
                Deny from none
                Allow from all
        </Proxy>
</VirtualHost>

    Obviously only the "Proxy" lines and block are relevant to the question, but I thought I should include a full example.

    • 1

  2. I think I'd need to know a bit more about your configuration. "ProxyRequests" is the critical directive. it determines if your server will act as an HTTP proxy. if so, this is a serious security risk because anyone can connect to the web through your server. I'm sure people are scanning for this kind of hole regularly.

    however, if your ALLOW rule is in a "Directory" or "Location" directive, it's probably less of an issue, as long as you want that directory to be accessible by the internet.

    • 0