Re: Preventing an open proxy with both a single SSL virtual host and a non-SSL virtual host

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Are those odd requests actually working? From your log it look like they
get a 403 error which is exactly what your configuration is saying should
happen.

- Y

(Had to remove your links so this would get through the spam filter)

On Thu, Feb 13, 2014 at 2:16 AM, Richard Mixon <rnmixon@xxxxxxxxxx> wrote:
>
> We've setup a new Apache server on Centos 6.4, httpd 2.2.15.
>
> The site is running SSL with a single Wordpress virtual host. We do use mod_proxy to forward some requests to back-end systems our CAS authentication system and a couple of other back-end systems we need a limited amount of content from. We've done this often in the past, but this configuration is a bit different.
>
> All was fine until we created a simple (additional) virtual host on port 80 for the sole purpose of redirecting users that forgot to type in the https in the url. After that we started getting flooded with requests such as the following:
>
> 64.120.77.151 - - [13/Feb/2014:00:03:05 -0700] "GET <<<<>>>> HTTP/1.0" 403 283 "<<<<>>>>" "Mozilla/5.0 (Windows NT 7.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30"
>
> We shut the port 80 virtual host down and everything was returned to normal and we started looking for a solution. We came across what appeared to be a couple of excellent articles that addressed the problem:
>
> 1) The "Why do I see requests for other sites appearing in my log files?" section at http://wiki.apache.org/httpd/FAQ
>
> 2) The solution on this posting http://serverfault.com/questions/283200/my-virtualhosts-overlap-and-my-namevirtualhost-has-no-virtualhosts
>
> Well what seemed a nice clear solution has not worked so well. I'm thinking it is because we have both a single SSL virtual host and a (now two) non-SSL host.
>
> Our main httpd.conf file contains:
>   ...
>   ## ***************
>   #Listen 80
>   Listen 443
>   ## ***************
>   ...
>   NameVirtualHost *:80
>   NameVirtualHost *:443
>   ...
>   Include conf/VirtualHost.d/*.conf
>
> then we have what is now a single Virtual Host config file - but was originally three (01-vhost.conf, 02-vhost.conf and 03-vhost.conf), I combined them thinking the ordering might not be correct.
>
> Anyway here's the content of the Virtual hosts config:
>
> # Purpose is to prevent open proxy configuration.
> # This Virtual Host config must be named so it appears first,
> # i.e. 00-default.only.conf
> <VirtualHost *:80>
>     ServerName default.only
>     ErrorLog logs/default.only-error_log
>     CustomLog logs/default.only-access_log combined
>     <Location />
>       Order allow,deny
>       Deny from all
>     </Location>
> </VirtualHost>
>
> # This is the virtual host we really need on port 80
> <VirtualHost *:80>
>     ServerAdmin RNMixon@xxxxxxxxxx
>     DocumentRoot /var/www/community.acmeinc.com
>     ServerName community.acmeinc.com
>     ErrorLog logs/community.acmeinc.com-error_log
>     CustomLog logs/community.acmeinc.com-access_log combined
>
>     ProxyRequests Off
>     ProxyPreserveHost Off
>
>     RewriteCond %{HTTP_HOST} ^community\.acmeinc\.com [NC]
>     RewriteRule / https://community.acmeinc.com/ [L,R,NE]
>
> </VirtualHost>
>
> # This is the main real virtual host
> <VirtualHost *:443>
>     ServerAdmin RNMixon@xxxxxxxxxx
>     ServerName community.acmeinc.com
>     ErrorLog logs/community.acmeinc.com.ssl-error_log
>     CustomLog logs/community.acmeinc.com.ssl-access_log combined
>
>         SSLEngine on
>         SSLProtocol all -SSLv2
>         SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>         SSLCertificateFile /etc/pki/tls/certs/community_acmeinc_com.crt
>         SSLCertificateKeyFile /etc/pki/tls/private/community.acmeinc.com.key
>         SSLCertificateChainFile /etc/pki/tls/certs/community_acmeinc_com.ca-bundle
>         SSLProxyEngine On
>         SSLProxyCACertificateFile /etc/tomcat7/tomcat-server.pem
>
>     ProxyRequests On
>     ProxyPreserveHost On
>
>     <Location /cas/>
>       ProxyPass https://community.acmeinc.local:8443/cas/
>       ProxyPassReverse https://community.acmeinc.local:8443/cas/
>     </Location>
>
>     <Proxy https://community.acmeinc.local:8443/cas/>
>       AllowOverride None
>       Order allow,deny
>       Allow from All
>     </Proxy>
>
>     <Location /TicketSales/>
>       ProxyPass http://www.acmeinc.local/TicketSales/
>       ProxyPassReverse http://www.acmeinc.local/TicketSales/
>     </Location>
>
>     <Proxy http://www.acmeinc.local/TicketSales/>
>       AllowOverride None
>       Order allow,deny
>       Allow from All
>     </Proxy>
>
>     <Location /rhythm/>
>       ProxyPass https://community.acmeinc.local:8443/rhythm/
>       ProxyPassReverse https://community.acmeinc.local:8443/rhythm/
>     </Location>
>
>     <Proxy https://community.acmeinc.local:8443/rhythm/>
>       AllowOverride None
>       Order allow,deny
>       Allow from All
>     </Proxy>
>
>     DocumentRoot /var/www/community.acmeinc.com
>     <Directory /var/www/community.acmeinc.com>
>         Options Indexes FollowSymLinks MultiViews
>         AllowOverride all
>         Order allow,deny
>         allow from all
>     </Directory>
>
> </VirtualHost>
>
> Problem - if we uncomment the "Listen 80" directive to let the port 80 virtual hosts work, we become an open proxy again.
>
> Here is the output from a dump of the virtual host config:
>
> /usr/sbin/httpd -t -D DUMP_VHOSTS
> VirtualHost configuration:
> wildcard NameVirtualHosts and _default_ servers:
> *:443                  is a NameVirtualHost
>          default server community.acmeinc.com (/etc/httpd/conf/VirtualHost.d/01-community.acmeinc.com.conf:30)
>          port 443 namevhost community.acmeinc.com (/etc/httpd/conf/VirtualHost.d/01-community.acmeinc.com.conf:30)
> *:80                   is a NameVirtualHost
>          default server default.only (/etc/httpd/conf/VirtualHost.d/01-community.acmeinc.com.conf:4)
>          port 80 namevhost default.only (/etc/httpd/conf/VirtualHost.d/01-community.acmeinc.com.conf:4)
>          port 80 namevhost community.acmeinc.com (/etc/httpd/conf/VirtualHost.d/01-community.acmeinc.com.conf:15)
> Syntax OK
>
> What am I missing? Any help or hints is greatly appreciated.
>
> Thank you -
>
>
> --
> Richard Mixon
> Custom Computer Creations, L.L.C.
> mobile: (480) 577-6834 office: (480) 614-3442
> email: rnmixon@xxxxxxxxxx <mailto:rnmixon@xxxxxxxxxx>
> Microsoft Partner ID: 1263725
> The messages and documents transmitted with this notice contain confidential information belonging to the sender. If you are not the intended recipient of this information, you are hereby notified that any disclosure, copying, distribution or use of the information is strictly prohibited. If you have received this transmission in error, please notify the sender immediately.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux