Re: mod_proxy - Restrict Outgoing Connections


 



----- "Hannes" <hannes.flocke@xxxxxx> wrote:

> Hi HTTPD Users,
> 
> I'm using Apache 2.2 on Debian (Kernel 2.6) as a proxy for my web
> applications.
> 
> So far I got it all working, including SSL and stuff. But when I had a
> look at the access.log, I saw hundreds of (mostly GET) requests to URLs
> which are not mine.
> 
> I'm not really sure what this means, but I think some bots are using
> the proxy to access other sites. Can that be?
> 
> I turned
> 
> ProxyRequests Off
> 
> <Proxy *>
>       Order deny,allow
>       Allow from all
> </Proxy>
> 
> 
> With Allow/Deny from all, I can only restrict who can request the
> proxy, but I need to restrict the proxy to only forward requests to
> localhost.
> 
> Do I have to do that with iptables or is it possible within Apache?


First and foremost: Are you talking about a reverse proxy, or a forward proxy?

If we're talking about a reverse proxy then:

* ProxyRequests Off is a good thing, and the way it should be.
* in this case the GET requests to foreign URLs should result in
  403s
* <Proxy *> Allow from all -- is the way it should be, unless
  you only want a specific target group to access it.

If we're talking about a forward proxy:

* ProxyRequests needs to be On -- since we're actually a forward proxy
* In this case, the GET requests to foreign URLs will result
  in 100, 20x, 30x results.
* You should limit your forward proxy's visibility via <Proxy *> allow from 127.0.0


The problem with limiting your server on IP level on the firewall is
that it's hard to distinguish between a customer doing a valid request
and one doing a proxy request to a foreign URL -- on IP level, that is.

> thanks!
> Hannes
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@xxxxxxxxxxxxxx
URL: http://brainsware.org/
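
Added example, not part of the original message: a small access.log triage script that separates proxy-style requests (absolute-URI targets naming a foreign host, or CONNECT) by whether the server refused them (4xx/5xx) or answered with a 1xx/2xx/3xx that needs a closer look. The log lines, the host name `myapp.example` and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Apache common log format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2010:13:55:36 +0200] "GET http://www.example.org/ad.php HTTP/1.1" 403 212
203.0.113.7 - - [10/Oct/2010:13:55:37 +0200] "CONNECT mail.example.net:25 HTTP/1.0" 405 234
198.51.100.4 - - [10/Oct/2010:13:55:40 +0200] "GET /app/login HTTP/1.1" 200 5120
203.0.113.9 - - [10/Oct/2010:13:56:01 +0200] "GET http://www.example.com/ HTTP/1.1" 200 48213
198.51.100.4 - - [10/Oct/2010:13:56:05 +0200] "GET http://myapp.example/app/ HTTP/1.1" 200 900
"""

# client, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# absolute-form target: scheme://host[:port]/...
ABS_URI_RE = re.compile(r'^[a-z][a-z0-9+.-]*://([^/:]+)', re.I)

def classify(line, own_hosts):
    """Return (client, verdict) for a foreign proxy-style request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, target, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
    if method.upper() == "CONNECT":
        host = target.rsplit(":", 1)[0]          # authority-form: host:port
    else:
        u = ABS_URI_RE.match(target)
        if not u:
            return None                          # ordinary "GET /path" request
        host = u.group(1)
    if host.lower() in own_hosts:
        return None                              # absolute URI for our own site
    # 4xx/5xx: the server refused. Anything else is not proof of relaying by
    # itself; compare the response size against your own pages before concluding.
    return client, ("refused" if status >= 400 else "review")

def summarize(log_text, own_hosts):
    """Count refused/review proxy-style requests per client address."""
    counts = Counter()
    for line in log_text.splitlines():
        result = classify(line, own_hosts)
        if result:
            counts[result] += 1
    return counts

if __name__ == "__main__":
    for (client, verdict), n in sorted(summarize(SAMPLE_LOG, {"myapp.example"}).items()):
        print(f"{client:15} {verdict:8} {n}")
```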
