Re: mod_proxy - Restrict Outgoing Connections

Hi Igor,

First, thanks for the fast response!
----- "Hannes" <hannes.flocke@xxxxxx> wrote:

Hi HTTPD Users,

I'm using Apache 2.2 on Debian (Kernel 2.6) as a proxy for my web applications.

So far I got it all working, including SSL and stuff. But when I had a look at the access.log, I saw hundreds of (mostly GET) requests to URLs which are not mine.

I'm not really sure what this means, but I think some bots are using the proxy to access other sites. Can that be?

I turned

ProxyRequests Off

<Proxy *>
      Order deny,allow
      Allow from all
</Proxy>

With Allow/Deny from all, I can only restrict who can request the proxy, but I need to restrict the proxy to only forward requests to localhost.

Do I have to do that with iptables or is it possible within Apache?


First and foremost: Are you talking about a reverse proxy, or a forward proxy?
  
I'm not sure about the names, but I think I'm using it as a reverse proxy. I'm using ProxyPass and ProxyPassReverse to integrate my web application with Apache.

Here's some output from the access log:
178.140.66.211 - - [18/Oct/2010:10:26:06 +0200] "GET http://counter.rambler.ru/top100.cnt?2159955 HTTP/1.1" 404 12750 "http://spyrt.ru" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;"
64.154.21.207 - - [18/Oct/2010:10:26:08 +0200] "CONNECT login.icq.com:443 HTTP/1.0" 500 8308 "-" "Mozilla/7.00 [en] (WinNT; U ;Nav)"
82.83.86.100 - - [18/Oct/2010:12:01:08 +0200] "CONNECT 206.222.227.2:443 HTTP/1.0" 500 8303 "-" "-"
66.178.238.195 - - [18/Oct/2010:12:01:12 +0200] "CONNECT login.icq.com:443 HTTP/1.0" 500 8303 "-" "Mozilla/7.00 [en] (WinNT; U ;Nav)"
64.154.21.207 - - [18/Oct/2010:12:01:15 +0200] "CONNECT login.icq.com:443 HTTP/1.0" 500 8303 "-" "Mozilla/7.00 [en] (WinNT; U ;Nav)"
61.225.129.90 - - [18/Oct/2010:12:01:15 +0200] "GET http://www.yahoo.com/ HTTP/1.1" 200 4853 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; EmbeddedWB 14.52 from: http://www.bsalsa.com/ EmbeddedWB 14.52; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
61.225.129.90 - - [18/Oct/2010:12:01:16 +0200] "CONNECT edit.yahoo.com:443 HTTP/1.1" 500 8303 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )"
95.21.138.206 - - [18/Oct/2010:12:01:21 +0200] "GET http://images.google.com/ HTTP/1.1" 200 15488 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; .NET CLR 1.1.4322; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)"
69.15.164.139 - - [18/Oct/2010:12:01:23 +0200] "CONNECT login.icq.com:443 HTTP/1.0" 500 8303 "-" "Mozilla/7.00 [en] (WinNT; U ;Nav)"
178.161.129.26 - - [18/Oct/2010:12:01:29 +0200] "GET http://images.google.com/ HTTP/1.1" 200 15488 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; .NET CLR 1.1.4322; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)"

If we're talking about a reverse proxy then:

* ProxyRequests Off is a good thing, and the way it should be.
* in this case the GET requests to foreign URLs should result in
  403s
* <Proxy *> Allow from all -- is the way it should be, unless
  you only want a specific target group to access it.

Most of the time the requests end in a 500/404 but sometimes in 200 (ok). But I think that's the response from the foreign site, or?

Do you have any idea how I can check if this stuff is going out?

thanks.
If we're talking about a forward proxy.

* ProxyRequests needs to be On -- since we're actually a forward proxy
* In this case, the GET requests to foreign URLs will result
  in 100, 20x, 30x results.
* You should limit your forward proxy's visibility via <Proxy *> allow from 127.0.0


The problem with limiting your server on IP level on the firewall is
that it's hard to distinguish between a customer doing a valid request
and one doing a proxy request to a foreign URL -- on IP level, that is.

  
thanks!
Hannes

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
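One way to answer the "how can I check if this stuff is going out" question from the access log itself. This is an added example, not code from the thread or from the Apache project: it parses combined-format lines, keeps only proxy-style requests (an absolute URI in the request line, or a CONNECT tunnel) whose host is not a local backend, and tallies their status codes, since a 2xx on such a line means the server actually served the request. The sample lines are taken from the thread plus one constructed local request; the LOCAL_HOSTS set is an assumption about which backends are legitimate.

```python
import re
from collections import Counter

# Constructed sample: three lines quoted in the thread plus one ordinary local request.
SAMPLE_LOG = """\
178.140.66.211 - - [18/Oct/2010:10:26:06 +0200] "GET http://counter.rambler.ru/top100.cnt?2159955 HTTP/1.1" 404 12750 "http://spyrt.ru" "Mozilla/4.0"
64.154.21.207 - - [18/Oct/2010:10:26:08 +0200] "CONNECT login.icq.com:443 HTTP/1.0" 500 8308 "-" "Mozilla/7.00 [en] (WinNT; U ;Nav)"
61.225.129.90 - - [18/Oct/2010:12:01:15 +0200] "GET http://www.yahoo.com/ HTTP/1.1" 200 4853 "-" "Mozilla/4.0"
10.0.0.5 - - [18/Oct/2010:12:02:00 +0200] "GET /app/index.html HTTP/1.1" 200 1234 "-" "curl/7.21"
"""

# Combined log format: client ident user [time] "method target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ABS_URI_RE = re.compile(r'^[a-z][a-z0-9+.\-]*://([^/:?#]+)', re.I)

# Assumption: the only hosts the reverse proxy is meant to reach.
LOCAL_HOSTS = {"localhost", "127.0.0.1"}

def foreign_target(method, target):
    """Return the third-party host named by a proxy-style request (CONNECT host:port
    or an absolute URI), or None for an origin-form path or a local target."""
    if method.upper() == "CONNECT":
        host = target.rsplit(":", 1)[0]
    else:
        m = ABS_URI_RE.match(target)
        if not m:
            return None
        host = m.group(1)
    return None if host in LOCAL_HOSTS else host

def audit(log_text):
    """Collect (client, method, host, status) for every proxy-style request to a
    foreign host and tally the status codes; a 2xx means the request was served."""
    findings, statuses = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined/common log format, skip
        host = foreign_target(m["method"], m["target"])
        if host is None:
            continue
        status = int(m["status"])
        statuses[status] += 1
        findings.append((m["client"], m["method"], host, status))
    return findings, statuses

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Run it against the real access.log with `audit(open("/var/log/apache2/access.log").read())`; a non-empty 2xx tally for foreign hosts is the signal that responses from other sites are passing through the server.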