Re: mod_proxy - Restrict Outgoing Connections

Hannes <hannes.flocke@xxxxxx> · Mon, 18 Oct 2010 12:04:27 +0200

----- "Hannes" <hannes.flocke@xxxxxx> wrote:

Hi HTTPD Users,

I'm using Apache 2.2 on Debian (Kernel 2.6) as a proxy for my web 
applications .

So far I got it all working, including SSL and stuff. But when I had a

look at the access.log, I saw hundreds of (mostly GET) requests to URL

which are not mine.

I'm not really sure what this means, but I think some bots are using
the 
proxy to access other sites. Can that be?

I turned

ProxyRequests Off

<Proxy *>
      Order deny,allow
      Allow from all
</Proxy>

With Allow/Deny from all, I can only restrict who can request the
proxy, 
but I need to restrict the proxy to only forward request to
localhost.

Do I've to do that with iptables or is it possible within Apache?

First and foremost: Are you talking about a reverse proxy, or a forward proxy?

178.140.66.211 - - [18/Oct/2010:10:26:06 +0200] "GET
http://counter.rambler.ru/top100.cnt?2159955 HTTP/1.1" 404 12750
"http://spyrt.ru" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;"

64.154.21.207 - - [18/Oct/2010:10:26:08 +0200] "CONNECT
login.icq.com:443 HTTP/1.0" 500 8308 "-" "Mozilla/7.00 [en] (WinNT; U
;Nav)"

82.83.86.100 - - [18/Oct/2010:12:01:08 +0200] "CONNECT
206.222.227.2:443 HTTP/1.0" 500 8303 "-" "-"

66.178.238.195 - - [18/Oct/2010:12:01:12 +0200] "CONNECT
login.icq.com:443 HTTP/1.0" 500 8303 "-" "Mozilla/7.00 [en] (WinNT; U
;Nav)"

64.154.21.207 - - [18/Oct/2010:12:01:15 +0200] "CONNECT
login.icq.com:443 HTTP/1.0" 500 8303 "-" "Mozilla/7.00 [en] (WinNT; U
;Nav)"

61.225.129.90 - - [18/Oct/2010:12:01:15 +0200] "GET
http://www.yahoo.com/ HTTP/1.1" 200 4853 "-" "Mozilla/4.0 (compatible;
MSIE 7.0; Windows NT 5.1; EmbeddedWB 14.52 from: http://www.bsalsa.com/
EmbeddedWB 14.52; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"

61.225.129.90 - - [18/Oct/2010:12:01:16 +0200] "CONNECT
edit.yahoo.com:443 HTTP/1.1" 500 8303 "-" "Mozilla/4.0 (compatible;
MSIE 7.0; Windows NT 5.1; Maxthon; Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1) )"

95.21.138.206 - - [18/Oct/2010:12:01:21 +0200] "GET
http://images.google.com/ HTTP/1.1" 200 15488 "-" "Mozilla/4.0
(compatible; MSIE 7.0; Windows NT 6.0; WOW64; .NET CLR 1.1.4322; Media
Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C;
.NET4.0E)"

69.15.164.139 - - [18/Oct/2010:12:01:23 +0200] "CONNECT
login.icq.com:443 HTTP/1.0" 500 8303 "-" "Mozilla/7.00 [en] (WinNT; U
;Nav)"

178.161.129.26 - - [18/Oct/2010:12:01:29 +0200] "GET
http://images.google.com/ HTTP/1.1" 200 15488 "-" "Mozilla/4.0
(compatible; MSIE 7.0; Windows NT 6.0; WOW64; .NET CLR 1.1.4322; Media
Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C;
.NET4.0E)"

If we're talking about a reverse proxy then:

* ProxyRequests Off is a good thing, and the way it should be.
* in this case the GET requests to foreign URLs should result in
  403s
* <Proxy *> Allow from all -- is the way it should be, unless
  you only want a specific target group to access it.

If we're talking about a forward proxy.

* ProxyRequests needs to be On -- since we're actually a forward proxy
* In this case, the GET requests to foreign URLs will result
  in 100, 20x, 30x results.
* You should limit your forward proxy's visibility via <Proxy *> allow from 127.0.0

The problem with limiting your server on IP level on the firewall is
that it's hard to distinguish between a customer doing a valid request
and one doing a proxy request to a foreign URL -- on IP level, that is.

thanks!
Hannes

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx