
I've been trying to set up apache (port 80) as a reverse proxy to a nodejs server (port 3000) and I made the mistake of launching my apache server with ProxyRequests On. I discovered this error after hundreds of thousands of spam proxy requests ballooned the access.log file and my small 8GB dev server crashed with no disk space. Now I'm trying to figure out the proper way to secure my virtual host.

My virtualhost config to route all requests from port 80 to 3000 (my nodejs server)

<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com

    DocumentRoot /var/www/path-to-my-site

    ProxyRequests Off
    ProxyPass / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
    ProxyTimeout 60
</VirtualHost>

I think this config should work but I'm not sure how to verify it. I start apache and I still see requests like these (none of these are my domain).

208.115.232.246 - - [04/May/2020:11:06:03 -0400] "CONNECT bcqapi.muuky.cc:8043 HTTP/1.1" 502 383
208.115.232.246 - - [04/May/2020:13:29:27 -0400] "GET http://finalcheat.pw/ HTTP/1.1" 200 9368 
91.199.118.175 - - [04/May/2020:11:06:04 -0400] "GET http://205.198.7.143/ HTTP/1.1" 200 9368 
91.199.118.175 - - [04/May/2020:11:06:04 -0400] "GET http://205.198.7.143/ HTTP/1.1" 200 9368 
91.199.118.175 - - [04/May/2020:11:06:04 -0400] "GET http://205.198.7.143/ HTTP/1.1" 404 1089
208.115.232.250 - - [04/May/2020:11:06:13 -0400] "CONNECT www.hg77733.net:443 HTTP/1.1" 502 383
208.115.232.206 - - [04/May/2020:12:26:24 -0400] "GET http://www.7mx1.com/user/signup/ HTTP/1.1" 403 214

I would expect the server to hand out 502 and 403 errors to these requests but the 200 and 404 errors concern me. Doesn't that imply those requests were accepted by the server and my server is still insecure? If so how do I prevent requests from other domains?

If my config is secure, is there a way to prevent logging these requests altogether so I don't run out of disk space?

Dan

1 Answer


You have two concepts mixed up: proxy requests, and plain requests with a random or forged hostname. A little explanation is needed to answer your question.

A plain HTTP request has a "Host:" header, which is always filled with something. If your browser wants to see example1.com, it resolves its address and connects to that address with an HTTP request carrying a "Host: example1.com" header. That server can host both example1.com and example2.com, so Apache always knows which domain was really requested and can behave differently. This has nothing to do with proxying; it's just the way HTTP works, and there is no restriction on what can be put in the Host header. The main point is that in this scenario the web server is intended to serve the request by itself.

A proxy HTTP request is when the client connects to the server and uses proxy headers, assuming the server is there for proxying, not for serving web pages. The main point is that this time the server is intended to relay the request to someone else.

ProxyPass and ProxyPassReverse are what mixes it all up. It's called a transparent proxy when the web server is intended to serve the request by itself but relays this request to someone else, and this is the way you are using it now. In this scenario the request was not of the proxy type, but the server behaved like a proxy. The main point is that the server behaved as a proxy not because of the request, but because of the configuration the administrator supplied, and also the client has no idea that this request was proxied.

Based on experience I can say those requests are not in any way connected with your mistake with ProxyRequests. Every possible public IP address is constantly tested with every possible exploit from all over the world. Only the CONNECT records can be treated as someone still thinking you have an open proxy server.

So, answering your questions:

  1. Why are you still not answering 404 or 502 on all requests? Because nobody is checking the Host header. Nodejs (most probably) does not care which Host was requested, and your Apache configuration puts all requests into one virtual host without checking it either. It would be better if you limited responses to the real name you want to serve:
ProxyRequests Off
<VirtualHost *:80>

    # Dumb landing site

    DocumentRoot /var/www/landing # This directory should contain small index.html with "Domain not configured"

</VirtualHost>
<VirtualHost *:80>

    # Real site answering only on my.server.net

    DocumentRoot /var/www/path-to-my-site
    ServerName my.server.net
    ServerAlias www.my.server.net
    ProxyPass / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
    ProxyTimeout 60

</VirtualHost>

To be sure, try to call your public server by its IP; most likely you will get the simple "Domain not configured" page. This is how you can be sure that your nodejs will get no misconfigured requests and a smaller amount of harmful ones.

  2. Can you remove those requests from the logs? Maybe, but it's strongly recommended not to do so, because if someone wants to DDoS you, or you have another disaster, you will have far fewer options to discover it. But you may define different log files for different virtual hosts, so most of the trash will go to the log of the landing virtual host.

  3. Running out of disk space. Any public web server will have tons of trash in its logs, so you should always consider log rotation.

  4. Is your config secure? That depends. First, yes: you have disabled proxy requests, if you have checked the "ProxyRequests" directive in all Apache configs. Second, no: it's generally not a good thing to pass / to any server; better to pass only the needed context instead (like /app only), but this depends on what requests this nodejs server should serve. Third, no: you should consider using https just to be sure no existing session data can be compromised; this also depends.

kab00m
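The distinction the answer draws (a forward-proxy-style request versus an ordinary request with an arbitrary Host header) can be read straight off the request line in the access log, which is also the quickest way to check the question's own log excerpt. The script below is an added example, not code from the question or the answer: it parses Apache common-format lines, classifies each request-target as origin-form ("GET /path"), absolute-form ("GET http://host/", what a client sends to a forward proxy) or authority-form ("CONNECT host:port"), and lists the proxy-style requests that still received a 2xx, plus the clients sending the most of them. The sample log is constructed from the lines quoted in the question with one ordinary request added for contrast; the client address 198.51.100.23 and its request are made up.

```python
import re
from collections import Counter

# Constructed sample log: the lines quoted in the question plus one ordinary
# origin-form request (198.51.100.23, invented) for contrast. Not real traffic.
SAMPLE_LOG = """\
208.115.232.246 - - [04/May/2020:11:06:03 -0400] "CONNECT bcqapi.muuky.cc:8043 HTTP/1.1" 502 383
208.115.232.246 - - [04/May/2020:13:29:27 -0400] "GET http://finalcheat.pw/ HTTP/1.1" 200 9368
91.199.118.175 - - [04/May/2020:11:06:04 -0400] "GET http://205.198.7.143/ HTTP/1.1" 200 9368
91.199.118.175 - - [04/May/2020:11:06:04 -0400] "GET http://205.198.7.143/ HTTP/1.1" 404 1089
208.115.232.250 - - [04/May/2020:11:06:13 -0400] "CONNECT www.hg77733.net:443 HTTP/1.1" 502 383
208.115.232.206 - - [04/May/2020:12:26:24 -0400] "GET http://www.7mx1.com/user/signup/ HTTP/1.1" 403 214
198.51.100.23 - - [04/May/2020:14:00:00 -0400] "GET /index.html HTTP/1.1" 200 4120
"""

# Apache "common" log format: client ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# scheme "://" at the start of the request-target marks absolute-form
ABSOLUTE_URI_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://')


def request_form(request_line):
    """Classify the request-target of an HTTP request line (RFC 7230 section 5.3).

    origin-form     "GET /path HTTP/1.1"           a normal request to this server
    absolute-form   "GET http://host/ HTTP/1.1"    what a client sends to a forward proxy
    authority-form  "CONNECT host:443 HTTP/1.1"    a tunnel request, only meaningful to a proxy
    """
    parts = request_line.split(" ")
    if len(parts) != 3:
        return "malformed"
    method, target, _version = parts
    if method == "CONNECT":
        return "authority-form"
    if ABSOLUTE_URI_RE.match(target):
        return "absolute-form"
    if target.startswith("/") or target == "*":
        return "origin-form"
    return "malformed"


def parse_log(text):
    """Parse common-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
        rec["form"] = request_form(rec["request"])
        rec["proxy_style"] = rec["form"] in ("absolute-form", "authority-form")
        records.append(rec)
    return records


def proxy_style_successes(records):
    """Proxy-style requests that still got a 2xx: the ones worth a second look."""
    return [r for r in records if r["proxy_style"] and 200 <= r["status"] < 300]


def noisiest_clients(records, n=3):
    """Clients sending the most proxy-style requests (candidates for firewall rules)."""
    return Counter(r["client"] for r in records if r["proxy_style"]).most_common(n)


def summarize(records):
    """Count records per (request form, status) pair."""
    return Counter((r["form"], r["status"]) for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (form, status), count in sorted(summarize(recs).items()):
        print(f"{form:15} {status} x{count}")
    for r in proxy_style_successes(recs):
        print("proxy-style 2xx:", r["client"], r["request"], r["bytes"], "bytes")
    print("noisiest proxy-style clients:", noisiest_clients(recs))
```

Run against the real access.log (read the file instead of SAMPLE_LOG), the byte count in the "proxy-style 2xx" lines is the useful check: if those responses have the size of your own front page rather than of the requested site, the server answered with its own content, which is the behaviour the answer describes and not an open proxy. In the question's excerpt the two different absolute-form targets both returned 9368 bytes, which is consistent with that, but only comparing against the size of your own page confirms it.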