3

We have an Apache server that works as a proxy for apps running on different ports. For example:

domain.com/app1/service1  >  localhost:101
domain.com/app1/service2  >  localhost:102
domain.com/app2/service1  >  localhost:201

The rules to determine the application port are rather complex, so I use a script to do that with mod_rewrite:

RewriteEngine On
RewriteMap mapper prg:/foler/rewriteUrl.sh
RewriteRule ^(.*)$ ${mapper:%{REQUEST_URI}} [P]

The problem I'm having is that, looking at the logs, there are a lot of requests from bots getting content from other web sites. I tested whether I could proxy content from other servers, and I could:

telnet domain.com 80
GET http://www.yahoo.com/ HTTP/1.1
Host: www.yahoo.com

Here I get content from Yahoo, which means that anyone can connect to my server and start making requests to other servers.

I've seen that Apache recommends securing your proxy as stated here:

http://httpd.apache.org/docs/trunk/mod/mod_proxy.html#access

But the problem is that I don't know in advance what IPs will use my server, so my question is: how do I solve this issue while still letting anyone make requests to my apps?

Some additional information:

  • All my apps are in the same machine as my Apache server
  • If I need to move my apps to different servers, they are still going to be on my intranet
  • I have mod_proxy, mod_proxy_http and mod_rewrite enabled

Thanks

dgaviola

1 Answer

0

If I understand correctly what you are doing, you don't need a forward proxy, but a gateway, because all you are proxying are requests from the WAN to the intranet, i.e. a reverse proxy. Why not just disable ProxyRequests?

ProxyRequests Off

ProxyRequests Directive

This allows or prevents Apache httpd from functioning as a forward proxy server. (Setting ProxyRequests to Off does not disable use of the ProxyPass directive.)

In a typical reverse proxy or gateway configuration, this option should be set to Off.

dawud
  • Yes, that's disabled, but still proxies everything. What I've done so far to prevent proxying any request is to add a new RewriteCond so it only proxies URLs from my domain, but not sure if that's the best way to do it. – dgaviola Jul 31 '13 at 12:38
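
An allow-list version of the mapper script from the question, as an added example that is not the poster's script or part of either post: it returns a backend only for known local routes and NULL (the prg map's lookup-failure value) for everything else, so no key can be mapped to a foreign host. The routing table is constructed from the three mappings in the question, and forwarding the path unchanged to the backend is an assumption.

```shell
#!/bin/sh
# Added example: allow-list mapper for a "RewriteMap ... prg:" program.
# mod_rewrite writes one lookup key per line to stdin and reads one line
# back; the four-character string NULL means "no mapping".

# Constructed routing table built from the three mappings in the question.
# The real, more complex port rules would replace this function.
backend_for() {
    case "$1" in
        /app1/service1|/app1/service1/*) echo "http://localhost:101" ;;
        /app1/service2|/app1/service2/*) echo "http://localhost:102" ;;
        /app2/service1|/app2/service1/*) echo "http://localhost:201" ;;
        *) return 1 ;;
    esac
}

# map_uri KEY: print a local backend URL, or NULL for anything else.
map_uri() {
    key=$1
    case "$key" in
        /*) ;;                      # only origin-form paths are accepted
        *)  echo NULL; return 0 ;;  # e.g. http://www.yahoo.com/ is refused
    esac
    # Refuse scheme-relative keys, characters outside a conservative set
    # (this also excludes ":" and "@"), and dot-segments.
    case "$key" in
        //*|*[!A-Za-z0-9/._~-]*|*/../*|*/..) echo NULL; return 0 ;;
    esac
    if base=$(backend_for "$key"); then
        echo "${base}${key}"        # assumption: path is forwarded unchanged
    else
        echo NULL
    fi
}

# One answer line per key line, as the prg: map protocol expects.
serve() {
    while IFS= read -r key; do
        map_uri "$key"
    done
}

# Run the loop only when installed under the name used in the RewriteMap
# line, so the file can also be sourced to exercise map_uri on its own.
case "$0" in
    *rewriteUrl.sh) serve ;;
esac
```

A failed lookup expands to an empty string in the RewriteRule, so pair the script with a RewriteCond that requires a non-empty map result before the [P] rule applies.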