
I'm using Apache as a reverse proxy for several different projects. PCI-DSS compliance scanning shows that my Apache has the HTTP CONNECT method enabled,

as stated on Acunetix's site: http://www.acunetix.com/vulnerabilities/apache-proxy-http-connect-metho/

As far as I know, CONNECT is used by the web server to tunnel SSL to application server.

Any suggestion on how I should fix this?

Otherwise, does anyone know how I should test whether my Apache's HTTP CONNECT method is enabled or disabled?

I don't have much experience in networking or in configuring Apache. Correct me if I wrote something silly.

John

2 Answers


You only need to allow the CONNECT method when you use a forward proxy configuration; in a reverse proxy configuration you won't even need to enable the CONNECT method.

Apache should be configured to function as the "man-in-the-middle", if you will, or rather as an SSL offloader or SSL termination point, since the config is not malicious.

Typically Apache is configured with your public SSL certificates, and the requests that Apache forwards to your application server are over plain HTTP. If you consider your own LAN hostile you can forward over HTTPS as well, but then Apache will establish a second HTTPS connection.

<VirtualHost 1.2.3.4:443>
  ServerName www.example.com
  SSLEngine on
  SSLCertificateFile /some/path/to/public.cert
  SSLCertificateKeyFile /some/path/to/key
  ProxyPass /app http://appserver.int.example.com/app
  ProxyPassReverse /app http://appserver.int.example.com/app
</VirtualHost>

Or alternatively:

  ProxyPass /app https://appserver.int.example.com/app
  ProxyPassReverse /app https://appserver.int.example.com/app
HBruijn
  • But, the problem is I can't find the "switch" to turn off / disable / disallow CONNECT method in the first place. – John Nov 12 '13 at 08:24
  • 1
    There should be `LoadModule proxy_connect_module modules/mod_proxy_connect.so` in your httpd.conf (or in the conf.d/*.conf includes). Comment that out and restart apache. – HBruijn Nov 12 '13 at 08:51
  • Thanks! This is actually working. The reason I keep getting back the same vulnerability from our scanning provider is due to our network's configuration. – John Dec 09 '13 at 09:10
  • I'm building Apache 2.4 by loading required modules statically, I'm getting a "CONNECT: HTTP/1.1 400 Bad Request" instead of 405 (Method Not Allowed) error code using nmap scan even though I've disabled "mod_proxy_connect" during the build. Any idea what could be the problem here? – Say No To Censorship Feb 08 '18 at 18:04
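The question asks how to verify for yourself whether CONNECT is honoured, and the comments above note that a refusal may come back as 400 rather than the textbook 405. The following is an added example for this thread, not code from any of the posters: it sends a single CONNECT request to the proxy and classifies the status line. Only a 2xx reply means a tunnel was opened (the scanner's finding); 405, 403, 400 or any other status all mean the server refused to tunnel, which is the expected result on a reverse-proxy-only host. The host names and the tunnel target are constructed placeholders.

```python
"""Check whether an Apache front end honours the HTTP CONNECT method.

Added example (not from the answers above). A 2xx reply means the server
opened a tunnel, i.e. CONNECT is enabled; any other status means the request
was refused, which is what you want on a reverse-proxy-only host.
"""
import socket
import sys
from typing import Optional

# Constructed placeholder; replace with the reverse proxy under test.
DEFAULT_PROXY = ("proxy.example.com", 80)
# Constructed placeholder for the tunnel target named in the request.
TUNNEL_TARGET = "www.example.com:443"


def build_connect_request(target: str, proxy_host: str) -> bytes:
    """Build a minimal HTTP/1.1 CONNECT request for `target` via the proxy."""
    return (
        f"CONNECT {target} HTTP/1.1\r\n"
        f"Host: {proxy_host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status_line(response: bytes) -> Optional[int]:
    """Return the HTTP status code from a raw response, or None if unparsable."""
    first_line = response.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = first_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def classify_connect(response: bytes) -> str:
    """Map the proxy's reply to a finding.

    'enabled' : 2xx, the server established a tunnel (the scanner's finding)
    'refused' : any other status; 405 Method Not Allowed is the textbook
                answer, but 400 Bad Request or 403 Forbidden also mean no tunnel
    'unknown' : no HTTP status line at all, e.g. the connection was dropped
    """
    code = parse_status_line(response)
    if code is None:
        return "unknown"
    if 200 <= code < 300:
        return "enabled"
    return "refused"


def probe(proxy=DEFAULT_PROXY, target=TUNNEL_TARGET, timeout=5.0) -> str:
    """Send one CONNECT request to `proxy` and classify the reply."""
    host, port = proxy
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect_request(target, host))
        # The status line fits comfortably in the first segment the server sends.
        response = sock.recv(4096)
    return classify_connect(response)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PROXY[0]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PROXY[1]
    print(f"CONNECT on {host}:{port}: {probe((host, port))}")
```

Run it as `python3 connect_check.py www.example.com 443` against your own front end after commenting out `mod_proxy_connect`; "refused" is the result a PCI scanner should also see, whatever the exact non-2xx status Apache picks. If the scanner still reports the finding while this says "refused", the scanner is reaching a different host or path than you are, which is the network-configuration situation John described above.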

What the site suggests is that you restrict who can do the CONNECT. Basically you can read about this in the <Proxy> configuration of your host.

Something like this might work, and stolen from the link above:

<Proxy *>
   Order Deny,Allow
   Deny from all
   Allow from yournetwork.example.com
</Proxy>

This will allow access from yournetwork.example.com only. You can enter an IP range as well as a host. Also, "Controlling access to your proxy" might be a good read.

If you have mod_proxy_connect loaded you can assume CONNECT is enabled. If you only want to use a reverse proxy you could probably unload this module altogether.

Hope this gets you forward.

Qben
  • I actually have some trouble in getting that to work because I have no idea which network to allow as the web server is accessed by the public. Furthermore, it is configured to tackle forward proxy. – John Nov 12 '13 at 08:37
  • I'm building Apache 2.4 by loading required modules statically, I'm getting a "CONNECT: HTTP/1.1 400 Bad Request" instead of 405 (Method Not Allowed) error code using nmap scan even though I've disabled "mod_proxy_connect" during the build. Any idea what could be the problem here? – Say No To Censorship Feb 08 '18 at 18:04