6

To the best of my knowledge, I have all the mod_proxy stuff disabled on my Apache production server. What's a reasonable way to test or confirm that? Looking at my httpd.conf I can tell you that any line that has "proxy" in it is commented, for what that's worth.

Reason I ask is that I saw this stuff in my logwatch report this morning:

```
Connection attempts using mod_proxy:
   81.88.124.30 -> 64.12.202.116:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.15:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.1:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.22:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.29:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.36:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.43:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.50:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.8:443: 1 Time(s)

Requests with error response codes
   403 Forbidden
      64.12.202.116:443: 1 Time(s)
      64.12.202.15:443: 1 Time(s)
      64.12.202.1:443: 1 Time(s)
      64.12.202.22:443: 1 Time(s)
      64.12.202.29:443: 1 Time(s)
      64.12.202.36:443: 1 Time(s)
      64.12.202.43:443: 1 Time(s)
      64.12.202.50:443: 1 Time(s)
      64.12.202.8:443: 1 Time(s)
```

Not something that's normally in my reports. So it looks like he got 403'd on the attempts, which I guess is good. But what made him feel it was worth a try?

Chris_K

5 Answers

7

Maybe he/she/it was trying to figure out if it was worth a try. It costs them nothing to just send a proxy request to a server and see if it works, so usually they send out these requests indiscriminately.

FYI one surefire way to make sure mod_proxy is disabled is to make sure the line

```
LoadModule proxy_module modules/mod_proxy.so
```

is commented out. It should only occur in the configuration files once, but it wouldn't hurt to grep for it to make sure. Also, you can run

```
apache2ctl -M
```

(or perhaps some equivalent for your system, on mine it's /etc/init.d/apache2 modules) to list the loaded modules and verify that the proxy module is not in the list.

David Z
  • Thanks for the reply. I bet phpinfo() would list the modules too, wouldn't it? I'd forgotten about the obvious... :) – Chris_K Aug 28 '09 at 14:48
  • For CentOS, apachectl -M did the trick. No modules with "proxy" in their names. – Chris_K Aug 28 '09 at 18:19
  • I'm not sure if phpinfo() lists Apache modules, but you could try it and check. (You _can_ get the module list using `mod_status`, usually at something like `http://localhost/server-status` if the status module is enabled) – David Z Aug 29 '09 at 02:41
  • How about if I want to have mod_proxy enabled but that it is limited who can access it? e.g. Using an Apache web server as frontend and connecting with mod_proxy to a backend (Tomcat/Jetty/...) – ssasa Oct 02 '13 at 06:47
  • @ssasa there are configuration directives for Apache that will let you restrict what sorts of proxy requests are allowed. But that's outside the scope of this question. The documentation for mod_proxy, and other questions on this site, should help you out there. – David Z Oct 02 '13 at 06:53
2

On Apache 2.x, by default, even if the mod_proxy module is enabled, proxying is disabled via the default value of the following directive:

```
ProxyRequests Off
```

If you set it to On then you are an open proxy - otherwise AFAIK you should be safe.

https://httpd.apache.org/docs/2.0/mod/mod_proxy.html#proxyrequests

jaywink
2

To test to make sure you're not an open proxy, just telnet to port 80, and send:

```
GET http://www.google.com/ HTTP/1.0
```

(you need two line returns at the end, but it's being eaten). You should get back a 404 page. If you get back Google, you're open.

Joe H.
  • Hmmm... --------------------------------------- Connected to mysite.com (a.b.c.1). Escape character is '^]'. GET http://www.google.com/ HTTP/1.0 HTTP/1.1 200 OK Date: Fri, 28 Aug 2009 18:02:07 GMT Server: Apache/2.2.3 (Red Hat) X-Powered-By: PHP/5.1.6 Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8 Connection closed by foreign host. – Chris_K Aug 28 '09 at 18:03
  • 1
    SO ... I got a 200 back. I think. Based on apachectl -M I don't have any proxy modules. What does this tell us? – Chris_K Aug 31 '09 at 17:00
1

You can have ProxyRequests off, mod_proxy not loaded, and still get a 200 response. I ran across a configuration on a client's web server that caused this behavior - the default virtualhost had an .htaccess directive that sent all requests through a php script, and the 'page not found' page returned a 200 response code. You could request literally anything and never get a 404 error. Not an ideal situation, but not an open proxy either. It's hell on search engine indexers.. LOL

Amy
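The telnet test and the catch-all 200 case described in the answers above can be told apart by comparing the proxy-style request with a plain request for the same path on the same server. This is an added example, not code from any of the answers; the function names, the three verdict labels and the sample replies are assumptions constructed for illustration:

```python
import socket

def send_raw(host, request_line, port=80, timeout=5.0):
    """Send one HTTP/1.0 request line plus the blank line; return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request_line.encode("ascii") + b"\r\n\r\n")
        chunks = []
        while (data := s.recv(4096)):
            chunks.append(data)
    return b"".join(chunks)

def parse(raw):
    """Split a raw HTTP reply into (status code, lower-cased headers, body)."""
    if not raw.startswith(b"HTTP/"):
        raise ValueError("not an HTTP reply")
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify(probe_raw, baseline_raw):
    """Judge the proxy-style probe against a plain local request for the same path."""
    p_status, p_headers, p_body = parse(probe_raw)
    b_status, b_headers, b_body = parse(baseline_raw)
    if p_status >= 400:
        return "refused"        # e.g. the 403s in the logwatch report
    same_server = p_headers.get("server") == b_headers.get("server")
    if same_server and (p_status, p_body) == (b_status, b_body):
        return "local"          # answered by this server itself, not forwarded
    return "investigate"        # success that differs from the local answer

def check_own_server(host, probe_url="http://www.google.com/"):
    """Live check against your own server (needs network access)."""
    probe = send_raw(host, f"GET {probe_url} HTTP/1.0")
    baseline = send_raw(host, "GET / HTTP/1.0")
    return classify(probe, baseline)

# Constructed sample replies (headers modelled on the 200 quoted in the thread).
LOCAL_200 = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (Red Hat)\r\n"
             b"X-Powered-By: PHP/5.1.6\r\nContent-Length: 0\r\n\r\n")
DENIED_403 = (b"HTTP/1.1 403 Forbidden\r\nServer: Apache/2.2.3 (Red Hat)\r\n\r\n"
              b"<h1>Forbidden</h1>")
FORWARDED_200 = (b"HTTP/1.0 200 OK\r\nServer: upstream-example\r\n\r\n"
                 b"<html>remote page</html>")
```

A verdict of `investigate` is not proof of forwarding: dynamic pages can differ between two requests, so read the reply body by hand before drawing a conclusion.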
0

FWIW, the best way to ensure that it is not loaded is by deleting the module from your drive and then re-starting apache.

sybreon