
My setup details:

  • OS: RHEL7
  • Webserver: Apache HTTP Server (SSL enabled)
  • AppContainer: NodeJS
  • Webserver connects to NodeJS via mod_proxy.

I blocked the CONNECT method in Apache HTTP Server using the config below. But the CONNECT method vulnerability still persists. Do I need to do anything on the NodeJS side?

    RewriteCond %{REQUEST_METHOD} !^(GET|POST|PUT|DELETE|HEAD)
    RewriteRule .* - [R=405,L]

Fred

1 Answer


The most common reason for a generic problem like this is not enabling mod_rewrite with RewriteEngine on in the context your RewriteRule was placed in.

However, even if that is the case, I would suggest using <Limit> or <LimitExcept> blocks, or even better not loading mod_proxy_connect at all, so that the CONNECT method has no way of being used. If it's handled by your app, of course, that would also need disabling.

Additional information after comments:

Do not modify the <Directory /> block that comes with your configuration; it should be left as is.

Also, do not (as I said in my comments) put the <Limit> block inside another block (in your case a <Directory> block). Configuration directives in a <Directory> block only take effect if the request is mapped to the file system, but you are proxying / to another service on example.com, which means no requests are mapped to the file system and so your <Limit> block will never take effect.

Unbeliever
  • Thanks for the suggestion. I will try "LimitExcept" and let you know the result. – Fred Oct 30 '16 at 13:34
  • I tried to block the CONNECT method by using and . But it didn't work. I suppose it has to be blocked on NodeJS side. Any help please? – Fred Nov 07 '16 at 07:20
  • The idea is fine. If it is not working then most likely you have the directives in the wrong context, or have conflicting configuration. If all requests hit Apache first, you don't need to block it at the NodeJS level as Apache can simply reject the request. Since you are proxying they should be in the Virtualhost or Server context. – Unbeliever Nov 07 '16 at 07:44
  • Sure. Let me try with a virtualhost. Please let me know what is meant by Server context? Also, is there an easy way to verify if CONNECT method is disabled or not. At present I am scanning the server each time, which is a tedious task. – Fred Nov 07 '16 at 08:06
  • You should get a 405 if it is successfully disabled. The *server context* means not inside any ``, ``, or similar blocks. More details here: http://httpd.apache.org/docs/current/mod/directive-dict.html#Context – Unbeliever Nov 07 '16 at 08:47
  • Virtualhost is not required for my app, which is the only app running on that port. This is how I am implementing under server context. Please let me know if I need to make any changes. `ProxyPass / http://example.com:4000/ ProxyPassReverse / http://example.com:4000/ Require all denied ` – Fred Nov 08 '16 at 09:13
  • Any help here please? – Fred Nov 11 '16 at 13:55
  • As I already said in my previous comment, you need to put the `Limit` block in the correct context, you've put it in a `Directory` block which will only work if the request is mapped to the file system. In your case, since you are proxying, you need to use a `Location` block. – Unbeliever Nov 12 '16 at 09:03
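As an added illustration of the answer's final point (this is example configuration, not the asker's or answerer's own), here is the method restriction placed in a <Location> block in server context, the only context that matches proxied requests. It assumes the example.com:4000 backend from the thread and the stock RHEL7 module file path for mod_proxy_connect.

```apache
# Added example: restrict HTTP methods for a reverse-proxied site.
# Server (or VirtualHost) context; no RewriteEngine needed.

# Belt and braces: do not load mod_proxy_connect at all, so Apache has
# no handler for CONNECT. On RHEL7 this line lives in
# /etc/httpd/conf.modules.d/00-proxy.conf; comment it out there.
# LoadModule proxy_connect_module modules/mod_proxy_connect.so

# Forward proxying stays off (CONNECT is a forward-proxy method).
ProxyRequests Off

# Reverse proxy the whole site to the NodeJS app (backend from the thread).
ProxyPass        / http://example.com:4000/
ProxyPassReverse / http://example.com:4000/

# <Location> matches on URL path, so it applies to proxied requests.
# A <Directory> block would never match here because nothing is
# mapped to the filesystem.
<Location />
    # Only the listed methods are passed to the backend; anything else
    # (CONNECT, TRACE, OPTIONS, ...) is refused with 403 Forbidden.
    <LimitExcept GET POST PUT DELETE HEAD>
        Require all denied
    </LimitExcept>
</Location>
```

Because this uses access control rather than the RewriteRule from the question, a blocked method returns 403 rather than the 405 mentioned in the comments; either status confirms the method is rejected before reaching NodeJS.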