
I'm using Apache 2.4 as a reverse proxy and according to this post, I have no use for the HTTP CONNECT method. So I tried disabling proxy_connect module when I built Apache using configure (static) option.

```
$ ./apachectl -v
Server version: Apache/2.4.29 (Unix)
Server built:   Feb  8 2018 12:40:42

$ ./apachectl -M
Loaded Modules:
 core_module (static)
 authn_core_module (static)
 authz_host_module (static)
 authz_core_module (static)
 access_compat_module (static)
 socache_shmcb_module (static)
 so_module (static)
 http_module (static)
 mime_module (static)
 log_config_module (static)
 log_debug_module (static)
 env_module (static)
 headers_module (static)
 setenvif_module (static)
 proxy_module (static)           ###########
 proxy_http_module (static)      ###########
 proxy_balancer_module (static)  ###########
 slotmem_shm_module (static)
 ssl_module (static)
 lbmethod_byrequests_module (static)
 lbmethod_bytraffic_module (static)
 lbmethod_bybusyness_module (static)
 lbmethod_heartbeat_module (static)
 mpm_event_module (static)
 unixd_module (static)
 rewrite_module (static)
```

As you can see I have enabled only: proxy, proxy_http and proxy_balancer modules.

However, when I run nmap scan, it reports a 400 (Bad Request) for CONNECT when I was expecting 405 (Method Not Allowed).

```
$ nmap -p 443 --script http-methods --script-args 'http-methods.test-all=true,http-methods.retest=1' 10.x.x.xxx

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-09 17:23 EST
Nmap scan report for serverA (10.x.x.xxx)
Host is up (0.00013s latency).

PORT    STATE SERVICE
443/tcp open  https
| http-methods: 
|   Supported Methods: TRACE GET HEAD POST CONNECT
|   Potentially risky methods: TRACE CONNECT
|   Status Lines: 
|     POST: HTTP/1.1 302 Moved Temporarily
|     HEAD: HTTP/1.1 302 Moved Temporarily
|     CONNECT: HTTP/1.1 400 Bad Request
|     GET: HTTP/1.1 302 Moved Temporarily
|_    TRACE: HTTP/1.1 405 Method Not Allowed

Nmap done: 1 IP address (1 host up) scanned in 0.79 seconds
```

This is what I have at the beginning of apache/conf/extra/httpd-vhosts.conf:

```
<VirtualHost *:443>
  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
  RewriteRule .* - [R=405,L]
```

This is what is shown in the Apache access log for the nmap scan:

```
[09/Feb/2018:17:29:47 -0500] "OPTIONS / HTTP/1.1" 405 225
[09/Feb/2018:17:29:47 -0500] "CBZF / HTTP/1.1" 405 222
[09/Feb/2018:17:29:47 -0500] "GET / HTTP/1.1" 302 109
[09/Feb/2018:17:29:47 -0500] "HEAD / HTTP/1.1" 302 -
[09/Feb/2018:17:29:47 -0500] "POST / HTTP/1.1" 302 109
[09/Feb/2018:17:29:47 -0500] "OPTIONS / HTTP/1.1" 405 225
[09/Feb/2018:17:29:47 -0500] "DELETE / HTTP/1.1" 405 224
[09/Feb/2018:17:29:47 -0500] "PUT / HTTP/1.1" 405 221
[09/Feb/2018:17:29:48 -0500] "CONNECT / HTTP/1.1" 400 226
[09/Feb/2018:17:29:48 -0500] "TRACE / HTTP/1.1" 405 223
```

I'm happy with everything except the 400 status for CONNECT.

Is there a way I can make Apache return 405 or 501 status for CONNECT?

  • The thing about CONNECT is that it requires specific parameters: you don't CONNECT to /, you connect to a third external URL, so in order to get your desired 405, chances are you need to construct your request correctly first. Worth checking the RFC and examples regarding this. – Daniel Ferradal Feb 12 '18 at 17:22
  • @ezra When nmap sends a random method like 'CBZF', Apache returns 405. I'm expecting similar behavior for CONNECT (assuming it's disabled correctly) irrespective of the URL/parameters. Maybe the behavior changed from Apache 2.2 to 2.4 (please see the link to the 2.2 post on the first line). OK, I will check the RFC also. – Say No To Censorship Feb 12 '18 at 17:31
  • What you expect and what the RFC says on how each request should be dealt with might be different; that's why I suggested checking the RFC and examples. So try to abstract yourself in this case from what you want and try to focus instead on what applies to this specific case. – Daniel Ferradal Feb 12 '18 at 17:41
  • As an added note, I launched a CONNECT to a httpd test server with the correct syntax and I got 405. – Daniel Ferradal Feb 12 '18 at 17:42
  • It is true that, due to a CVE, httpd became more strict by default when checking requests in a recent version. So it is worth checking whether playing with [httpprotocoloptions](http://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions) suits what you are looking for, although I'm not sure if this will apply. – Daniel Ferradal Feb 12 '18 at 17:58
  • You're right I see `"CONNECT localhost:9001 HTTP/1.1" 405 225` in Apache access log. I think nmap is using default URL ('/') if I don't supply anything. – Say No To Censorship Feb 12 '18 at 22:09
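
An added example, not code from the question or its commenters: a small audit over access-log lines that separates methods refused by policy (405/501) from a `CONNECT` probe that got 400 only because its target was not in `host:port` form, as the comments above found. The function names and verdict labels are hypothetical, the allow-list mirrors the question's `RewriteCond`, and the last sample line is constructed.

```python
import re

# Request line and status as they appear in the page's access-log excerpt.
REQ_RE = re.compile(r'"(?P<method>\S+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3})')
# Simplified authority-form (host:port), the target form CONNECT requires.
AUTHORITY_RE = re.compile(r'^(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):(\d{1,5})$')
ALLOWED = {"GET", "POST", "HEAD"}  # mirrors the RewriteCond in the question

def is_authority_form(target):
    m = AUTHORITY_RE.match(target)
    return bool(m) and 0 < int(m.group(1)) <= 65535

def classify(line):
    """Return (method, target, status, verdict), or None if the line does not parse."""
    m = REQ_RE.search(line)
    if not m:
        return None
    method, target, status = m["method"], m["target"], int(m["status"])
    if method in ALLOWED:
        verdict = "allowed"
    elif status in (405, 501):
        verdict = "blocked"   # refused by method policy
    elif method == "CONNECT" and status == 400 and not is_authority_form(target):
        verdict = "retest"    # 400 reflects the malformed target, not the policy
    else:
        verdict = "review"    # disallowed method that was not clearly refused
    return method, target, status, verdict

def audit(lines):
    """Keep only the entries that need a retest or a closer look."""
    return [c for c in map(classify, lines) if c and c[3] in ("retest", "review")]

SAMPLE = [
    '[09/Feb/2018:17:29:47 -0500] "CBZF / HTTP/1.1" 405 222',
    '[09/Feb/2018:17:29:47 -0500] "GET / HTTP/1.1" 302 109',
    '[09/Feb/2018:17:29:48 -0500] "CONNECT / HTTP/1.1" 400 226',
    '"CONNECT localhost:9001 HTTP/1.1" 405 225',    # from the last comment
    '"CONNECT example.test:443 HTTP/1.1" 200 -',    # constructed: would need review
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

A `retest` verdict means the probe should be repeated with a `host:port` target before drawing any conclusion about whether `CONNECT` is disabled.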
