0

I had a cloud server with two ip, and each ip is configured respectively with apache and wildfly server. In each of them there are some domain/vhost setup in production.

Checking the Apache access log (and also the WildFly log on the same cloud), I see many HTTP CONNECT requests like these:

192.99.xxx.xxx - - [21/Jun/2019:09:58:03 +0200] "CONNECT www.instagram.com:443 HTTP/1.1" 200 - "-" "-"

118.24.xxx.xxx - - [21/Jun/2019:09:59:20 +0200] "CONNECT api.zxkjj.cn:443 HTTP/1.1" 200 - "-" "Python/3.6 aiohttp/3.4.4"

and so on..

Is someone trying to hack my server? Why am I receiving them? And how can I block them without writing iptables rules for each domain or IP?


Additional info: I wish to block the unwanted requests directly from the Apache configuration. Dropping the request with mod_security would be best, instead of an HTTP 403.

My httpd.conf is very simple:

A default virtual host with following setup:

<VirtualHost _default_:*>
    ServerName catchall
    <Location />
        Deny from all
        Options None
    </Location>
</VirtualHost>

and a second virtualhost with following setup:

<VirtualHost myserverip:80>
    DocumentRoot "/var/www/mydir"
    ServerName www.mydomain.com

    SSLProxyEngine on
    ProxyRequests Off
    <Directory "/var/www/mydir">
        Options FollowSymLinks
        AllowOverride All
        Order deny,allow
        Allow from all
    </Directory>

    <Proxy *>
        Order Deny,Allow
        Deny from all
        Allow from www.mydomain.com
    </Proxy>
</VirtualHost>

but I continue to get requests in the second virtual host, as explained in my first question.

Where am I wrong?

Giuseppe

2 Answers

1

It may well be that this server was put on a proxy list, because someone actually detected an open proxy on it.

The fact that CONNECT returns status 200 instead of status 405 is a good/bad indicator of this. If this server is not intended to proxy http requests then DISABLE the mod_proxy module in Apache.

If Apache works as a reverse proxy for Wildfly then at least disable mod_proxy_connect. If RewriteRule [P] is used for reverse proxying then check that it can only proxy to the Wildfly instance and not to a random domain, for example by catching the HTTP_HOST variable and putting it in the RewriteRule like RewriteRule /wildfly https://%1/ [P] or something like that.

Gerrit
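The status-code check from the answer above (a CONNECT answered with 200 rather than 405), as an added example that is not part of the original answers: a Python script that pulls CONNECT requests out of an Apache access log and separates those answered with 2xx from those refused. The function names and the sample log lines (documentation IP ranges, example hostnames) are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache common/combined log format: client ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def connect_requests(lines):
    """Yield (client, target, status) for every CONNECT request in the log."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "CONNECT":
            yield m["client"], m["target"], int(m["status"])

def summarize(lines):
    """Group CONNECT requests by whether the server answered 2xx or refused."""
    report = {"answered_2xx": defaultdict(Counter), "refused": defaultdict(Counter)}
    for client, target, status in connect_requests(lines):
        bucket = "answered_2xx" if 200 <= status < 300 else "refused"
        report[bucket][client][target] += 1
    return report

def needs_attention(report):
    """True if any CONNECT got a 2xx, the indicator the answer describes."""
    return bool(report["answered_2xx"])

# Constructed sample lines, not taken from a real server.
SAMPLE = [
    '203.0.113.10 - - [21/Jun/2019:09:58:03 +0200] "CONNECT proxied.example.net:443 HTTP/1.1" 200 - "-" "-"',
    '203.0.113.10 - - [21/Jun/2019:09:58:09 +0200] "CONNECT proxied.example.net:443 HTTP/1.1" 200 - "-" "-"',
    '198.51.100.7 - - [21/Jun/2019:09:59:20 +0200] "CONNECT other.example.org:443 HTTP/1.1" 405 246 "-" "-"',
    '192.0.2.44 - - [21/Jun/2019:10:00:01 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'this line is not in access-log format',
]

if __name__ == "__main__":
    rep = summarize(SAMPLE)
    for bucket, clients in rep.items():
        for client, targets in clients.items():
            for target, n in targets.items():
                print(f"{bucket:13} {client:15} {target} x{n}")
    print("review proxy configuration:", needs_attention(rep))
```

Running it again after a configuration change shows whether new CONNECT requests have moved from the `answered_2xx` group to `refused`.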
0

No, this is not an attempt to hack your server. This is an attempt to use your Apache server as a proxy. What you can do is disable the CONNECT method in the Apache config:

With rewrite engine:

RewriteEngine On
# Answer 403 Forbidden to any request that uses the CONNECT method
RewriteCond %{REQUEST_METHOD} ^(CONNECT)
RewriteRule .* - [F]

Via Allow/Deny (using this answer):

<Proxy *>
   Order Deny,Allow
   Deny from all
   Allow from yournetwork.example.com
</Proxy>
Romeo Ninov
  • Thank you guys for your responses. I'm not using Apache as a proxy for WildFly. Apache simply serves the PHP projects and WildFly the Java ones. I tried to turn off mod_proxy in Apache but it doesn't work; the CONNECT requests in the access log go on.. – Giuseppe Jun 21 '19 at 10:03
  • @Giuseppe, try with the rewrite rule – Romeo Ninov Jun 21 '19 at 10:16
  • I wish to block the unwanted requests directly from the Apache configuration. Dropping the request with mod_security would be best, instead of an HTTP 403. My httpd.conf is very simple: A default virtual host with following setup: ServerName catchall Deny from all Options None – Giuseppe Jun 24 '19 at 14:36