Processed: Bug#1054564 marked as pending in apache2

2023-10-25 Thread Debian Bug Tracking System 
Processing control commands:

> tag -1 pending
Bug #1054564 [apache2] apache2: mod_proxy_connect insecure default server-wide 
AllowCONNECT value
Added tag(s) pending.

-- 
1054564: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054564
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#1054564: apache2: mod_proxy_connect insecure default server-wide AllowCONNECT value

2023-10-25 Thread Raphaël Droz 
Package: apache2
Version: 2.4.56-1~deb11u2
Severity: normal
X-Debbugs-Cc: raphael.d...@gmail.com

Dear Maintainer,

# Context

For years, one of my SSL vhost (on :443) has been relying mod_proxy_http to 
(safely)
 forward some requests to a backend, acting as a reverse-proxy.
```
# Something like
ProxyRequests   On
SSLProxyEngine  On
RewriteRule ^/.well-known/.*$ "https://gitlab-foobar/%{REQUEST_URI}; [P,L]
```


Recently, I experienced the need to (safely) forward some requests (from 
another server I own)
 through this server (because of some network/geoblocking problem).
I enabled `mod_proxy_connect` and (safely) configured a forward-proxy on :80 
(using `Require valid-user / ip`).
```
# Something like
ProxyRequests On
Authtype Basic
AuthUserFile ...

p  Require valid-user
  Require ip ...

```


# Problem

While this :80 forward-proxy vhost was secure, I later discovered, that 
 the original (and almost forgotten) vhost had incidentally become an 
open-proxy (!)

The reasons are:
- mod_proxy_connect is globally enabled (affects all vhosts)
- AllowCONNECT defaults to "443 563" (affects all vhosts)


Said otherwise, *any* secure reverse-proxy vhost configuration become de-facto
 an insecure open forward-proxy vhost as soon as `mod_proxy_connect` is 
globally enabled.

This sounds contrary to best security practices.
(and I bet more than one server out there is silently affected by this 
insecure-by-default
configuration)


# Proposed solution

I suggest to add a server-wide `AllowCONNECT 0` directive inside
`/etc/apache2/mods-available/proxy_connect.load` (virtually disabling CONNECT)
so that individual vhosts relying on it would have to explicitely set the value 
at the vhost-level.

It would be more logical (scope/side-effects) and avoid holes being punched 
into existing
 (and otherwise secure) reverse-proxy vhosts.


# Additional notes
To cap it all my proxy-enabled vhost was the first one (lexicographically
speaking) making it the destination of all the random internet SSL traffic 
scanners.


Google-friendly list of typical log messages that should raise flags:
> AH00898: Connect to remote machine blocked returned by...
> AH00939: CONNECT: attempt to connect to ...:443 (...) failed
> AH10221: proxy: CONNECT: client flushing failed (-102)
> AH10221: proxy: CONNECT: origin flushing failed (-102)


-- Package-specific info:

-- System Information:
Debian Release: bullseye
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.2.0-35-generic (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apache2 depends on:
ii  apache2-bin  2.4.56-1~deb11u2
ii  apache2-data 2.4.56-1~deb11u2
ii  apache2-utils2.4.56-1~deb11u2

Versions of packages apache2 recommends:
pn  ssl-cert  

Versions of packages apache2 suggests:
pn  apache2-doc   
pn  apache2-suexec-pristine | apache2-suexec  

Versions of packages apache2 is related to:
ii  apache2  2.4.56-1~deb11u2
ii  apache2-bin  2.4.56-1~deb11u2

-- Configuration Files:
/etc/apache2/apache2.conf changed [not included]

-- no debconf information

-- 
GPG id: 0xF41572CEBD4218F4

Bug#1054562: apache2ctl: add new one-word command: list-vhosts

2023-10-25 Thread Thorsten Glaser 
Package: apache2
Version: 2.4.56-1~deb11u2
Severity: wishlist
X-Debbugs-Cc: t...@mirbsd.de, report...@stoffels.it

Please add a new “apache2ctl list-vhosts” command that can
be discovered using the apache2ctl(8) manual page, so that
people don’t have to “remember” the full command:

sudo apache2ctl -t -D DUMP_VHOSTS


-- Package-specific info:

-- System Information:
Debian Release: 11.8
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 
'oldstable-proposed-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-26-amd64 (SMP w/1 CPU thread)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages apache2 depends on:
ii  apache2-bin  2.4.56-1~deb11u2
ii  apache2-data 2.4.56-1~deb11u2
ii  apache2-utils2.4.56-1~deb11u2
ii  dpkg 1.20.13
ii  init-system-helpers  1.60
ii  lsb-base 11.1.0
ii  mime-support 3.66
ii  perl 5.32.1-4+deb11u2
ii  procps   2:3.3.17-5

Versions of packages apache2 recommends:
ii  ssl-cert  1.1.0+nmu1

Versions of packages apache2 suggests:
ii  apache2-doc  2.4.56-1~deb11u2
pn  apache2-suexec-pristine | apache2-suexec-custom  
ii  lynx [www-browser]   2.9.0dev.6-3~deb11u1

Versions of packages apache2-bin depends on:
ii  libapr1  1.7.0-6+deb11u2
ii  libaprutil1  1.6.1-5+deb11u1
ii  libaprutil1-dbd-sqlite3  1.6.1-5+deb11u1
ii  libaprutil1-ldap 1.6.1-5+deb11u1
ii  libbrotli1   1.0.9-2+b2
ii  libc62.31-13+deb11u7
ii  libcrypt11:4.4.18-4
ii  libcurl4 7.88.1-10+deb12u4~bpo11+0wtf1
ii  libjansson4  2.13.1-1.1
ii  libldap-2.4-22.4.57+dfsg-3+deb11u1
ii  liblua5.3-0  5.3.3-1.1+deb11u1
ii  libnghttp2-141.43.0-1
ii  libpcre3 2:8.39-13
ii  libssl1.11.1.1w-0+deb11u1
ii  libxml2  2.9.10+dfsg-6.7+deb11u4
ii  perl 5.32.1-4+deb11u2
ii  zlib1g   1:1.2.11.dfsg-2+deb11u2

Versions of packages apache2-bin suggests:
ii  apache2-doc  2.4.56-1~deb11u2
pn  apache2-suexec-pristine | apache2-suexec-custom  
ii  lynx [www-browser]   2.9.0dev.6-3~deb11u1

Versions of packages apache2 is related to:
ii  apache2  2.4.56-1~deb11u2
ii  apache2-bin  2.4.56-1~deb11u2

-- Configuration Files:
/etc/apache2/apache2.conf changed [not included]
/etc/apache2/sites-available/000-default.conf changed [not included]
/etc/apache2/sites-available/default-ssl.conf changed [not included]
/etc/logrotate.d/apache2 changed [not included]

-- no debconf information