Package: apache2
Version: 2.4.56-1~deb11u2
Severity: normal
X-Debbugs-Cc: raphael.d...@gmail.com
Dear Maintainer,
# Context
For years, one of my SSL vhost (on :443) has been relying mod_proxy_http to
(safely)
forward some requests to a backend, acting as a reverse-proxy.
```
# Something like
ProxyRequests On
SSLProxyEngine On
RewriteRule ^/.well-known/.*$ "https://gitlab-foobar/%{REQUEST_URI}; [P,L]
```
Recently, I experienced the need to (safely) forward some requests (from
another server I own)
through this server (because of some network/geoblocking problem).
I enabled `mod_proxy_connect` and (safely) configured a forward-proxy on :80
(using `Require valid-user / ip`).
```
# Something like
ProxyRequests On
Authtype Basic
AuthUserFile ...
p Require valid-user
Require ip ...
```
# Problem
While this :80 forward-proxy vhost was secure, I later discovered, that
the original (and almost forgotten) vhost had incidentally become an
open-proxy (!)
The reasons are:
- mod_proxy_connect is globally enabled (affects all vhosts)
- AllowCONNECT defaults to "443 563" (affects all vhosts)
Said otherwise, *any* secure reverse-proxy vhost configuration become de-facto
an insecure open forward-proxy vhost as soon as `mod_proxy_connect` is
globally enabled.
This sounds contrary to best security practices.
(and I bet more than one server out there is silently affected by this
insecure-by-default
configuration)
# Proposed solution
I suggest to add a server-wide `AllowCONNECT 0` directive inside
`/etc/apache2/mods-available/proxy_connect.load` (virtually disabling CONNECT)
so that individual vhosts relying on it would have to explicitely set the value
at the vhost-level.
It would be more logical (scope/side-effects) and avoid holes being punched
into existing
(and otherwise secure) reverse-proxy vhosts.
# Additional notes
To cap it all my proxy-enabled vhost was the first one (lexicographically
speaking) making it the destination of all the random internet SSL traffic
scanners.
Google-friendly list of typical log messages that should raise flags:
> AH00898: Connect to remote machine blocked returned by...
> AH00939: CONNECT: attempt to connect to ...:443 (...) failed
> AH10221: proxy: CONNECT: client flushing failed (-102)
> AH10221: proxy: CONNECT: origin flushing failed (-102)
-- Package-specific info:
-- System Information:
Debian Release: bullseye
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.2.0-35-generic (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages apache2 depends on:
ii apache2-bin 2.4.56-1~deb11u2
ii apache2-data 2.4.56-1~deb11u2
ii apache2-utils2.4.56-1~deb11u2
Versions of packages apache2 recommends:
pn ssl-cert
Versions of packages apache2 suggests:
pn apache2-doc
pn apache2-suexec-pristine | apache2-suexec
Versions of packages apache2 is related to:
ii apache2 2.4.56-1~deb11u2
ii apache2-bin 2.4.56-1~deb11u2
-- Configuration Files:
/etc/apache2/apache2.conf changed [not included]
-- no debconf information
--
GPG id: 0xF41572CEBD4218F4