Re: problem with mod_proxy/mod_rewrite being used for the front-end proxy

2000-08-21 Thread Leslie Mikesell

According to Greg Stark:
> 
> This isn't entirely on-topic but it's a solution often suggested for mod_perl
> users so I suspect there are other users here being bitten by the same
> problems. In fact the manner in which problems manifest are such that it's
> possible that many mod_perl users who are using mod_rewrite/mod_proxy to run
> a reverse proxy in front of their heavyweight perl servers have a security
> problem and don't even know it.
> 
> The problem is that the solution written in the mod_rewrite guide for a
> reverse proxy doesn't work as advertised to block incoming proxy requests. 
> 
> RewriteRule ^(http|ftp)://.* - [F]
> 
> This is supposed to block incoming proxy requests that aren't specifically
> created by the rewrite rules that follow. 
> 
> The problem is that both mod_rewrite and mod_proxy have changed, and this
> seems to no longer catch the incoming proxy requests. Instead mod_rewrite
> seems to see just the path part of the URI, ie, /foo/bar/baz.pl without the
> http://.../. 

Setting
ProxyRequests off
should disable any explicit proxy requests from clients.  It does
not stop ProxyPass or RewriteRule specified proxying.  My server
logs a 302 error and sends a redirect to
http://www.goto.com/d/home/p/digimedia/context/
(interesting - I didn't know where it was redirecting before...).

I do see quite a few of these in my logfiles, mostly trying to
bump up the ad counters on some other sites, I think. 

 Les Mikesell
   [EMAIL PROTECTED]



problem with mod_proxy/mod_rewrite being used for the front-end proxy

2000-08-21 Thread Greg Stark


This isn't entirely on-topic but it's a solution often suggested for mod_perl
users so I suspect there are other users here being bitten by the same
problems. In fact the manner in which problems manifest are such that it's
possible that many mod_perl users who are using mod_rewrite/mod_proxy to run
a reverse proxy in front of their heavyweight perl servers have a security
problem and don't even know it.

The problem is that the solution written in the mod_rewrite guide for a
reverse proxy doesn't work as advertised to block incoming proxy requests. 

RewriteRule ^(http|ftp)://.* - [F]

This is supposed to block incoming proxy requests that aren't specifically
created by the rewrite rules that follow. 

The problem is that both mod_rewrite and mod_proxy have changed, and this
seems to no longer catch the incoming proxy requests. Instead mod_rewrite
seems to see just the path part of the URI, ie, /foo/bar/baz.pl without the
http://.../. 

I've even tried using %{THE_REQUEST} which actually matches, and says it's
forcing the response to be forbidden, then it happily proxies the request
anyways!


I'm using a

  <Directory proxy:*>
    deny from all
  </Directory>
  <Directory proxy:http://127.0.0.1/>
    allow from all
  </Directory>

section to at least avoid being an open proxy to the outside world, but I
cannot find any way in 1.3.12 to refuse all proxy requests coming from the
outside.

If you're not aware of the problem at all and have merely followed the advice
of the mod_rewrite guide you are probably an open proxy, allowing attackers to
use your web server to attack other sites anonymously.

-- 
greg
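The two messages above between them describe the working controls: Les's ProxyRequests off, which stops client-initiated (forward) proxying without affecting ProxyPass or RewriteRule [P], and Greg's <Directory proxy:*> deny block, which refuses anything the proxy handler is asked to fetch unless it is the local backend. The following front-end configuration is an added example written for this thread, not Greg's or Les's own config and not text from the mod_rewrite guide. It puts the guide's [F] rule, which the thread reports as ineffective in 1.3.12, next to the controls that actually work. Assumed for illustration (none of this is stated in the thread): the mod_perl backend listens on 127.0.0.1:8080, only the /perl/ prefix is proxied, and the hostname is www.example.com. The syntax is Apache 1.3, matching the thread; the 2.x equivalents are noted in comments.

```apache
# Added example for this thread (not code from either post).
# Assumed: backend on 127.0.0.1:8080, proxied prefix /perl/, hostname below.
ServerName www.example.com

# 1. Refuse forward-proxy requests from clients ("GET http://other-site/ ...").
#    As Les notes, this does not disable ProxyPass or RewriteRule [P],
#    which is exactly what a reverse proxy relies on. (Default in Apache 2.x.)
ProxyRequests Off

# 2. Access control on the proxy handler itself, following Greg's pattern:
#    deny every proxy target, then allow only the local backend. This holds
#    even if someone later turns ProxyRequests back on.
#    Apache 1.3 syntax; in 2.x use <Proxy *> and <Proxy http://127.0.0.1:8080/>.
<Directory proxy:*>
    Order Deny,Allow
    Deny from all
</Directory>
<Directory proxy:http://127.0.0.1:8080/>
    Order Deny,Allow
    Allow from all
</Directory>

RewriteEngine On

# 3. The rule from the mod_rewrite guide. Greg reports that in 1.3.12
#    mod_rewrite sees only the path part of a proxy request, so this never
#    matches. Harmless to keep, but never rely on it as the only control.
RewriteRule ^(http|ftp)://.* - [F]

# 4. The single proxying rule that is wanted: only /perl/ is forwarded, and
#    only to the loopback backend. Everything else is served locally.
RewriteRule ^/perl/(.*)$ http://127.0.0.1:8080/perl/$1 [P,L]
ProxyPassReverse /perl/ http://127.0.0.1:8080/perl/
```

To check the result from outside, send the server a proxy-style request line, for example with printf 'GET http://www.example.org/ HTTP/1.0\r\n\r\n' | nc www.example.com 80 (hostnames assumed). The answer must be produced by your own server (its local page for "/", or a 403 from the deny block), never the remote site's content; a copy of the remote site's page in the reply means the server is still an open proxy. Watching the access log for request lines whose target starts with http:// or ftp://, as Les describes seeing, is the cheap ongoing check that the control stays in place.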