Re: [Zope] apache open proxy configuration problem
Hey Tino

Well, my access log fills up with lines like:

61.54.11.222 - - [21/Dec/2005:14:36:56 -0800] GET http://media.fastclick.net/w/get.media?sid=19765m=3tp=7d=sc=1 HTTP/1.1 404 927
59.32.21.156 - - [21/Dec/2005:14:37:10 -0800] GET http://www.searchvill.com/index.php?uid=1077REQ=Poker%20Betting HTTP/1.0 404 935
222.208.183.2 - - [21/Dec/2005:14:40:05 -0800] GET http://adsence.sogou.com/index.html?pid=info-xa163ww=120dc=3dir=0num=6color=1charset=gb HTTP/1.0 404 936
222.208.183.2 - - [21/Dec/2005:14:40:06 -0800] GET http://log.cpc.sohu.com:90/?pv.png HTTP/1.0 200 589
213.226.83.21 - - [21/Dec/2005:14:40:27 -0800] GET http://www.ccet-server.com/cgi-bin/ip.cgi HTTP/1.0 404 933
212.30.78.125 - - [21/Dec/2005:14:41:20 -0800] GET http://test.anonproxies.com/azenv.php?80 HTTP/1.0 404 935
203.88.51.59 - - [21/Dec/2005:14:42:07 -0800] GET http://www.abcseek.info/cgi-bin/ip1.cgi HTTP/1.0 404 933
213.156.221.126 - - [21/Dec/2005:14:42:29 -0800] POST http://66.96.85.136:80/checkp/env/env.php HTTP/1.0 404 932
218.71.245.157 - - [21/Dec/2005:14:42:51 -0800] GET http://umsky.com/prx.php HTTP/1.0 404 933
83.133.146.243 - - [21/Dec/2005:14:43:41 -0800] GET http://clickingagent.com/proxycheck.php?ip=66.92.14.218port=80loc= HTTP/1.1 404 940

-e-

Tino Wildenhain wrote:
> Ed Colmar wrote:
>> Hey All..
>>
>> I'm following up on this thread after lots of different configuration attempts, reinstalling apache2 from source, more configuration attempts, banging my head against the wall, and endless troubleshooting.. Unfortunately I am still failing to configure this correctly.
>>
>> Thankfully the people using my apache as an open proxy are so relentless I only need to start apache for a few seconds to determine if the proxy is still open or not...
>>
>> So... I've made quite a bit of progress, but I am still at a loss to understand what is going on here.
>>
>> Possibly this is a question for the apache forum, but I figured some of my fellow zope users might be able to help, since all I'm using apache for is to rewrite for zope, and log access.
>>
>> I have cleaned up my virtual host directive to only use a single Rewrite Rule (which works):
>>
>>     RewriteRule ^/(.*) http://192.168.1.32:8080/VirtualHostBase/http/www.myserver.net:80/myfolder/$1 [L,P]
>>
>> Still the proxy was open and under attack.
>
> I'm wondering where you get the impression you have an open proxy? Given your configuration, no access can go outside your zope. Sure people will try it all the time - but your apache still delivers just your zope content.
>
> Just try it out yourself!

___
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] apache open proxy configuration problem
On 12/22/05, Ed Colmar [EMAIL PROTECTED] wrote:
> Well, my access log fills up with lines like:
>
> 61.54.11.222 - - [21/Dec/2005:14:36:56 -0800] GET http://media.fastclick.net/w/get.media?sid=19765m=3tp=7d=sc=1 HTTP/1.1 404 927

Yeah so? They got a 404 response, a Not Found error. No proxying happening here!

--
Martijn Pieters
Re: [Zope] apache open proxy configuration problem
Ok... So these are failed attempts. good good.

The key factor for me getting the RewriteRule to work without using ProxyPass was to make apache run as user zope and group zope. In case anyone else runs into a similar situation.

Thanks for all the help and guidance!

-e-

Martijn Pieters wrote:
> On 12/22/05, Ed Colmar [EMAIL PROTECTED] wrote:
>> Well, my access log fills up with lines like:
>>
>> 61.54.11.222 - - [21/Dec/2005:14:36:56 -0800] GET http://media.fastclick.net/w/get.media?sid=19765m=3tp=7d=sc=1 HTTP/1.1 404 927
>
> Yeah so? They got a 404 response, a Not Found error. No proxying happening here!
>
> --
> Martijn Pieters
Re: [Zope] apache open proxy configuration problem
Ed Colmar wrote:
> Hey Tino
>
> Well, my access log fills up with lines like:
>
> 61.54.11.222 - - [21/Dec/2005:14:36:56 -0800] GET http://media.fastclick.net/w/get.media?sid=19765m=3tp=7d=sc=1 HTTP/1.1 404 927

404 is fine. We all have that in our logs. There is nothing to worry about. It's just the usual internet business.

See: http://www.faqs.org/rfcs/rfc2616.html

404 Not Found
Re: [Zope] apache open proxy configuration problem
Hmm... Ok the 404 thing I understand, but they are coming in at such a high rate it makes me nervous... Maybe this is some form of distributed DOS attack?

On closer inspection I do see some 200 codes in there as well, like:

69.70.140.130 - - [22/Dec/2005:13:40:59 -0800] CONNECT 208.146.35.106:6667 HTTP/1.0 200 82
69.70.140.130 - - [22/Dec/2005:13:40:59 -0800] CONNECT 208.146.35.106:6667 HTTP/1.0 200 82
69.70.140.130 - - [22/Dec/2005:13:40:59 -0800] CONNECT 208.146.35.106:6667 HTTP/1.0 200 82
69.70.140.130 - - [22/Dec/2005:13:41:00 -0800] CONNECT 208.146.35.106:6667 HTTP/1.0 200 82

Should I be worried about this one?

Thanks for the help again guys!

Maybe I should migrate this thread over to apache forum instead, since it does not really have much to do with zope...???

-e-

Tino Wildenhain wrote:
> Ed Colmar wrote:
>> Hey Tino
>>
>> Well, my access log fills up with lines like:
>>
>> 61.54.11.222 - - [21/Dec/2005:14:36:56 -0800] GET http://media.fastclick.net/w/get.media?sid=19765m=3tp=7d=sc=1 HTTP/1.1 404 927
>
> 404 is fine. We all have that in our logs. There is nothing to worry about. It's just the usual internet business.
>
> See: http://www.faqs.org/rfcs/rfc2616.html
>
> 404 Not Found
Re: [Zope] apache open proxy configuration problem
Ed Colmar wrote:
> Hmm... Ok the 404 thing I understand, but they are coming in at such a high rate it makes me nervous... Maybe this is some form of distributed DOS attack?

Try to get another IP if this is possible. But else you don't have any way to avoid it - we all have such in the logs when we run public servers.

> On closer inspection I do see some 200 codes in there as well, like:
>
> 69.70.140.130 - - [22/Dec/2005:13:40:59 -0800] CONNECT 208.146.35.106:6667 HTTP/1.0 200 82
> 69.70.140.130 - - [22/Dec/2005:13:40:59 -0800] CONNECT 208.146.35.106:6667 HTTP/1.0 200 82
> 69.70.140.130 - - [22/Dec/2005:13:40:59 -0800] CONNECT 208.146.35.106:6667 HTTP/1.0 200 82
> 69.70.140.130 - - [22/Dec/2005:13:41:00 -0800] CONNECT 208.146.35.106:6667 HTTP/1.0 200 82
>
> Should I be worried about this one?

CONNECT is ssl, did you set up SSL for your site? If not you can just disallow CONNECT in apache.
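The distinction the replies draw (a 404 on a foreign URL means nothing was relayed, while a 200 on CONNECT or on a foreign URL deserves a second look) can be applied to a whole access log; the following Python triage is an added example, not part of any message in this thread. OWN_HOSTS and the sample lines are constructed, and the lines use Apache's normal quoted request field.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hostnames this Apache instance really serves, lowercase (assumed for the example).
OWN_HOSTS = {"www.myserver.net"}

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/\d\.\d)?" '
    r'(?P<status>\d{3}) (?:\d+|-)'
)

def classify(line, own_hosts=OWN_HOSTS):
    """Return (client, kind, verdict) for one log line, or None if unparsable.
    kind:    'local' (path, or absolute URI naming one of our hosts),
             'proxy' (absolute URI naming a foreign host), 'tunnel' (CONNECT).
    verdict: 'ok' for local traffic; for proxy/tunnel attempts 'refused' on a
             4xx/5xx status and 'review' on anything else.
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    method, target, status = m["method"], m["target"], int(m["status"])
    if method == "CONNECT":
        kind = "tunnel"
    elif target.startswith("/") or target == "*":
        kind = "local"
    else:
        try:
            host = urlsplit(target).hostname or ""   # hostname is lowercased
        except ValueError:                           # e.g. malformed IPv6 literal
            host = ""
        kind = "local" if host in own_hosts else "proxy"
    if kind == "local":
        return m["client"], kind, "ok"
    return m["client"], kind, "refused" if status >= 400 else "review"

def triage(lines, own_hosts=OWN_HOSTS):
    """Count verdicts and list the (client, kind) pairs that need a manual look."""
    counts, review = Counter(), set()
    for line in lines:
        result = classify(line, own_hosts)
        if result is None:
            counts["unparsed"] += 1
            continue
        client, kind, verdict = result
        counts[verdict] += 1
        if verdict == "review":
            review.add((client, kind))
    return dict(counts), sorted(review)

# Constructed sample lines (documentation addresses, example hostnames).
SAMPLE = [
    '203.0.113.5 - - [21/Dec/2005:14:36:56 -0800] "GET http://ads.example.net/w?sid=1 HTTP/1.1" 404 927',
    '198.51.100.7 - - [22/Dec/2005:13:40:59 -0800] "CONNECT 192.0.2.10:6667 HTTP/1.0" 200 82',
    '198.51.100.9 - - [22/Dec/2005:13:41:02 -0800] "GET http://WWW.MyServer.net:80/folder1/ HTTP/1.1" 200 5120',
    '198.51.100.9 - - [22/Dec/2005:13:41:03 -0800] "GET /folder1/index_html HTTP/1.1" 200 1400',
    '203.0.113.5 - - [22/Dec/2005:13:41:05 -0800] "-" 408 -',
]
```

A 'review' verdict is a prompt to repeat that request against your own server and compare the response body with your own content; it is not proof that anything was relayed.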
Re: [Zope] apache open proxy configuration problem
Hey All..

I'm following up on this thread after lots of different configuration attempts, reinstalling apache2 from source, more configuration attempts, banging my head against the wall, and endless troubleshooting.. Unfortunately I am still failing to configure this correctly.

Thankfully the people using my apache as an open proxy are so relentless I only need to start apache for a few seconds to determine if the proxy is still open or not...

So... I've made quite a bit of progress, but I am still at a loss to understand what is going on here.

Possibly this is a question for the apache forum, but I figured some of my fellow zope users might be able to help, since all I'm using apache for is to rewrite for zope, and log access.

I have cleaned up my virtual host directive to only use a single Rewrite Rule (which works):

    RewriteRule ^/(.*) http://192.168.1.32:8080/VirtualHostBase/http/www.myserver.net:80/myfolder/$1 [L,P]

Still the proxy was open and under attack.

I turned off mod_proxy and related proxy modules... But... The P flag in the RewriteRule uses the proxy module though, so the rewrite did not work.

I tried removing the P flag, and it does redirect to the appropriate page, but does not rewrite the URL correctly.

I have tried using all of the following (inside the virtualhost directive, outside of it, and both) to disable the open proxy... none of which have any effect:

    <Directory proxy:*>
        Order Deny,Allow
        Deny from all
        Allow from www.myserver.net
    </Directory>

    ProxyRequests Off

I attempted to use

    ProxyBlock *

Which was effective, but also killed the rewrite rule.

Can anyone offer me a decisive way to kill off this open proxy? I'm getting so frustrated with it I'm considering just ditching apache entirely and running zope on port 80. Of course this would mean no virtual hosts, but I can live with that in this case.

Please help!

Thanks!

-ed

Kanealii, Priam Mr KRS wrote:
> I abandoned mod_proxy for mod_rewrite. Security-wise, mod_rewrite had less to worry about (this is important when website administration changes hands). The sample configuration below shows how to handle Zope resource quirks and how to proxy requests to and from folders in Zope (both tested). The last rule is my guess at what proxy everything to and from Zope would look like (untested). Apache is listening on 80 and routes requests to a Zope instance listening on 8080.
>
>     <IfModule mod_rewrite.c>
>     RewriteEngine On
>     RewriteLog /path/to/rewrite_log
>
>     # Zope serves some system-ish content from p_ and misc_.
>     RewriteRule ^/p_(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/p_$1 [L,P]
>     RewriteRule ^/misc_(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/misc_$1 [L,P]
>
>     # Apache folders served by Zope folders.
>     RewriteRule ^/folder1(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/folder1$1 [L,P]
>     RewriteRule ^/folder2(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/folder2$1 [L,P]
>
>     # Push everything to Zope?
>     RewriteRule ^(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/$1 [L,P]
>     </IfModule>
>
> Aloha,
> Priam
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Colmar
> Sent: Saturday, October 15, 2005 9:19 AM
> To: zope@zope.org
> Subject: [Zope] apache open proxy configuration problem
>
> I've been running zope through apache for years and years now, and I have a new machine set up with apache 2.0.48 and zope (Zope 2.8.0-final, python 2.3.5, linux2)
>
> Using Identical Vhost configuration settings from an old machine all has been well, up until about 5 days ago, when I noticed the machine getting slammed, and weird logs started showing up like:
>
> xxx.xxx.xxx.xxx - - [14/Oct/2005:14:09:06 -0700] GET http://partners.mygeek.com:80/search.jsp?partnerid=98885pagesize=12 http://partners.mygeek.com:80/search.jsp?partnerid=98885pagesize=12 HTTP/1.1 403 406
>
> (IP removed to protect the guilty)
>
> In my quick research to try to determine the problem, I found people advising to turn ProxyRequests Off, which I did, but did not have any effect.
>
> Luckily this is just a development server, not a live production server, so it's not super critical, but I'm nervous now that my production server might be in the same state...
>
> Here is a sample vhost.conf entry:
>
>     NameVirtualHost 192.168.1.32
>     <VirtualHost 192.168.1.32>
>     ServerName www.greengraphics.net
>     ServerPath /var/www/greengraphics/www
>     DocumentRoot /var/www/greengraphics/www
>     ServerAdmin webmaster
>     RewriteEngine On
>     TransferLog logs/Vhost-greengraphics-access.log
>     ProxyRequests Off
>     <Proxy *>
>     Order deny,allow
>     Allow from all
>     </Proxy>
>     ProxyPass / http://192.168.1.32:8080/VirtualHostBase/http/www.greengraphics.net:80/greengraphics/VirtualHostRoot/
>     ProxyPassReverse /
Re: [Zope] apache open proxy configuration problem
On 21 Dec 2005, at 23:09, Ed Colmar wrote:
> Hey All..
>
> I'm following up on this thread after lots of different configuration attempts, reinstalling apache2 from source, more configuration attempts, banging my head against the wall, and endless troubleshooting.. Unfortunately I am still failing to configure this correctly.

Don't get me wrong, but have you ever tried a forum where people *really* know Apache well, like an Apache forum? Yes, most of us use it in some way, but few are experts. Real Apache gurus will probably be able to pinpoint your particular problem better.

jens
Re: [Zope] apache open proxy configuration problem
Ed Colmar wrote:
> Hey All..
>
> I'm following up on this thread after lots of different configuration attempts, reinstalling apache2 from source, more configuration attempts, banging my head against the wall, and endless troubleshooting.. Unfortunately I am still failing to configure this correctly.
>
> Thankfully the people using my apache as an open proxy are so relentless I only need to start apache for a few seconds to determine if the proxy is still open or not...
>
> So... I've made quite a bit of progress, but I am still at a loss to understand what is going on here.
>
> Possibly this is a question for the apache forum, but I figured some of my fellow zope users might be able to help, since all I'm using apache for is to rewrite for zope, and log access.
>
> I have cleaned up my virtual host directive to only use a single Rewrite Rule (which works):
>
>     RewriteRule ^/(.*) http://192.168.1.32:8080/VirtualHostBase/http/www.myserver.net:80/myfolder/$1 [L,P]
>
> Still the proxy was open and under attack.

I'm wondering where you get the impression you have an open proxy? Given your configuration, no access can go outside your zope. Sure people will try it all the time - but your apache still delivers just your zope content.

Just try it out yourself!
Re: [Zope] apache open proxy configuration problem
Kanealii, Priam Mr KRS wrote:
> RewriteRule ^/p_(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/p_$1 [L,P]

I'm pretty sure that P there means it's still using mod_proxy ;-)

cheers,

Chris

PS: Ed: you can't stop people firing requests at your server, hence the log entries, you just need to make sure you're only responding to the ones you want to!

--
Simplistix - Content Management, Zope Python Consulting
           - http://www.simplistix.co.uk
RE: [Zope] apache open proxy configuration problem
I abandoned mod_proxy for mod_rewrite. Security-wise, mod_rewrite had less to worry about (this is important when website administration changes hands). The sample configuration below shows how to handle Zope resource quirks and how to proxy requests to and from folders in Zope (both tested). The last rule is my guess at what proxy everything to and from Zope would look like (untested). Apache is listening on 80 and routes requests to a Zope instance listening on 8080.

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteLog /path/to/rewrite_log

    # Zope serves some system-ish content from p_ and misc_.
    RewriteRule ^/p_(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/p_$1 [L,P]
    RewriteRule ^/misc_(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/misc_$1 [L,P]

    # Apache folders served by Zope folders.
    RewriteRule ^/folder1(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/folder1$1 [L,P]
    RewriteRule ^/folder2(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/folder2$1 [L,P]

    # Push everything to Zope?
    RewriteRule ^(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/$1 [L,P]
    </IfModule>

Aloha,
Priam

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ed Colmar
Sent: Saturday, October 15, 2005 9:19 AM
To: zope@zope.org
Subject: [Zope] apache open proxy configuration problem

I've been running zope through apache for years and years now, and I have a new machine set up with apache 2.0.48 and zope (Zope 2.8.0-final, python 2.3.5, linux2)

Using Identical Vhost configuration settings from an old machine all has been well, up until about 5 days ago, when I noticed the machine getting slammed, and weird logs started showing up like:

xxx.xxx.xxx.xxx - - [14/Oct/2005:14:09:06 -0700] GET http://partners.mygeek.com:80/search.jsp?partnerid=98885=12 HTTP/1.1 403 406

(IP removed to protect the guilty)

In my quick research to try to determine the problem, I found people advising to turn ProxyRequests Off, which I did, but did not have any effect.

Luckily this is just a development server, not a live production server, so it's not super critical, but I'm nervous now that my production server might be in the same state...

Here is a sample vhost.conf entry:

    NameVirtualHost 192.168.1.32
    <VirtualHost 192.168.1.32>
    ServerName www.greengraphics.net
    ServerPath /var/www/greengraphics/www
    DocumentRoot /var/www/greengraphics/www
    ServerAdmin webmaster
    RewriteEngine On
    TransferLog logs/Vhost-greengraphics-access.log
    ProxyRequests Off
    <Proxy *>
    Order deny,allow
    Allow from all
    </Proxy>
    ProxyPass / http://192.168.1.32:8080/VirtualHostBase/http/www.greengraphics.net:80/greengraphics/VirtualHostRoot/
    ProxyPassReverse / http://192.168.1.32:8080/VirtualHostBase/http/www.greengraphics.net:80/greengraphics/VirtualHostRoot/
    </VirtualHost>

mod_proxy.conf looks like:

    <IfDefine HAVE_PROXY>
    <IfModule !mod_proxy.c>
    LoadModule proxy_module modules/mod_proxy.so
    #LoadModule proxy_connect_module modules/mod_proxy_connect.so
    #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    </IfModule>
    </IfDefine>

    <IfModule mod_proxy.c>
    #
    # Proxy Server directives. Uncomment the following lines to
    # enable the proxy server:
    #
    ProxyRequests Off

    <Proxy *>
    Order deny,allow
    Deny from all
    # Allow from .your-domain.com
    </Proxy>

    #
    # Enable/disable the handling of HTTP/1.1 Via: headers.
    # (Full adds the server version; Block removes all outgoing Via: headers)
    # Set to one of: Off | On | Full | Block
    #
    ProxyVia On
    # End of proxy directives.
    </IfModule>

any suggestions? places to look to verify security?

Thanks!

-ed