https://bz.apache.org/bugzilla/show_bug.cgi?id=64982

            Bug ID: 64982
           Summary: ProxyBlock blocks too many websites
           Product: Apache httpd-2
           Version: 2.4.46
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_proxy
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

My Apache configuration contains a list of advertising, telemetry and tracking
hostnames/domains which should be blocked with the Apache mod_proxy module.
Some of them are served on CDNs and big cloud networks with many IP addresses.

<IfModule mod_proxy.c>
        ProxyRequests On
        ProxyVia On
        AllowCONNECT 443 81

        <Proxy *>
          Require ip 192.168.2.0/255.255.255.0 127.0.0.0/255.0.0.0 ::1
        </Proxy>

        # the ProxyBlock list is not complete
        ProxyBlock data.flurry.com fast.fonts.net meetrics.net chartbeat.net \
                   services.disqus.com realtime.services.disqus.com adform.net \
                   refinedads.com adroll.com
</IfModule>

Unfortunately ProxyBlock not only blocks the given hostnames/domains, but also
all IP addresses of the hostnames/domains. As a result Apache often answers
normal web requests with HTTP/1.1 403 Forbidden. Often advertising, telemetry
and tracking networks use the same CDNs and cloud servers as normal websites.
This is very annoying and makes ProxyBlock useless at least for using the WWW
interactively with an Apache proxy. Maybe the current ProxyBlock
implementation was useful some years ago.

One example:

https://www.real.de/product/333757966/ does not show images. The images are on
the domain media.real-onlineshop.de (e.g.
https://media.real-onlineshop.de/images/items/original/eb07a26075e75a63084cde822cf5cc0c.jpg).
Some testing shows that realtime.services.disqus.com and
media.real-onlineshop.de share the same IP (at least here and today - see my
"host" output).

# host realtime.services.disqus.com
realtime.services.disqus.com is an alias for d3kh1c1apu7ke8.cloudfront.net.
d3kh1c1apu7ke8.cloudfront.net has address 65.9.73.88
d3kh1c1apu7ke8.cloudfront.net has address 65.9.73.96 << this IP
[...]
# host media.real-onlineshop.de
media.real-onlineshop.de is an alias for d931e6ife1ogn.cloudfront.net.
d931e6ife1ogn.cloudfront.net has address 65.9.73.96 << this IP
[...]

Documentation says:
1) "The ProxyBlock directive specifies a list of words, hosts and/or domains,
separated by spaces."
2) "HTTP, HTTPS, and FTP document requests to sites whose names contain matched
words, hosts or domains are blocked by the proxy server."
3) "The proxy module will also attempt to determine IP addresses of list items
which may be hostnames during startup, and cache them for match test as well.
That may slow down the startup time of the server."

The problem is point 3). Is this really necessary?

My suggestion is to create a new ProxyBlock directive which only blocks domains
and hostnames, maybe also explicitly given IP addresses and networks.

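
Added example, not part of the original report and not mod_proxy code: a simplified Python model of the behaviour in documentation points 2) and 3), showing how an IP cached at startup for a blocked name also blocks an unrelated site on the same CDN address. The resolver table is constructed from the "host" output quoted in the report; www.example.org, 192.0.2.10 and all function names are assumptions made for the illustration.

```python
"""Simplified model of the ProxyBlock behaviour described in this report.
Not mod_proxy code. DNS answers come from a static table so it runs offline."""

# Constructed resolver table (addresses from the report's "host" output).
DNS = {
    "realtime.services.disqus.com": {"65.9.73.88", "65.9.73.96"},
    "media.real-onlineshop.de": {"65.9.73.96"},
    "www.example.org": {"192.0.2.10"},  # constructed control host
}
BLOCKLIST = ["data.flurry.com", "realtime.services.disqus.com", "adroll.com"]

def resolve(name):
    return DNS.get(name.lower(), set())

def build_ip_cache(blocklist):
    """Point 3: resolve list items at startup and cache their addresses."""
    cache = {}
    for item in blocklist:
        for ip in resolve(item):
            cache.setdefault(ip, set()).add(item)
    return cache

def name_match(host, blocklist):
    """Point 2: a request is blocked when its name contains a list item."""
    return [item for item in blocklist if item.lower() in host.lower()]

def decide(host, blocklist, ip_cache=None):
    """Return (blocked, reason). ip_cache=None models name-only matching."""
    hits = name_match(host, blocklist)
    if hits:
        return True, "name matches " + hits[0]
    if ip_cache:
        for ip in sorted(resolve(host)):
            if ip in ip_cache:
                return True, f"{ip} shared with " + ", ".join(sorted(ip_cache[ip]))
    return False, "allowed"

def collateral(hosts, blocklist):
    """Hosts blocked only through a cached IP, never by their name."""
    cache = build_ip_cache(blocklist)
    return {h: decide(h, blocklist, cache)[1] for h in hosts
            if not name_match(h, blocklist) and decide(h, blocklist, cache)[0]}

if __name__ == "__main__":
    cache = build_ip_cache(BLOCKLIST)
    for h in DNS:
        print(h, "| with IP cache:", decide(h, BLOCKLIST, cache),
              "| name only:", decide(h, BLOCKLIST))
    print("collateral:", collateral(DNS, BLOCKLIST))
```

Running collateral() over a list of sites that must stay reachable gives a quick audit of which blocklist entries share addresses with them at the time of resolution.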