The response I received from Jason in r.e. this bugtraq post made one especially good documentation point;
>The final statements in the ProxyRequests directive documentation are;
>
>http://httpd.apache.org/docs/mod/mod_proxy.html#proxyrequests
>
> "This allows or prevents Apache from functioning as a proxy server.
> Setting ProxyRequests to 'off' does not disable use of the
> <http://httpd.apache.org/docs/mod/mod_proxy.html#proxypass>ProxyPass
> directive."

He suggests the converse comment in the ProxyPass directive, that ProxyRequests does not affect the ProxyPass directive, and should not be enabled for reverse proxy configurations.

Bill

At 05:30 PM 7/22/2003, William A. Rowe, Jr. wrote:
>The Security Team responded 13 minutes after Jason's initial report,
>attempting to explain how he had misconfigured his server. While we
>acknowledge that new directives might be desirable in limited cases,
>the team determined that this is clearly a user configuration error.
>
>The Apache HTTP Server Documentation Project has been working
>to improve and further clarify the risks of open proxies, including open
>faux-HTTP proxies into SMTP servers. They actively solicit contributions
>to the documentation (preferably with a patch) for any ambiguous or
>insufficiently covered topics;
>
> http://httpd.apache.org/docs-project/
>
>More details follow;
>
>At 11:52 AM 7/22/2003, Jason Robertson wrote:
>>I have found that recently a spammer has been using a mod_proxy
>>configuration, (that was meant to allow for an easier transition to a
>>new naming scheme, as well as changes to a backend software) as a spam
>>relay.
>>The spammer has been using HTTP POST requests to send these messages
>>with POST HTTP://mailserver:25/ HTTP/1.1
>>With some research it looks like this is an automated process including
>>the initial scan stage.
>>
>>When I contacted Apache in regards to this, the response was not very
>>promising.
>>
>>This problem would be a simple fix with implementing the AllowConnect
>>configuration option within proxy_http, to prevent outbound
>>connections.
>
>As described in the default configuration, open proxies are never
>recommended [from Apache 1.3.27 conf/httpd.conf-dist];
>
>#
># Proxy Server directives. Uncomment the following lines to
># enable the proxy server:
>#
>#<IfModule mod_proxy.c>
>#    ProxyRequests On
>
>#    <Directory proxy:*>
>#        Order deny,allow
>#        Deny from all
>#        Allow from .your-domain.com
>#    </Directory>
>
>    #
>    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
>    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
>    # Set to one of: Off | On | Full | Block
>    #
>#    ProxyVia On
>
>    #
>    # To enable the cache as well, edit and uncomment the following lines:
>    # (no cacheing without CacheRoot)
>    #
>#    CacheRoot "@@ServerRoot@@/proxy"
>#    CacheSize 5
>#    CacheGcInterval 4
>#    CacheMaxExpire 24
>#    CacheLastModifiedFactor 0.1
>#    CacheDefaultExpire 1
>#    NoCache a-domain.com another-domain.edu joes.garage-sale.com
>
>#</IfModule>
># End of proxy directives.
>
>If (for the purposes of collecting several machines' collective content)
>you are attempting to ProxyPass a number of URIs to different boxes,
>you should NOT be enabling ProxyRequests.
>
>The final statements in the ProxyRequests directive documentation are;
>
>http://httpd.apache.org/docs/mod/mod_proxy.html#proxyrequests
>
> "This allows or prevents Apache from functioning as a proxy server.
> Setting ProxyRequests to 'off' does not disable use of the
> <http://httpd.apache.org/docs/mod/mod_proxy.html#proxypass>ProxyPass
> directive."
>
> "Warning: Do not enable proxying until you have
> <http://httpd.apache.org/docs/mod/mod_proxy.html#access>secured your server.
> Open proxy servers are dangerous both to your network and to the
> Internet at large."
>
>Access control is briefly illustrated further with additional references in;
>
>http://httpd.apache.org/docs/mod/mod_proxy.html#access
>
>Bill
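The configuration error discussed in this thread, shown as an added example (not part of the mailing-list exchange or of Apache's distributed httpd.conf): the same ProxyPass mapping, first with ProxyRequests wrongly turned on, then as a reverse proxy only. The hostname and paths are assumed for illustration.

```apache
# MISCONFIGURED: ProxyRequests On turns on forward proxying for anyone who
# can reach this server. The ProxyPass mapping below is what the admin
# actually wanted, but it works without ProxyRequests, so the directive
# only adds an open proxy that will relay requests like
# "POST http://mailserver:25/ HTTP/1.1" to arbitrary hosts.
<IfModule mod_proxy.c>
    ProxyRequests On
    ProxyPass        /old-app/ http://backend.example.internal/app/
    ProxyPassReverse /old-app/ http://backend.example.internal/app/
</IfModule>

# CORRECTED: reverse proxy only. Per the ProxyRequests documentation quoted
# above, "off" does not disable ProxyPass, so the mapping keeps working
# while requests for absolute URIs (forward-proxy use) are refused.
<IfModule mod_proxy.c>
    ProxyRequests Off
    ProxyVia On
    ProxyPass        /old-app/ http://backend.example.internal/app/
    ProxyPassReverse /old-app/ http://backend.example.internal/app/
</IfModule>
# If a forward proxy is genuinely required, keep ProxyRequests On but add the
# <Directory proxy:*> access-control block from httpd.conf-dist so that only
# your own networks can use it; never leave it reachable from the Internet.
```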
