Hi,
I'm hoping that I've gotten onto the right list.
I'd like to make a suggestion for documenting the mod_proxy vulnerability to
being a spam relay. I agree that it's a user config issue (mea culpa), but
there wasn't much in the docs that gave me the impression that mod_proxy was
so powerful. Also, I'm using 1.3 as a reverse proxy, and the docs focus on
securing a forward proxy. The 2.0 docs mention using mod_proxy as a reverse
proxy, but still only allude to the <Directory> directive for securing it.
I saw a few messages via MARC discussing the issue today, so here I am,
jumping in.
When I discovered that my mod_proxy was being exploited, I googled a bit and
came up with putting the following into httpd.conf:

    <LocationMatch "^[^/]">
        Deny from all
    </LocationMatch>

Sure enough, my logs go from

    [Sun Jun 22 08:38:33 2003] [error] (13)Permission denied: proxy: utimes(/var/cache/httpd/.time)

to

    [Sun Jul 20 05:11:36 2003] [error] [client 203.98.164.132] client denied by server configuration: proxy:http://111.22.123.4:25/

I also added that LocationMatch directive in my SSL section. So, unless I've
missed something important, I recommend that including those lines in the
default httpd.conf will keep the proxy from being exploited. I don't know if
there's a run-time hit on performance, or any other issues that might make
this a bad idea.
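
Added example, not part of the original message and not Apache project code: a Python check that pulls refused proxy requests out of an error log in the format quoted above and reports which clients were aiming at an SMTP port. Only the first sample line comes from the message; the other log lines, the function names and the port tables are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Error-log shape taken from the "client denied" line quoted in the message.
DENIED = re.compile(
    r"^\[[^\]]+\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"client denied by server configuration: proxy:(?P<target>\S+)$"
)
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}  # assumed defaults
MAIL_PORTS = {25}  # SMTP, the relay target seen in the message's log line

# Constructed sample input: the first line is the one quoted in the message,
# the rest are made up (documentation address ranges) to exercise the parser.
SAMPLE_LOG = """\
[Sun Jul 20 05:11:36 2003] [error] [client 203.98.164.132] client denied by server configuration: proxy:http://111.22.123.4:25/
[Sun Jul 20 05:11:40 2003] [error] [client 203.98.164.132] client denied by server configuration: proxy:http://198.51.100.7:25/
[Sun Jul 20 05:12:02 2003] [error] [client 192.0.2.44] client denied by server configuration: proxy:http://www.example.com/
[Sun Jul 20 05:12:10 2003] [error] [client 192.0.2.44] client denied by server configuration: /var/www/html/private
[Sun Jun 22 08:38:33 2003] [error] (13)Permission denied: proxy: utimes(/var/cache/httpd/.time)
""".splitlines()


def denied_proxy_attempts(lines):
    """Yield (client, host, port) for each refused proxy request."""
    for line in lines:
        m = DENIED.match(line.strip())
        if not m:
            continue  # other errors, or denials of ordinary local paths
        url = urlsplit(m.group("target"))
        try:
            port = url.port or DEFAULT_PORTS.get(url.scheme)
        except ValueError:  # non-numeric or out-of-range port in the target
            port = None
        yield m.group("client"), url.hostname, port


def summarize(lines):
    """Map each client to a Counter of the (host, port) pairs it asked for."""
    per_client = defaultdict(Counter)
    for client, host, port in denied_proxy_attempts(lines):
        per_client[client][(host, port)] += 1
    return dict(per_client)


def mail_relay_clients(lines):
    """Sorted list of clients whose refused requests aimed at an SMTP port."""
    return sorted({c for c, _, p in denied_proxy_attempts(lines) if p in MAIL_PORTS})
```

Feeding it the real error log (for example `summarize(open(path))`, with `path` pointing at the server's error log) gives a per-client view of what the deny rule has been turning away.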