So you haven't been issuing a CONNECT command yourself using telnet as
prior email sort of suggested you might?

Can you try:

  telnet myhost.com 443

Does that get refused outright or accepted?

Any chance you have Listen for 443 enabled in Apache config?

You said that you only had Listen for 8080, but for standard ASF
config layout Listen for port 443 isn't in that file, instead it is
in:

  extra/httpd-ssl.conf

so, if you had uncommented:

  # Secure (SSL/TLS) connections
  #Include /private/etc/apache2/extra/httpd-ssl.conf

in main Apache config, then that is the only possible way that CONNECT
would be coming in.

If you aren't doing HTTPS connections, then ensure that Include line
is commented out.

Graham

On 27 December 2011 13:52, Fang Jiaguo <jgfang...@gmail.com> wrote:
> I have added the <Limit CONNECT> directive. But CONNECT is rarely
> happening, so currently I haven't captured any CONNECT in the access log.
>
> My steps are: open cmd -> type "telnet myhost.com 8080" -> then type
> "GET http://gs.163.com/" -> then in the error log, it creates an interpreter
> for 'myhost.com|'
>
> On Dec 27, 10:18 am, Graham Dumpleton <graham.dumple...@gmail.com>
> wrote:
>> I am not asking what tool they are using. From what I read you said
>> you used telnet to replicate the same thing. If that is the case I
>> want to know what you actually entered into telnet.
>>
>> BTW, the people who are most likely using CONNECT against your server
>> are trying to see if it is vulnerable to attack through various
>> security holes in some Apache versions. Did you even put in place the
>> Limit directive I told you to?
>>
>> Graham
>>
>> On 27 December 2011 13:07, Fang Jiaguo <jgfang...@gmail.com> wrote:
>>
>> > It's just a script I intend to simulate. No matter what it is, I still
>> > got some real requests last night as my server was running. I don't know
>> > which tool these people are using, telnet or some automatic tool.
>>
>> > 110.7.115.241 - - [26/Dec/2011:23:36:43 +0800] "GET http://gs.163.com/ HTTP/1.1" 404 29
>> > 124.237.78.181 - - [27/Dec/2011:08:03:29 +0800] "GET http://g.ha99y.com/R.asp?P=123.157.218.85:8080 HTTP/1.1" 404 29
>>
>> > On Dec 27, 9:45 am, Graham Dumpleton <graham.dumple...@gmail.com>
>> > wrote:
>> >> Can you provide exactly what you were providing when using telnet? You said:
>>
>> >>    telnet myhost.com 8080
>> >>    GET http://gs.163.com/
>> >>    CONNECT mail3.xps.idv.tw:25
>>
>> >> but that is actually invalid as far as what you can provide for an HTTP request.
>>
>> >> So, please provide an exact transcript of what you were doing.
>>
>> >> Graham
>>
>> >> On 27 December 2011 02:48, Fang Jiaguo <jgfang...@gmail.com> wrote:
>>
>> >> > I have added the following to the apache conf. But I still get the same result
>> >> > as before.
>>
>> >> > NameVirtualHost *:8080
>> >> > <VirtualHost *:8080>
>> >> > ServerName myhost.com
>> >> > </VirtualHost>
>> >> > On Dec 26, 5:54 pm, Graham Dumpleton <graham.dumple...@gmail.com>
>> >> > wrote:
>> >> >> On 26 December 2011 19:33, Jiaguo Fang <jgfang...@gmail.com> wrote:
>>
>> >> >> > Hi Graham, I haven't set any proxies. I will try your advice to add
>> >> >> > only what I really need.
>>
>> >> >> I was not advising you to only add what you really think you need.
>> >> >> Throwing away the whole file and then adding stuff on top of an empty
>> >> >> file is actually bad practice and I wanted to make sure you were NOT
>> >> >> doing that.
>>
>> >> >> You should always use the sample Apache configuration file and add on
>> >> >> top of that.
>>
>> >> >> You should also read up about the NameVirtualHost and VirtualHost
>> >> >> directives and properly use them. If you use VirtualHost that may in
>> >> >> itself solve the problem. It may be the case that CONNECT allows
>> >> >> you to do what you are able to do if VirtualHost is not used.
>>
>> >> >> Graham
>>
>> >> >> > On Dec 26, 3:48 pm, Graham Dumpleton <graham.dumple...@gmail.com>
>> >> >> > wrote:
>> >> >> >> And if you haven't set them, have you done what I have seen many
>> >> >> >> Windows people do, and even some UNIX people, which is to throw away
>> >> >> >> completely the default Apache configuration and start with an empty
>> >> >> >> file, adding only what you think you need?
>>
>> >> >> >> Doing that to me is a recipe for disaster as you have no idea what the
>> >> >> >> Apache defaults are. One default is that Apache is allowed to serve
>> >> >> >> files from anywhere on a file system if there is some Alias mapping
>> >> >> >> that permits it in some way.
>>
>> >> >> >> Graham
>>
>> >> >> >> On 26 December 2011 18:44, Graham Dumpleton <graham.dumple...@gmail.com> wrote:
>>
>> >> >> >> > What are the ProxyRequests and ProxyVia directives set to in the Apache config
>> >> >> >> > if defined? Eg:
>>
>> >> >> >> >  ProxyRequests On
>> >> >> >> >  ProxyVia On
>>
>> >> >> >> > Is the Proxy directive used at all? Eg:
>>
>> >> >> >> >  <Proxy *>
>> >> >> >> >  Order deny,allow
>> >> >> >> >  Deny from all
>> >> >> >> >  Allow from internal.example.com
>> >> >> >> >  </Proxy>
>>
>> >> >> >> > If you have forward proxy enabled and no VirtualHost, then likely
>> >> >> >> > Apache is accepting any CONNECT to any port.
>>
>> >> >> >> > Open forward proxying is a security risk and when used should be locked down.
>>
>> >> >> >> > So, this may be an artefact of an insecure Apache configuration.
>>
>> >> >> >> > Graham
>>
>> >> >> >> > On 26 December 2011 17:20, Jiaguo Fang <jgfang...@gmail.com> wrote:
>>
>> >> >> >> >> My development environment is Windows + mod_wsgi 3.3 + Python 2.7 + Apache 2.2.
>>
>> >> >> >> >> I have set up apache to listen to port 8080 and use default settings
>> >> >> >> >> for the other apache configuration, meaning there is no VirtualHost/
>> >> >> >> >> ServerName/ServerAlias...
>>
>> >> >> >> >> Here are the settings for wsgi:
>> >> >> >> >> WSGIScriptReloading Off
>> >> >> >> >> WSGIScriptAlias / "E:/eclipse workspace/SubscriptionServer/src/business/dispatcher.py"
>> >> >> >> >> WSGIPythonPath "E:/eclipse workspace/SubscriptionServer/src"
>>
>> >> >> >> >> <Directory "E:/eclipse workspace/SubscriptionServer">
>> >> >> >> >>    Order deny,allow
>> >> >> >> >>    Allow from all
>> >> >> >> >> </Directory>
>>
>> >> >> >> >> Now I have met the problem that apache will create interpreters for
>> >> >> >> >> each port accessed by users, as the apache logs show below.
>> >> >> >> >> [error.log]
>> >> >> >> >>    [Sat Dec 24 22:14:34 2011] [info] mod_wsgi (pid=4956): Create interpreter 'myhost.com:8080|'.
>> >> >> >> >>    [Sat Dec 24 22:14:34 2011] [info] mod_wsgi (pid=4956): Adding 'E:/eclipse workspace/SubscriptionServer/src' to path.
>> >> >> >> >>    [Sat Dec 24 22:14:34 2011] [info] [client 10.27.7.110] mod_wsgi (pid=4956, process='', application='myhost.com:8080|'): Loading WSGI script 'E:/eclipse workspace/SubscriptionServer/src/business/dispatcher.py'.
>> >> >> >> >>    [Sat Dec 24 23:38:41 2011] [info] mod_wsgi (pid=4956): Create interpreter 'myhost.com|'.
>> >> >> >> >>    [Sat Dec 24 23:38:41 2011] [info] mod_wsgi (pid=4956): Adding 'E:/eclipse workspace/SubscriptionServer/src' to path.
>> >> >> >> >>    [Sat Dec 24 23:38:41 2011] [info] [client 110.7.115.125] mod_wsgi (pid=4956, process='', application='myhost.com|'): Loading WSGI script 'E:/eclipse workspace/SubscriptionServer/src/business/dispatcher.py'.
>> >> >> >> >>    [Sun Dec 25 09:04:50 2011] [info] mod_wsgi (pid=4956): Create interpreter 'myhost.com:25|'.
>> >> >> >> >>    [Sun Dec 25 09:04:50 2011] [info] mod_wsgi (pid=4956): Adding 'E:/eclipse workspace/SubscriptionServer/src' to path.
>> >> >> >> >>    [Sun Dec 25 09:04:50 2011] [info] [client 118.161.243.186] mod_wsgi (pid=4956, process='', application='myhost.com:25|'): Loading WSGI script 'E:/eclipse workspace/SubscriptionServer/src/business/dispatcher.py'.
>>
>> >> >> >> >> [access.log]
>> >> >> >> >>    110.7.115.125 - - [24/Dec/2011:23:38:41 +0800] "GET http://gs.163.com/ HTTP/1.1" 404 29
>> >> >> >> >>    118.161.243.186 - - [25/Dec/2011:09:04:50 +0800] "CONNECT mail3.xps.idv.tw:25 HTTP/1.0" 404 29
>>
>> >> >> >> >> As you can see from the access log, these two requests will cause apache
>> >> >> >> >> to create the 80 and 25 interpreters. I don't know where they come
>> >> >> >> >> from (proxy detecting?). But I can simulate them through telnet.
>> >> >> >> >>    telnet myhost.com 8080
>> >> >> >> >>    GET http://gs.163.com/
>> >> >> >> >>    CONNECT mail3.xps.idv.tw:25
>>
>> >> >> >> >> Then when I shut down apache, no matter how many interpreters it
>> >> >> >> >> creates, it only destroys the 8080 interpreter. This is another odd
>> >> >> >> >> discovery.
>> >> >> >> >>    [Sun Dec 25 15:04:01 2011] [info] mod_wsgi (pid=4956): Destroying interpreters.
>> >> >> >> >>    [Sun Dec 25 15:04:01 2011] [info] mod_wsgi (pid=4956): Destroy interpreter 'myhost.com:8080|'.
>> >> >> >> >>    [Sun Dec 25 15:04:29 2011] [notice] Parent: Forcing termination of child process 234
>> >> >> >> >>    [Sun Dec 25 15:04:29 2011] [info] removed PID file C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/httpd.pid (pid=4608)
>>
>> >> >> >> >> I only want apache to listen to 8080 and create the 8080 interpreter and
>> >> >> >> >> prevent the others. I believe there are some settings I have missed,
>> >> >> >> >> apache or firewall? But how can I do this?
>>
>>
>>
>>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"modwsgi" group.
To post to this group, send email to modwsgi@googlegroups.com.
To unsubscribe from this group, send email to 
modwsgi+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/modwsgi?hl=en.
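Added example, not code from the thread or from mod_wsgi: a small Python script that (a) flags the forward-proxy style requests the original poster saw in access.log (CONNECT tunnels and GETs with an absolute URL as target), since the error log shows mod_wsgi naming a fresh interpreter after each requested host:port, and (b) audits an httpd.conf fragment for the points Graham walks through: ProxyRequests On without a <Proxy> block, an uncommented Include of httpd-ssl.conf, and a Listen port with no matching VirtualHost. The two log lines are the ones quoted in the thread; the third log line and both config fragments are constructed for the example, and the hardened fragment simply applies the advice given above (ProxyRequests Off, a VirtualHost for the port, CONNECT denied via <Limit>).

```python
# Added example (not from the thread): flag proxy probes in Apache access-log
# lines and audit an httpd.conf fragment for the settings discussed above.
import re
from typing import Dict, List

# Apache "common" log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# First two lines are quoted in the thread; the third is constructed.
SAMPLE_LOG = [
    '110.7.115.125 - - [24/Dec/2011:23:38:41 +0800] "GET http://gs.163.com/ HTTP/1.1" 404 29',
    '118.161.243.186 - - [25/Dec/2011:09:04:50 +0800] "CONNECT mail3.xps.idv.tw:25 HTTP/1.0" 404 29',
    '10.27.7.110 - - [24/Dec/2011:22:14:34 +0800] "GET / HTTP/1.1" 200 512',
]


def classify_request(request_line: str) -> str:
    """'connect' for a CONNECT tunnel attempt, 'absolute-uri' when the target
    is a full URL (forward-proxy style), 'normal' for a plain path."""
    parts = request_line.split()
    if len(parts) < 2:
        return 'malformed'
    method, target = parts[0].upper(), parts[1]
    if method == 'CONNECT':
        return 'connect'
    if re.match(r'^[a-z][a-z0-9+.-]*://', target, re.I):
        return 'absolute-uri'
    return 'normal'


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """One finding per proxy-style request. In the thread each such request
    made mod_wsgi create an interpreter named after the requested host:port."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a common-format line; skip rather than guess
        kind = classify_request(m.group('request'))
        if kind != 'normal':
            findings.append({'host': m.group('host'), 'kind': kind,
                             'request': m.group('request'),
                             'status': int(m.group('status'))})
    return findings


def audit_httpd_conf(conf_text: str) -> List[str]:
    """Flag the configuration points raised in the thread. Comments are
    stripped first, so a commented-out Include of httpd-ssl.conf is fine."""
    active = [raw.split('#', 1)[0].strip() for raw in conf_text.splitlines()]
    conf = '\n'.join(line for line in active if line)
    flags = re.I | re.M
    issues = []
    if re.search(r'^ProxyRequests\s+On\b', conf, flags):
        issues.append('ProxyRequests On: forward proxying (and CONNECT) is enabled')
        if not re.search(r'^<Proxy\b', conf, flags):
            issues.append('no <Proxy> block restricting who may use the proxy')
    if re.search(r'^Include\s+\S*httpd-ssl\.conf', conf, flags):
        issues.append('httpd-ssl.conf is included: it carries its own Listen for 443')
    for port in re.findall(r'^Listen\s+(?:\S*:)?(\d+)', conf, flags):
        if not re.search(r'^<VirtualHost\s[^>]*:%s>' % port, conf, flags):
            issues.append('Listen %s has no matching <VirtualHost *:%s>' % (port, port))
    return issues


# Constructed fragment of the shape described in the thread: forward proxy on,
# nothing restricting it, and no VirtualHost for the port Apache listens on.
WEAK_CONF = """\
Listen 8080
ProxyRequests On
# Secure (SSL/TLS) connections
#Include /private/etc/apache2/extra/httpd-ssl.conf
WSGIScriptAlias / "E:/eclipse workspace/SubscriptionServer/src/business/dispatcher.py"
"""

# The same fragment with the advice from the thread applied (constructed).
HARDENED_CONF = """\
Listen 8080
ProxyRequests Off
NameVirtualHost *:8080
<VirtualHost *:8080>
    ServerName myhost.com
    <Location />
        <Limit CONNECT>
            Order deny,allow
            Deny from all
        </Limit>
    </Location>
    WSGIScriptAlias / "E:/eclipse workspace/SubscriptionServer/src/business/dispatcher.py"
</VirtualHost>
"""

if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        print('%(kind)-12s %(host)-16s %(status)s  %(request)s' % f)
    for label, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(label, audit_httpd_conf(conf) or 'no issues')
```

Run as a script it lists the two proxy-style requests from the thread and reports three issues for the weak fragment and none for the hardened one. The audit is deliberately line-oriented and regex-based: it checks only the directives the thread discusses and will not understand conditional sections or directives set in other included files, so treat it as a first pass over a single httpd.conf, not a replacement for `httpd -S` and reading the Apache proxy documentation.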
