New modproxy config creates open proxies  (#3957)

In the modproxy config files in the latest WRE, this line:

RewriteRule ^/(.*) http://%{HTTP_HOST}:8081/$1 [P]

creates an open proxy server. This is usually somewhat benign as the destination port is hard-coded as 8081 by default. But if you change your configuration to point at another host on port 80 for the modperl server (as I did, for legitimate but unrelated reasons), then you now have an open HTTP proxy server on your hands. By that I mean you can go into your web browser's config and enter "" and port 80 as the HTTP proxy server to use and it will load every site you ask it to via modproxy in your WRE.

Shortly after I made this change, one of my sites got listed as an open proxy server and the proxied requests were DDOS'ing my server.

The WRE used to hard-code the hostname of the site here, IIRC. I don't know that we necessarily need to return to that, but it shouldn't be left proxying whatever the value of %{HTTP_HOST} is. Maybe %{SERVER_NAME} would be better here?

Solution Summary
7/17/2008 6:11 pm

Adding this rewrite rule seems to help:

RewriteCond %{HTTP_HOST} !.*mywebguisite\.com
RewriteRule ^.*$ - [F]

It says, "If the HTTP_HOST header doesn't match the .*mywebguisite\.com reg exp, then send back a forbidden response code (403)." This has made my server stop proxying openly, and the scanners that check for such things have stopped reporting it as a working open proxy.

7/24/2008 10:41 pm

Fixed for 0.8.4 - rev 7058

It now always proxies to localhost, but uses the ProxyPreserveHost option, so it goes to the correct modperl virtualhost.

This saves a DNS lookup and prevents abuse as an open proxy.

If the modperl and modproxy services were placed on different machines, you just need to point the proxy redirect to the modperl machine's IP address.
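
The three configurations this ticket walks through, side by side, as an added example rather than the WRE's shipped config. It assumes the modproxy vhost listens on port 80, the modperl backend on 127.0.0.1:8081, and uses mywebguisite.com as a placeholder hostname; the anchored RewriteCond pattern is an addition here, because the unanchored pattern in the workaround above also matches any Host header that merely contains mywebguisite.com.

```apache
# Added example; not the WRE's own config. Assumes the modproxy vhost on :80,
# the modperl backend on 127.0.0.1:8081, and mywebguisite.com as a placeholder.
RewriteEngine On

# --- Vulnerable (as reported): the destination host comes from the request ---
# %{HTTP_HOST} is whatever the client sends in its Host: header, and the [P]
# flag hands the rewritten URL straight to mod_proxy, so this forwards to any
# host the client names. ProxyRequests Off (the default) does NOT prevent
# this; it only disables forward-proxy request syntax, not [P] rewrites.
# Left commented out so this file is not itself an open proxy.
#RewriteRule ^/(.*) http://%{HTTP_HOST}:8081/$1 [P]

# --- Workaround from the ticket: refuse any Host: that is not ours ---
# RewriteCond regexes are unanchored searches, so the ticket's pattern
# .*mywebguisite\.com also matches a Host: such as mywebguisite.com.example.
# Anchor it, allow the optional :port a client may send, and ignore case.
RewriteCond %{HTTP_HOST} !^(www\.)?mywebguisite\.com(:[0-9]+)?$ [NC]
RewriteRule ^.*$ - [F]

# --- Fix shipped in 0.8.4: always proxy to a fixed backend ---
# The proxy target is a constant, so the client cannot choose it. The
# client's Host: header is only passed through to the backend so the
# request still reaches the correct modperl virtualhost.
ProxyRequests Off
ProxyPreserveHost On
RewriteRule ^/(.*) http://127.0.0.1:8081/$1 [P,L]
```

The RewriteCond guard and the fixed-backend rule are independent: the second alone closes the open proxy, the first additionally rejects requests for hostnames the site does not serve.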

Ticket Status: Closed
Submitted By: cap10morgan
Date Submitted: 2008-07-17
Assigned To: unassigned
Date Assigned: 2020-06-03
Assigned By:
Severity: Critical (mostly not working)
What's the bug in?: WRE
WebGUI / WRE Version: 0.8.3