Block attempts to use Apache as a proxy server

Q I'm getting entries like the following in my Apache server log: 'GET http://cn.yahoo.com/ HTTP/1.1" 200 291' Note the request for a completely different domain to mine and the protocol prepended to it, which would normally be stripped off. What concerns me is that the server is returning a code of 200. Should I be concerned?

A Yes, you should be concerned. It appears that someone is attempting to use your server as a web proxy. If you have the mod_proxy module loaded and a ProxyRequests directive in one of your configuration files, Apache's proxy server will be activated. Even if proxying is not activated, you could see a log entry like this; if you are using virtual hosting Apache will normally return the homepage for your default virtual host. You should be able to tell from the IP addresses and frequency of these log entries whether this is a single, misconfigured computer or scripted attempts to find suitable servers to exploit.

If the size of the returned page is always the same, irrespective of the URL requested, Apache is returning a local page - probably an error message from the small size. In this case, you are not acting as a proxy for nefarious activities and the only harm done is the extra load on your server and bandwidth to service these requests. You can disable proxying altogether by using the --disable-proxy option when building Apache, or by ensuring that the -D PROXY option is not used when starting Apache. If you are receiving a large number of these requests from robot scripts, you could look at blocking or dropping these addresses with iptables, which would save the server having to reply to them, even with an error.

Follow us on Identi.ca or Twitter

Username:   Password:
Create Account | About TuxRadar