Tags: security, apache2, reverse-proxy, mod-proxy

Configuring mod_proxy for Apache to reject wrong domain requests


Recently, I noticed my website was running slower and slower. I discovered 8 GB of Apache logs on my server (I run a Play!Framework web application on a Debian 6 server) and a completely overloaded bandwidth, which was completely insane for a small personal website with a few views per day.

After investigating and gathering some information, I discovered my mistake: in my Apache configuration, I had uncommented the line "ProxyRequests On", so my server was freely used as a free proxy by everybody in the world. What a shame.

At least, in the meantime, I adjusted my firewall to limit concurrent connections and installed mod_qos for Apache2.

But still, now, instead of forwarding requests to their destination like a good free proxy, all incoming requests are redirected to my web application, whatever the domain is. For example, if someone uses my server thinking it is still a working proxy to search for "young naked children" on Yahoo, he will land on my website. I think now you see my point.

Then, what should I do so that if a request for "http://yahoo.com/whatever" is sent to my server, the request is simply denied?

Here is my current configuration:

  • in /etc/init.d/apache2/sites-available/mysite.fr:

    ProxyRequests Off
    NameVirtualHost *:80
    
    <VirtualHost *:80>
    
         ServerName mysite.fr
         ServerAlias *.mysite.fr
    
         ProxyPreserveHost On
         # Both directives end with a trailing slash so that paths are mapped consistently
         ProxyPass / http://127.0.0.1:9000/ retry=0
         ProxyPassReverse / http://127.0.0.1:9000/
    
         # Uncomment the line below if your site uses SSL.
         #SSLProxyEngine On
    </VirtualHost>
    
  • in /etc/init.d/apache2/mods-available/proxy.conf:

    ProxyRequests Off
    <Proxy *>
    
        AddDefaultCharset off
        Order deny,allow
        Allow from all
    </Proxy>
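
As an added example (not part of the question or the answer), a small Python script that detects the abuse described above from Apache access logs: requests made by forward-proxy clients carry an absolute URI or a CONNECT target in the request line, so counting those per client shows who was using the server as an open proxy and how many bytes were relayed to them. The log lines, the addresses and the site name mysite.fr are constructed for the example.

```python
import re
from collections import Counter

# Apache "combined" log line: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')
# absolute-form target ("GET http://yahoo.com/x") = forward-proxy client; origin-form ("GET /x") = normal visitor
ABSOLUTE_URI_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://(?P<host>[^/:]+)')

def is_own_host(host, own_hosts):
    """True for the site itself or any subdomain of it (the ServerAlias *.mysite.fr case)."""
    host = host.lower()
    return any(host == own or host.endswith("." + own) for own in own_hosts)

def proxy_abuse_requests(lines, own_hosts):
    """Parsed entries that are forward-proxy requests for a host this server does not serve."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip instead of aborting on a multi-GB log
        rec = m.groupdict()
        if rec["method"] == "CONNECT":  # tunnel request: target is host:port
            host = rec["target"].rsplit(":", 1)[0]
        else:
            u = ABSOLUTE_URI_RE.match(rec["target"])
            if not u:
                continue  # origin-form path: an ordinary request to this site
            host = u.group("host")
        if not is_own_host(host, own_hosts):
            rec["foreign_host"] = host.lower()
            hits.append(rec)
    return hits

def summarize(hits):
    # abusive requests per client IP, and bytes relayed through the unintended proxy
    per_client = Counter(h["client"] for h in hits)
    served = sum(int(h["bytes"]) for h in hits if h["bytes"] != "-")
    return per_client, served

# constructed sample lines (RFC 5737 documentation addresses), not taken from any real log
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2013:10:00:01 +0100] "GET http://yahoo.com/whatever HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2013:10:00:02 +0100] "CONNECT mail.example.net:443 HTTP/1.1" 405 320 "-" "curl/7.26.0"',
    '198.51.100.4 - - [10/Jan/2013:10:00:03 +0100] "GET /blog/post HTTP/1.1" 200 2048 "http://mysite.fr/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2013:10:00:04 +0100] "GET http://www.mysite.fr/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jan/2013:10:00:05 +0100] "GET http://example.org:8080/path HTTP/1.0" 200 100 "-" "-"',
]
```

Running `summarize(proxy_abuse_requests(SAMPLE_LOG, {"mysite.fr"}))` on the sample yields two abusive requests from 203.0.113.7 and one from 192.0.2.9; the request for www.mysite.fr in absolute form is a legitimate HTTP/1.1 request to the site itself and is not counted.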
    

Solution

  • I found a solution some months ago and just realized I forgot to share what I found:

    I added a "trash can" virtual host to my Apache2 configuration (declared first in httpd.conf):

    <VirtualHost *:80>
        ServerName stop.spam
        DocumentRoot /var/www/stopspam
        ErrorLog /dev/null
        <Directory /var/www/stopspam>
            Deny from all
        </Directory>
    </VirtualHost>
    

    And I added this to my firewall configuration:

    iptables -I INPUT -d XXX.XXX.XXX.XXX -p tcp --dport 80 -m string --to 700 \
    --algo bm --string 'Host: XXX.XXX.XXX.XXX' -j DROP
    

    This makes the firewall drop requests on port 80 that are sent using my server's IP address instead of a domain name.

    Hope this may help someone else :)