 

Risk of using Apache mod_proxy

I am now exploring the use of Apache's mod_proxy directives, e.g. ProxyPass, as part of a solution for the cross-domain scripting restriction (for HTML/AJAX/Flash code). However, I am afraid that by enabling mod_proxy, I would risk having the server as an open proxy.

What's the risk, and how to minimize the risk, in short?

Thanks.

Nordin asked May 04 '09 14:05



2 Answers

Since you specifically mentioned ProxyPass, I'll assume you're using mod_proxy as a reverse proxy.

If that's the case, just make sure ProxyRequests is off. It isn't needed for reverse proxies.

In a forward proxy configuration, if you were to enable ProxyRequests without setting access restrictions (i.e., which hosts/networks are allowed to use the proxy) you could very easily wind up with an open proxy.

See the mod_proxy documentation for more info.

Bill B answered Oct 02 '22 00:10
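The two setups the answer above distinguishes, written out as an added example (not part of the original answer), assuming Apache 2.4 authorization syntax. The backend host, the /api/ path and the 192.0.2.0/24 network are placeholders.

```apache
# Reverse proxy, which is all ProxyPass needs.
# Forward proxying stays disabled, so the server cannot be used
# to relay requests to arbitrary hosts.
ProxyRequests Off

# Only this one path is relayed, and only to this one backend.
# backend.example.internal:8080 and /api/ are placeholder values.
ProxyPass        "/api/" "http://backend.example.internal:8080/"
ProxyPassReverse "/api/" "http://backend.example.internal:8080/"

# Forward proxy, weak form (shown commented out):
# every client is authorized to proxy to any destination.
# This is the open-proxy case.
#
# ProxyRequests On
# <Proxy "*">
#     Require all granted
# </Proxy>

# Forward proxy, restricted form (shown commented out):
# only clients on the listed network may use the proxy.
# 192.0.2.0/24 is a placeholder network.
#
# ProxyRequests On
# <Proxy "*">
#     Require ip 192.0.2.0/24
# </Proxy>
```

The ProxyPass lines need mod_proxy and mod_proxy_http loaded; `apachectl configtest` checks the syntax before a reload.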


Just make sure to set ProxyRequests to Off:

This prevents Apache from acting as a forward proxy server (which is where the concern about an open proxy comes in), but does not affect its use as a reverse proxy using ProxyPass.

alasdairg answered Oct 01 '22 23:10