Question
Recently, I noticed my website was running slower and slower. I discovered 8 GB of Apache logs on my server (I run a Play!Framework web application on a Debian 6 server) and my bandwidth completely overloaded, which was completely insane for a small personal website with a few views per day.
After investigating and gathering some information, I discovered my mistake: in my Apache configuration, I had uncommented the line "ProxyRequests On", so my server was freely used as a free proxy for everybody in the world. What a shame.
At least in that time, I adjusted my firewall to limit concurrent connections, and installed mod_qos for Apache2.
But still, now instead of redirecting requests to their destination like a good free proxy, all incoming requests are redirected to my web application, whatever the domain is. For example if someone uses my server thinking it is still a working proxy to search for "young naked children" on yahoo, he will fall on my website. I think now you see my point.
Then, what should I do so that if a request for "http://yahoo.com/whatever" is sent to my server, the request is simply denied?
Here is my current configuration:
In /etc/init.d/apache2/sites-available/mysite.fr:
ProxyRequests Off
NameVirtualHost *:80
<VirtualHost *:80>
ServerName mysite.fr
ServerAlias *.mysite.fr
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:9000/ retry=0
ProxyPassReverse / http://127.0.0.1:9000
# Uncomment the line below if your site uses SSL.
#SSLProxyEngine On
</VirtualHost>
In /etc/init.d/apache2/mods-available/proxy.conf:
ProxyRequests Off
<Proxy *>
AddDefaultCharset off
Order deny,allow
Allow from all
</Proxy>
Answer 1:
I found a solution some months ago and just realized I forgot to share what I found:
I added a "trash can" virtual host to my Apache2 configuration (declared first in httpd.conf):
<VirtualHost *:80>
ServerName stop.spam
DocumentRoot /var/www/stopspam
ErrorLog /dev/null
<Directory /var/www/stopspam>
Deny from all
</Directory>
</VirtualHost>
And added this to my firewall configuration:
iptables -I INPUT -d XXX.XXX.XXX.XXX -p tcp --dport 80 -m string --to 700 \
--algo bm --string 'Host: XXX.XXX.XXX.XXX' -j DROP
This makes the firewall drop requests on port 80 which are sent using my server IP instead of a domain name.
Hope this may help someone else :)
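An added example, not part of the original question or answer: a Python check over the Apache access log that counts forward-proxy style requests (an absolute URL for a foreign host, or CONNECT) by response status and by client, to see whether they are still being answered. It assumes Apache's common/combined log format; the function names are this example's own and the log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

OWN_DOMAIN = "mysite.fr"  # the site from the question; its subdomains count as ours
# Apache common/combined log line: client ident user [time] "request" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" (\d{3}) ')

def is_own_host(host):
    host = (host or "").lower().rstrip(".")
    return host == OWN_DOMAIN or host.endswith("." + OWN_DOMAIN)

def classify(request_line):
    """Return 'proxy' for a forward-proxy style request line, else 'normal'."""
    parts = request_line.split()
    if len(parts) < 2:
        return "normal"  # empty or malformed request line
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        return "proxy"  # tunnel request such as CONNECT host:443
    if target.lower().startswith(("http://", "https://")):
        try:
            host = urlsplit(target).hostname
        except ValueError:
            return "proxy"  # unparsable absolute URL, still not a normal request
        return "normal" if is_own_host(host) else "proxy"
    return "normal"  # origin-form target such as /index.html

def summarize(lines):
    """Count proxy-style requests by response status and by client address."""
    by_status, by_client = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and classify(m.group(2)) == "proxy":
            by_status[m.group(3)] += 1
            by_client[m.group(1)] += 1
    return by_status, by_client

# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Sep/2012:10:00:01 +0200] "GET http://yahoo.com/whatever HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Sep/2012:10:00:02 +0200] "CONNECT example.com:443 HTTP/1.1" 403 210',
    '198.51.100.23 - - [12/Sep/2012:10:00:03 +0200] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.23 - - [12/Sep/2012:10:00:04 +0200] "GET http://www.mysite.fr/ HTTP/1.1" 200 1043',
    '192.0.2.99 - - [12/Sep/2012:10:00:05 +0200] "GET http://example.org/ HTTP/1.0" 403 210',
]

if __name__ == "__main__":
    statuses, clients = summarize(SAMPLE_LOG)
    print("proxy-style requests by status:", dict(statuses))
    print("top clients:", clients.most_common(3))
```

A 2xx status on such a line means the request was still answered with content; a 403 means it was refused.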
Source: https://stackoverflow.com/questions/12407209/configuring-mod-proxy-for-apache-to-reject-wrong-domain-requests