Configuring mod_proxy for Apache to reject wrong domain requests

六眼飞鱼酱① submitted on 2019-12-11 02:05:01

Question


Recently, I noticed my website was running slower and slower. I discovered 8 GB of Apache logs on my server (I run a Play!Framework web application on a Debian 6 server) and completely overloaded bandwidth, which was completely insane for a small personal website with a few views per day.

After investigating and gathering some information, I discovered my mistake: in my Apache configuration, I had uncommented the line "ProxyRequests On", so my server was freely used as a free proxy for everybody in the world. What a shame.

At least in that time, I adjusted my firewall to limit concurrent connections, and installed mod_qos for Apache2.

But still, now instead of redirecting requests to their destination like a good free proxy, all incoming requests are redirected to my web application, whatever the domain is. For example if someone uses my server thinking it is still a working proxy to search for "young naked children" on yahoo, he will fall on my website. I think now you see my point.

Then, what should I do so that if a request for "http://yahoo.com/whatever" is sent to my server, the request is simply denied?

Here is my current configuration:

  • in /etc/init.d/apache2/sites-available/mysite.fr:

    ProxyRequests Off
    NameVirtualHost *:80
    
    <VirtualHost *:80>
    
         ServerName mysite.fr
         ServerAlias *.mysite.fr
    
         ProxyPreserveHost On
         ProxyPass / http://127.0.0.1:9000/ retry=0
         ProxyPassReverse / http://127.0.0.1:9000/
    
         # Uncomment the line below if your site uses SSL.
         #SSLProxyEngine On
    </VirtualHost>
    
  • in /etc/init.d/apache2/mods-available/proxy.conf:

    ProxyRequests Off
    <Proxy *>
    
        AddDefaultCharset off
        Order deny,allow
        Allow from all
    </Proxy>
    

Answer 1:


I found a solution some months ago and just realized I forgot to share what I found:

I added a "trash can" virtual host to my Apache2 configuration (declared first in httpd.conf):

    <VirtualHost *:80>
        ServerName stop.spam
        DocumentRoot /var/www/stopspam
        ErrorLog /dev/null
        <Directory /var/www/stopspam>
            Deny from all
        </Directory>
    </VirtualHost>

And added this to my firewall configuration:

    iptables -I INPUT -d XXX.XXX.XXX.XXX -p tcp --dport 80 -m string --to 700 \
    --algo bm --string 'Host: XXX.XXX.XXX.XXX' -j DROP

This makes the firewall drop requests on port 80 which are sent using my server IP instead of a domain name.

Hope this may help someone else :)
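
Added example, not part of the original answer: a small Python audit of an Apache access log that checks whether proxy-style requests such as `GET http://yahoo.com/whatever` are still being served after a change like the one above. It assumes the common/combined log format; `mysite.fr` comes from the question, while the function names and sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

OWN_SUFFIX = "mysite.fr"  # assumption: ServerName/ServerAlias from the question
# Common/combined log format: client ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')

def is_own_host(host):
    host = (host or "").lower().rstrip(".")
    return host == OWN_SUFFIX or host.endswith("." + OWN_SUFFIX)

def classify(request_line):
    """Return 'connect', 'foreign-absolute-uri' or None for a logged request line."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        return "connect"
    if target.lower().startswith(("http://", "https://")):
        try:
            host = urlsplit(target).hostname
        except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
            host = None
        return None if is_own_host(host) else "foreign-absolute-uri"
    return None

def audit(lines):
    """Count proxy-style requests by (kind, served); served means status 2xx/3xx."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        kind = classify(m.group(2)) if m else None
        if kind:
            counts[(kind, m.group(3)[0] in "23")] += 1
    return counts

# Constructed sample lines (documentation IP ranges), not taken from the original post.
SAMPLE = [
    '203.0.113.7 - - [11/Sep/2012:10:00:01 +0200] "GET http://yahoo.com/whatever HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [11/Sep/2012:10:00:02 +0200] "CONNECT mail.example.net:25 HTTP/1.0" 403 202 "-" "-"',
    '198.51.100.4 - - [11/Sep/2012:10:00:03 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "-"',
    '198.51.100.9 - - [11/Sep/2012:10:00:04 +0200] "GET http://www.mysite.fr/ HTTP/1.1" 200 1043 "-" "-"',
    '203.0.113.8 - - [11/Sep/2012:10:00:05 +0200] "GET http://yahoo.com/ HTTP/1.1" 403 202 "-" "-"',
]

if __name__ == "__main__":
    for (kind, served), n in sorted(audit(SAMPLE).items()):
        print(f"{kind:22} {'SERVED' if served else 'denied'} {n}")
```

Any count reported as SERVED means foreign-domain requests are still reaching the application; with the catch-all virtual host in place they should all show as denied.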



Source: https://stackoverflow.com/questions/12407209/configuring-mod-proxy-for-apache-to-reject-wrong-domain-requests
