
ProxyAbuse

Date: 2007-07-11

Source: opbsder


Why do I see requests for foreign sites appearing in my log files?

An access_log entry showing this situation could look like this:

63.251.56.142 - - [25/Jul/2002:12:48:04 -0700] "GET http://www.yahoo.com/ HTTP/1.0" 200 1456 

This is usually the result of malicious clients trying to exploit open proxy servers to access a website without revealing their true location.

They could be doing this to manipulate pay-per-click ad systems, to add comment or link spam to someone else's site, or just to do something nasty without being detected.

It is important to prevent your server from being used as an open proxy to abuse other sites.

How can I prevent these requests from accessing the foreign server through my server?

First, if you don't need to run a proxy server, disable mod_proxy by commenting out its LoadModule line or setting ProxyRequests off in httpd.conf.

Remember that disabling ProxyRequests does not prevent you from using a reverse proxy with the ProxyPass directive.

If you do need to have Apache act as a proxy server, be sure to secure your server by restricting access with a <Proxy> section in httpd.conf.

My server is properly configured not to proxy, so why is Apache returning a 200 (Success) status code?

That status code indicates that Apache successfully sent a response to the client, but not necessarily that the response was retrieved from the foreign website.

RFC 2616 section 5.1.2 mandates that Apache must accept requests with absolute URLs in the request-URI, even for non-proxy requests. This means that even when proxying is turned off, Apache will accept requests that look like proxy requests.

But instead of retrieving the content from the foreign site, Apache will serve the content at the corresponding location on your website.

Since the hostname probably doesn't match a name for your site, Apache will look for the content on your default host.

In the above example, since www.yahoo.com is obviously not a valid virtual host on your system, Apache will serve the homepage content from your default (virtual) host. The size of the response (1456 in the above example) can be compared to the size of the corresponding page on your default site to confirm that the response was served locally and no proxying was involved.

But how can I be really sure that I am not allowing the abuse of other sites?

You can try to use your server as a proxy yourself to access other sites and make sure that you get either a failure, or local content from your site. Among the ways to do this:

  1. Configure your browser to use your web server as its default proxy server and then try to request foreign sites. You should get only your own website content back in reply.

  2. Manually construct requests using telnet:

     telnet yoursite.example.com 80
     GET http://www.yahoo.com/ HTTP/1.1
     Host: www.yahoo.com

Then press enter twice. If your server is properly configured, you should receive content from your own site and not Yahoo.

What about these strange CONNECT requests?

A variant of this problem is an access_log entry that looks like this:

63.251.56.142 - - [25/Jul/2002:12:48:04 -0700] "CONNECT smtp.example.com:25 HTTP/1.0" 200 1456 

The CONNECT method is usually used to tunnel SSL requests through proxies. But in this case, port 25 on the target shows us that someone is attempting to use our HTTP proxy to send mail (probably spam) to a foreign site.

Everything mentioned above applies equally to this case. But normally, as long as the proxy is disabled, Apache would respond to such requests with status code 405 (Method not allowed). The fact that a success status code is returned indicates that a third-party module is processing the CONNECT requests. The most likely culprit is php, which in its default configuration will accept all methods and treat them identically.

This isn't inherently a problem since php will handle the request locally and will not proxy to the foreign host. But it is still a good idea to configure php to accept only specific methods (using the php configuration setting http.allowed_methods) or have your php script reject requests for non-standard methods.
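The two checks described above, comparing the bytes sent for an absolute-URL GET against the size of the same page on your default host, and expecting a 405 for CONNECT when mod_proxy is off, as a small access_log triage script. This is an added example, not part of the original FAQ; the sample log lines beyond the FAQ's two entries and the 1456-byte home page size are constructed.

```python
import re

# Common Log Format; the request line is split into method, URI and protocol.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<uri>\S+) [^"]+" (?P<status>\d{3}) (?P<bytes>\d+|-)$')

def parse(line):
    m = LOG_RE.match(line.rstrip())
    return m.groupdict() if m else None

def is_proxy_style(e):
    # Absolute URL in the request-URI (RFC 2616 5.1.2) or a CONNECT tunnel request.
    return e["method"] == "CONNECT" or e["uri"].lower().startswith(("http://", "https://"))

def triage(e, local_sizes):
    # local_sizes: byte size of each path the default host serves, e.g. {"/": 1456}.
    if not is_proxy_style(e):
        return None
    status = int(e["status"])
    size = int(e["bytes"]) if e["bytes"] != "-" else 0
    if e["method"] == "CONNECT":
        # With mod_proxy off Apache answers CONNECT with 405; a 2xx means some other
        # module (the FAQ names php) handled it, so check that nothing tunnelled.
        return "connect-rejected" if status == 405 else "connect-handled-check-modules"
    if status in (403, 405):
        return "rejected"
    if status == 200:
        path = re.sub(r"^https?://[^/]+", "", e["uri"], flags=re.I) or "/"
        # The FAQ's check: bytes sent should equal the same page on the default host.
        return "served-locally" if local_sizes.get(path) == size else "size-mismatch-investigate"
    return "other"

def triage_log(text, local_sizes):
    out = []
    for line in text.splitlines():
        e = parse(line)
        v = triage(e, local_sizes) if e else None
        if v:
            out.append((e["ip"], e["method"], e["uri"], v))
    return out

# Constructed sample log; the first two lines are the FAQ's own examples.
SAMPLE_LOG = """\
63.251.56.142 - - [25/Jul/2002:12:48:04 -0700] "GET http://www.yahoo.com/ HTTP/1.0" 200 1456
63.251.56.142 - - [25/Jul/2002:12:48:04 -0700] "CONNECT smtp.example.com:25 HTTP/1.0" 200 1456
10.0.0.7 - - [25/Jul/2002:12:49:00 -0700] "GET /index.html HTTP/1.1" 200 1456
198.51.100.9 - - [25/Jul/2002:12:50:11 -0700] "GET http://www.yahoo.com/ HTTP/1.0" 200 98213
198.51.100.9 - - [25/Jul/2002:12:51:30 -0700] "CONNECT smtp.example.com:25 HTTP/1.0" 405 319
"""
```

Run it with `triage_log(SAMPLE_LOG, {"/": 1456})`; only proxy-style requests come back, and a size mismatch on a 200 is the line worth comparing by hand against your default host before concluding no proxying took place.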

I don't like the idea of my server responding to requests for random hostnames, even if it serves local content. How can I deny these requests?

You can configure Apache to deny access to any host that isn't specifically configured by setting up a default virtual host:

     NameVirtualHost *:80

     <VirtualHost *:80>
         ServerName default.only
         <Location />
             Order allow,deny
             Deny from all
         </Location>
     </VirtualHost>

     <VirtualHost *:80>
         ServerName realhost1.example.com
         ServerAlias alias1.example.com alias2.example.com
         DocumentRoot /path/to/site1
     </VirtualHost>

See also the Canonical Hostname recipe.

Can't I just drop these requests entirely?

Apache is an HTTP server and responds to HTTP requests with HTTP responses. It does not simply drop requests on the floor, since this would make it difficult to debug problems with client-server interactions.

If you really want to send no response at all, the third-party module mod_security is able to drop requests. But the savings in resource usage will be minuscule.

Unfortunately, even if your server is properly configured, you may see this type of exploit attempt recur. Since the offending client is usually itself a compromised computer (or a botnet), there is little that can be done to stop them beyond assuring that your site does not act as an open proxy.
