# Apache2 acting as proxy?

## Souperman

Hi

There are several of the following lines in one of my Apache2 logs:

```
195.40.122.118 - - [15/Oct/2003:12:34:42 +0200] "CONNECT 195.40.122.120:51515 HTTP/1.0" 200 455 "-" "-"
```

195.40.122.118 is the open proxy testing bot used by a local IRC network and, as you can see, it has discovered that Apache2 is acting as a web proxy on my server. This in turn has earned a nice k:line on that IRC network. That doesn't really bother me; what bothers me is that my Apache2 is an open proxy. I tried commenting out the 4 proxy-related "LoadModule" lines in /etc/apache2/conf/apache2.conf and restarting Apache, but it's still doing it.

Any ideas?

----------

## devon

What about the mod_proxy settings in /etc/apache2/conf/commonapache2.conf? Have you checked those?

----------

## Souperman

All lines under conf/ which mention proxy are commented:

```
root@wizard[pts/0]:/etc/apache2/conf# grep -ir proxy *
apache2.conf:#LoadModule proxy_module                  modules/mod_proxy.so
apache2.conf:#LoadModule proxy_connect_module          modules/mod_proxy_connect.so
apache2.conf:#LoadModule proxy_ftp_module              modules/mod_proxy_ftp.so
apache2.conf:#LoadModule proxy_http_module             modules/mod_proxy_http.so
commonapache2.conf:### document that was negotiated on the basis of content. This asks proxy
commonapache2.conf:### Proxy Server directives. Uncomment the following lines to
commonapache2.conf:### enable the proxy server:
commonapache2.conf:#<IfModule mod_proxy.c>
commonapache2.conf:#    ProxyRequests On
commonapache2.conf:#    <Directory proxy:*>
commonapache2.conf:#   ProxyVia On
commonapache2.conf:# End of proxy directives.
```

Also, I've done some experimenting using telnet and I've noticed that what is served up by Apache isn't actually the requested URL (e.g. "CONNECT 1.2.3.4:321 HTTP/1.0" or "GET http://www.something.com/ HTTP/1.0"), but rather the default page of the default virtual host as defined on my server.

Does anyone have any idea?  I'm stumped.

----------

## Souperman

*bump*

----------

## SpinDizzy

Well, I just tried on my fairly unchanged Apache 2.0.47 and received a 405 error when I tried using CONNECT, so I'm unsure what you have changed.

You can explicitly prevent CONNECT with the <Limit> and <LimitExcept> rules; have a look in commonapache2.conf for an example (the example doesn't mention CONNECT, but you should get the idea).

----------

## Souperman

*SpinDizzy wrote:*

> Well, I just tried on my fairly unchanged Apache 2.0.47 and received a 405 error when I tried using CONNECT, so I'm unsure what you have changed.

That makes two of us. :Confused:

I'll replace my configs with the defaults and start over, testing the CONNECT all the way.

----------

## Souperman

OK, I've done some testing, now I need someone to explain what the hell is going on.

This is the basic Apache setup, I've changed very little, basically just the "ServerAdmin" e-mail address and added a few name-based virtual hosts:

```
root@wizard[pts/1]:/home/httpd/htdocs/toxicbunny# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
CONNECT 100.100.100.100:12345 HTTP/1.0

HTTP/1.1 405 Method Not Allowed
Date: Wed, 22 Oct 2003 10:46:53 GMT
Server: Apache/2.0.47 (Gentoo/Linux)
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method CONNECT is not allowed for the URL /.</p>
<hr />
<address>Apache/2.0.47 (Gentoo/Linux) Server at wizard.toxicbunny.net Port 80</address>
</body></html>
Connection closed by foreign host.
root@wizard[pts/1]:/home/httpd/htdocs/toxicbunny#
```

Perfect so far.

Now I enable PHP4 support:

```
root@wizard[pts/1]:/home/httpd/htdocs/toxicbunny# echo "APACHE2_OPTS=\"-D PHP4\"" >> /etc/conf.d/apache2
root@wizard[pts/1]:/home/httpd/htdocs/toxicbunny# /etc/init.d/apache2 restart
 * Stopping apache2...                                   [ ok ]
 * Starting apache2...                                   [ ok ]
root@wizard[pts/1]:/home/httpd/htdocs/toxicbunny#
```

Test it again:

```
root@wizard[pts/1]:/home/httpd/htdocs/toxicbunny# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
CONNECT 100.100.100.100:12345 HTTP/1.0

HTTP/1.1 405 Method Not Allowed
Date: Wed, 22 Oct 2003 10:50:09 GMT
Server: Apache/2.0.47 (Gentoo/Linux) PHP/4.3.3
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 340
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method CONNECT is not allowed for the URL /index.html.</p>
<hr />
<address>Apache/2.0.47 (Gentoo/Linux) PHP/4.3.3 Server at wizard.toxicbunny.net Port 80</address>
</body></html>
Connection closed by foreign host.
root@wizard[pts/1]:/home/httpd/htdocs/toxicbunny#
```

Still working as expected.

Now I renamed the index file (note that the file just contains "foo", not even anything special):

```
root@wizard[pts/1]:/home/httpd/htdocs/toxicbunny# mv index.html index.php
root@wizard[pts/1]:/home/httpd/htdocs/toxicbunny# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
CONNECT 100.100.100.100:12345 HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 22 Oct 2003 10:50:48 GMT
Server: Apache/2.0.47 (Gentoo/Linux) PHP/4.3.3
X-Powered-By: PHP/4.3.3
Connection: close
Content-Type: text/html; charset=ISO-8859-1

foo
Connection closed by foreign host.
root@wizard[pts/1]:/home/httpd/htdocs/toxicbunny#
```

Anyone care to explain why?   :Evil or Very Mad: 

EDIT:

I've been able to reproduce the same effect on a Slackware 9 box running Apache 1.3.27/PHP 4.3.1, so I guess it's not a Gentoo bug.

Can anyone confirm if this is expected behaviour or is it a possible bug in Apache or PHP?

----------

## yhirmikq

Hi,

seems quite strange. Why does Apache try "/" when I use a prohibited method?

With my Debian there is simply a "You don't have permission to access / on this server." when I try the CONNECT. That is not what one would expect, is it?

My Gentoo does "The requested method CONNECT is not allowed for the URL /index.html.en.", but I did not mention /index.html.en at all, I tried to connect to 100.100.100.100:12345.

- Sebastian

----------

## Souperman

*bump*

Can anyone else confirm the above weirdness?

Summary: Apache returns a "405 method not allowed" error when attempting a (for example) "CONNECT 1.2.3.4:1234" request, unless the default page happens to be a PHP script, then it serves the contents of the default page.

(I hope that made sense)
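As an added example (not from this thread), a small Python script that pulls proxy-style requests out of an Apache access log in the combined format shown in the posts above: CONNECT requests, GETs with an absolute URI, and malformed request lines, and counts which of them were answered 200, the behaviour summarised above. The sample log is constructed; its first two lines are copied from posts in this thread, the rest are made up.

```python
import re
from collections import Counter

# Constructed sample in Apache combined log format. The first two lines are
# copied from this thread; the remaining three are made up for contrast.
SAMPLE_LOG = """\
195.40.122.118 - - [15/Oct/2003:12:34:42 +0200] "CONNECT 195.40.122.120:51515 HTTP/1.0" 200 455 "-" "-"
127.0.0.1 - - [15/Apr/2004:15:33:11 +0100] "junkjunkjunk" 200 5021 "-" "-"
10.0.0.5 - - [22/Oct/2003:10:46:53 +0200] "CONNECT 100.100.100.100:12345 HTTP/1.0" 405 320 "-" "-"
10.0.0.6 - - [08/Feb/2004:23:32:59 +0000] "GET http://slashdot.org:1080/ HTTP/1.0" 200 437 "-" "-"
10.0.0.7 - - [08/Feb/2004:23:33:10 +0000] "GET /index.html HTTP/1.1" 200 437 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
ABSOLUTE_URI = re.compile(r'^[a-zA-Z][a-zA-Z0-9+.-]*://')   # "GET http://host/..." form


def classify(request_line):
    """Return 'connect', 'absolute-uri', 'malformed' or 'normal' for one request line."""
    parts = request_line.split(' ')
    if len(parts) != 3 or not parts[2].startswith('HTTP/'):
        return 'malformed'        # e.g. "junkjunkjunk" from alexf's log
    method, target, _version = parts
    if method.upper() == 'CONNECT':
        return 'connect'          # tunnel request: only a proxy should honour it
    if ABSOLUTE_URI.match(target):
        return 'absolute-uri'     # proxy-style GET aimed at another host
    return 'normal'


def find_proxy_probes(log_text):
    """Return (ip, kind, status, request) for every line that is not a normal origin request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue              # not combined-format; skip rather than guess
        kind = classify(m['req'])
        if kind != 'normal':
            hits.append((m['ip'], kind, int(m['status']), m['req']))
    return hits


def answered_ok(hits):
    """Count probe kinds that got HTTP 200: a 405 or 403 is the healthy answer,
    a 200 is what gets the host listed as an open proxy even if nothing was relayed."""
    return Counter(kind for _ip, kind, status, _req in hits if status == 200)
```

Feed `find_proxy_probes` the text of a real access log and anything reported by `answered_ok` is a request the server accepted that a scanner would count as proxying, whether or not it relayed anything.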

----------

## Souperman

Nobody?  I want to file a bug but I'm not even sure what the expected behaviour is.   :Rolling Eyes: 

----------

## sapphirecat

An old topic, but exactly what I need.... now if only there was an answer.

When I was running HTTP-only, I saw Freenode's scanner do a GET-based proxy request, which Apache gave 200 for. However, Freenode had asked for a strange port, so iptables blocked and logged Apache's connection requests. Yet Apache would still try, even after disabling all the proxy modules. Between that and IIS scans, I moved it to a random port...

I currently have self-signed SSL and vanilla HTTP, using Gentoo's vhost setup for it. Which is a very nice setup, by the way.  :Very Happy:  So let's get testing:

```
GET http://slashdot.org:1080/ HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 08 Feb 2004 23:32:59 GMT
Server: Apache/2.0.48 (Gentoo/Linux)
Last-Modified: Tue, 25 Nov 2003 04:48:23 GMT
ETag: "39c937-1b5-4094b3c0"
Accept-Ranges: bytes
Content-Length: 437
Connection: close
Content-Type: text/html; charset=ISO-8859-1
```

Then the body of my own /index.html follows.

If I had to guess right now, I'd call it an Apache bug, since it's not properly recognizing proxy requests. Even though the vhost setup treats unrecognized vhost names as the default, the "http://" clearly notes that this is not a vhost request.

Any solutions out there yet?

----------

## mgirard

In order to stop my webserver from replying to these types of requests with the body of my index.html I do the following:

```
# Host header is not my hostname (case-insensitive match) ...
RewriteCond %{HTTP_HOST} !^fully\.qualified\.host [NC]
# ... and is not simply absent (HTTP/1.0 clients send none)
RewriteCond %{HTTP_HOST} !^$
# ... then answer 403 Forbidden instead of serving the default page
RewriteRule ^(.*) $1 [F]
```

This basically breaks down to, "if you are not making a request of my hostname then I'm going to rewrite your request as forbidden". It's not really a security thing; it's just to keep all the cruft out of my webserver statistics (http://awstats.sourceforge.net/).

----------

## alexf

Nothing more than a 'Me Too' on this I'm afraid  :Wink: 

Running Apache2 and mod_php from x86 stable.

Apache seems to serve up the default page in this situation, and when it receives junk requests:

```
Trying 127.0.0.1...
Connected to xxx.xxx.
Escape character is '^]'.
junkjunkjunk
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
...rest of index.php
```

The log file shows:

```
127.0.0.1 - - [15/Apr/2004:15:33:11 +0100] "junkjunkjunk" 200 5021 "-" "-"
```

----------

## alexf

Bit of an update:

tcpdump doesn't show any packets sent from apache, so I guess it's not as bad as I'd thought  :Wink: 

----------

## Souperman

/me thinks it's time I paid bugzilla a visit.   :Confused: 

----------

## Souperman

*alexf wrote:*

> Bit of an update:
>
> tcpdump doesn't show any packets sent from apache, so I guess it's not as bad as I'd thought

Errr... how exactly is that possible? :Shocked:

----------

## alexf

Sorry about the delay in this - notifications failed me :Wink:

I captured packets to / from eth0 while I did a CONNECT request from outside, and although the server returned HTTP 200 and spat out the homepage, no packets were actually sent to the target of the CONNECT (I am reading proxy the right way here, aren't I?). Presumably if it were actually acting as a proxy it would try and connect to the someone.somewhere.com specified in the CONNECT line?

Let me know if you need any more info.

Alex

----------

