Apache allowing foreign server access without mod_proxy?

tomsky · n00b Joined: 19 Apr 2016 Posts: 11

I recently upgraded to apache 2.4, and noticed my apache server is being used as a proxy server - even without mod_proxy being installed or enabled - it's a vanilla gentoo apache setup.

According to the apache wiki on proxy abuse, not having mod_proxy enabled should suffice to prevent the server allowing requests to access foreign servers through it?

Syl20 · l33t Joined: 04 Aug 2005 Posts: 619 Location: France

Are you sure there are no proxy modules enabled (run apache -M to ensure that) ?
Could you post more details from your installation (emerge --info, /etc/conf.d/apache, virtualhosts configuration, and generally what you changed on the config files, some logs if you have...) ?

tomsky · n00b Joined: 19 Apr 2016 Posts: 11

Here is some information I've compiled.

/usr/sbin/apache2 -M :

Loaded Modules:
core_module (static)
so_module (static)
http_module (static)
mpm_prefork_module (static)
actions_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_anon_module (shared)
authn_core_module (shared)
authn_dbm_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_dbm_module (shared)
authz_groupfile_module (shared)
authz_host_module (shared)
authz_owner_module (shared)
authz_user_module (shared)
autoindex_module (shared)
cgi_module (shared)
cgid_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
expires_module (shared)
ext_filter_module (shared)
filter_module (shared)
headers_module (shared)
include_module (shared)
log_config_module (shared)
logio_module (shared)
mime_module (shared)
mime_magic_module (shared)
negotiation_module (shared)
rewrite_module (shared)
setenvif_module (shared)
speling_module (shared)
unique_id_module (shared)
unixd_module (shared)
usertrack_module (shared)
vhost_alias_module (shared)

I told a lie about it being a vanilla setup - I had mod_wsgi installed additionally (which comes in a separate emerge package - although for some reason that doesn't show when I run apache -M, and I had to disable wsgi related directives in my config files to get apache -M to run, as those directives appear to be related to a "module not included in the server configuration")

The only change to /etc/conf.d/apache is the opts to include wsgi

APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D SSL -D SSL_DEFAULT_VHOST -D LANGUAGE -D WSGI"

As for apache vhost config files, nothing of significance was changed from the default configuration, except to add a non default vhost with a WSGIScriptAlias from / to /var/www/....../wsgi.py in my deployed source. I can send more details if you require?

Here are some logs of my connecting via my apache server to a foreign address:

(I've x.x.x.x'd the various origin ip addresses out)

x.x.x.x - - [18/Apr/2016:02:38:45 +0100] "GET https://m.baidu.com/ HTTP/1.1" 200 45
...
127.0.0.1 - - [18/Apr/2016:15:16:56 +0100] "GET http://www.google.com/ HTTP/1.1" 200 45
x.x.x.x - - [18/Apr/2016:19:49:08 +0100] "GET http://www.google.com/ HTTP/1.1" 200 45

The first log is where I spotted the issue - someone using it as a proxy. I then tried it myself from the server machine itself, and from another machine I own.

Here's the output of --info:

Portage 2.2.26 (python 2.7.10-final-0, default/linux/amd64/13.0, gcc-4.9.3, glibc-2.22-r4, 4.1.15-gentoo-r1 x86_64)
=================================================================
System uname: Linux-4.1.15-gentoo-r1-x86_64-QEMU_Virtual_CPU_version_1.7.1-with-gentoo-2.2
KiB Mem: 1017752 total, 109848 free
KiB Swap: 524284 total, 320740 free
Timestamp of repository gentoo: Mon, 18 Apr 2016 18:30:01 +0000
sh bash 4.3_p42-r1
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
app-shells/bash: 4.3_p42-r1::gentoo
dev-lang/perl: 5.20.2::gentoo
dev-lang/python: 2.7.10-r1::gentoo, 3.4.3-r1::gentoo
dev-util/cmake: 3.3.1-r1::gentoo
dev-util/pkgconfig: 0.28-r2::gentoo
sys-apps/baselayout: 2.2::gentoo
sys-apps/openrc: 0.19.1::gentoo
sys-apps/sandbox: 2.10-r1::gentoo
sys-devel/autoconf: 2.69::gentoo
sys-devel/automake: 1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils: 2.25.1-r1::gentoo
sys-devel/gcc: 4.9.3::gentoo
sys-devel/gcc-config: 1.7.3::gentoo
sys-devel/libtool: 2.4.6::gentoo
sys-devel/make: 4.1-r1::gentoo
sys-kernel/linux-headers: 4.3::gentoo (virtual/os-headers)
sys-libs/glibc: 2.22-r4::gentoo
Repositories:

gentoo
location: /usr/portage
sync-type: rsync
sync-uri: rsync://rsync.gentoo.org/gentoo-portage
priority: -1000

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
LANG="en_GB.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
USE="acl amd64 berkdb bindist bzip2 cli cracklib crypt cxx dri fortran gdbm iconv ipv6 mmx mmxext modules multilib ncurses nls nptl openmp pam pcre readline seccomp session sse sse2 ssl tcpd unicode xattr zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext popcnt sse sse2 sse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby20 ruby21" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

And for apache:

www-servers/apache-2.4.18::gentoo was built with the following:
USE="ssl -debug -doc -ldap (-libressl) (-selinux) -static -suexec -threads" ABI_X86="64" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_core authn_dbm authn_file authz_core authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir env expires ext_filter file_cache filter headers include info log_config logio mime mime_magic negotiation rewrite setenvif socache_shmcb speling status unique_id unixd userdir usertrack vhost_alias -access_compat -asis -auth_digest -authn_dbd -authz_dbd -cache_disk -cern_meta -charset_lite -dbd -dumpio -http2 -ident -imagemap -lbmethod_bybusyness -lbmethod_byrequests -lbmethod_bytraffic -lbmethod_heartbeat -log_forensic -macro -proxy -proxy_ajp -proxy_balancer -proxy_connect -proxy_fcgi -proxy_ftp -proxy_html -proxy_http -proxy_scgi -proxy_wstunnel -ratelimit -remoteip -reqtimeout -slotmem_shm -substitute -version" APACHE2_MPMS="-event -peruser -prefork -worker"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--no-as-needed"

Ant P. · Watchman Joined: 18 Apr 2009 Posts: 6920

And are the 45 byte responses coming from those remote sites, or from the index page of your default vhost?

tomsky · n00b Joined: 19 Apr 2016 Posts: 11

Thanks for pointing that out - yes, the response content is the index page of my default vhost - I should have realised when I checked the logs that 45 bytes was a small and constant value and actually checked the index.html that was downloaded with "http_proxy=<my_server_ip> wget www.google.com", etc. when I tested it.

So it looks like there has been no security issue after all. Although I'm surprised apache didn't respond with a 403 or some other status code?