[Zope] apache open proxy configuration problem

Ed Colmar ed at greengraphics.net
Wed Dec 21 18:09:14 EST 2005


Hey All..

I'm following up on this thread after lots of different configuration 
attempts, reinstalling apache2 from source, more configuration attempts, 
banging my head against the wall, and endless troubleshooting..  
Unfortunately I am still failing to configure this correctly.

Thankfully the people using my apache as an open proxy are so relentless 
I only need to start apache for a few seconds to determine if the proxy 
is still open or not...

So...  I've made quite a bit of progress, but I am still at a loss to 
understand what is going on here....   Possibly this is a question for 
the apache forum, but I figured some of my fellow zope users might be 
able to help, since all I'm using apache for is to rewrite for zope, and 
log access.

I have cleaned up my virtual host directive to only use a single Rewrite 
Rule (which works):
RewriteRule ^/(.*) http://192.168.1.32:8080/VirtualHostBase/http/www.myserver.net:80/myfolder/$1 [L,P]

Still the proxy was open and under attack.

I turned off mod_proxy and related proxy modules...  But...  The P flag 
in the RewriteRule uses the proxy module though, so the rewrite did not 
work.

I tried removing the P flag, and it does redirect to the appropriate 
page, but does not rewrite the URL correctly.

I have tried using all of the following (inside the virtualhost 
directive, outside of it, and both) to disable the open proxy...  none 
of which have any effect:

<Directory proxy:*>
Order Deny,Allow
Deny from all
Allow from www.myserver.net
</Directory>

ProxyRequests Off

I attempted to use

ProxyBlock *

Which was effective, but also killed the rewrite rule.

Can anyone offer me a decisive way to kill off this open proxy?

I'm getting so frustrated with it I'm considering just ditching apache 
entirely and running zope on port 80.  Of course this would mean no 
virtual hosts, but I can live with that in this case.

Please help!

Thanks!

-ed

Kanealii, Priam Mr KRS wrote:

> I abandoned mod_proxy for mod_rewrite. Security-wise, mod_rewrite had
> less to worry about (this is important when website administration
> changes hands).
>
> The sample configuration below shows how to handle Zope resource
> quirks and how to proxy requests to and from folders in Zope (both
> tested). The last rule is my guess at what "proxy everything to and
> from Zope" would look like (untested). Apache is listening on 80 and
> routes requests to a Zope instance listening on 8080.
>
> <IfModule mod_rewrite.c>
>
>     RewriteEngine On
>     RewriteLog "/path/to/rewrite_log"
>
>     # Zope serves some system-ish content from p_ and misc_.
>     RewriteRule ^/p_(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/p_$1 [L,P]
>     RewriteRule ^/misc_(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/misc_$1 [L,P]
>
>     # Apache folders served by Zope folders.
>     RewriteRule ^/folder1(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/folder1$1 [L,P]
>     RewriteRule ^/folder2(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/folder2$1 [L,P]
>
>     # Push everything to Zope?
>     RewriteRule ^(.*) http://127.0.0.1:8080/VirtualHostBase/http/%{HTTP_HOST}/VirtualHostRoot/$1 [L,P]
>
> </IfModule>
>
> Aloha,
> Priam
>
> -----Original Message-----
> From: zope-bounces at zope.org [mailto:zope-bounces at zope.org] On Behalf 
> Of Ed Colmar
> Sent: Saturday, October 15, 2005 9:19 AM
> To: zope at zope.org
> Subject: [Zope] apache open proxy configuration problem
>
> I've been running zope through apache for years and years now, and I
> have a new machine set up with apache 2.0.48 and zope (Zope 2.8.0-final,
> python 2.3.5, linux2)
>
> Using Identical Vhost configuration settings from an old machine all has
> been well, up until about 5 days ago, when I noticed the machine getting
> slammed, and weird logs started showing up like:
>
> xxx.xxx.xxx.xxx - - [14/Oct/2005:14:09:06 -0700] "GET http://partners.mygeek.com:80/search.jsp?partnerid=98885&pagesize=12 HTTP/1.1" 403 406
>
> (IP removed to protect the guilty)
>
> In my quick research to try to determine the problem, I found people
> advising to turn "ProxyRequests Off", which I did, but did not have any
> effect.
>
> Luckily this is just a development server, not a live production server,
> so it's not super critical, but I'm nervous now that my production server
> might be in the same state...
>
> Here is a sample vhost.conf entry:
>
> NameVirtualHost 192.168.1.32
> <VirtualHost 192.168.1.32>
> ServerName www.greengraphics.net
> ServerPath /var/www/greengraphics/www
> DocumentRoot /var/www/greengraphics/www
> ServerAdmin webmaster
> RewriteEngine On
> TransferLog logs/Vhost-greengraphics-access.log
> ProxyRequests Off
>         <Proxy *>
>                 Order deny,allow
>                 Allow from all
>         </Proxy>
> ProxyPass / http://192.168.1.32:8080/VirtualHostBase/http/www.greengraphics.net:80/greengraphics/VirtualHostRoot/
> ProxyPassReverse / http://192.168.1.32:8080/VirtualHostBase/http/www.greengraphics.net:80/greengraphics/VirtualHostRoot/
>
> </VirtualHost>
>
>
>
> mod_proxy.conf looks like:
>
>
>
>
> <IfDefine HAVE_PROXY>
>   <IfModule !mod_proxy.c>
>     LoadModule proxy_module             modules/mod_proxy.so
>     #LoadModule proxy_connect_module    modules/mod_proxy_connect.so
>     #LoadModule proxy_ftp_module        modules/mod_proxy_ftp.so
>     LoadModule proxy_http_module        modules/mod_proxy_http.so
>   </IfModule>
> </IfDefine>
>
> <IfModule mod_proxy.c>
>
> #
> # Proxy Server directives. Uncomment the following lines to
> # enable the proxy server:
> #
>
> ProxyRequests Off
>
> <Proxy *>
>     Order deny,allow
>     Deny from all
> #    Allow from .your-domain.com
> </Proxy>
>
> #
> # Enable/disable the handling of HTTP/1.1 "Via:" headers.
> # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
> # Set to one of: Off | On | Full | Block
> #
>
> ProxyVia On
>
> # End of proxy directives.
>
> </IfModule>
>
>
> any suggestions?  places to look to verify security?
>
> Thanks!
>
> -ed


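Added example (not part of the original messages): a small Python triage of access-log lines like the one quoted above. It separates forward-proxy attempts that Apache refused (4xx/5xx, like the 403 in the quoted entry) from attempts that got a non-error status, which were either relayed or answered from the local site and need a closer look. `OWN_HOSTS`, the function names and every sample line except the first are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hostnames this Apache really serves (ServerName values in the thread).
OWN_HOSTS = {"www.greengraphics.net", "www.myserver.net"}

# Common Log Format; only the request line and the status are captured.
CLF = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})\b')

def classify(line, own_hosts=OWN_HOSTS):
    """Return (verdict, requested_host) for one access-log line."""
    m = CLF.match(line)
    parts = m.group(1).split() if m else []
    if len(parts) < 2:
        return ("unparsed", None)
    method, target, status = parts[0].upper(), parts[1], int(m.group(2))
    if method == "CONNECT":            # authority-form target: host:port
        host = target.rsplit(":", 1)[0].lower()
    elif target.startswith("/") or "://" not in target:
        return ("normal", None)        # origin-form: an ordinary request
    else:                              # absolute-form target: scheme://host/path
        host = (urlsplit(target).hostname or "").lower()
    if host in own_hosts:
        return ("normal", host)
    # A foreign host in the request line means a forward-proxy attempt.
    if status >= 400:
        return ("proxy_attempt_refused", host)
    return ("proxy_attempt_needs_review", host)

def summarize(lines):
    """Count verdicts over many log lines."""
    counts = {}
    for line in lines:
        verdict = classify(line)[0]
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# First line is the entry quoted in the thread; the rest are constructed samples.
SAMPLE = [
    'xxx.xxx.xxx.xxx - - [14/Oct/2005:14:09:06 -0700] "GET http://partners.mygeek.com:80/search.jsp?partnerid=98885&pagesize=12 HTTP/1.1" 403 406',
    '192.0.2.10 - - [14/Oct/2005:14:09:07 -0700] "GET http://other.example/ HTTP/1.1" 200 5120',
    '192.0.2.11 - - [14/Oct/2005:14:09:08 -0700] "CONNECT mail.example:25 HTTP/1.0" 405 312',
    '192.0.2.12 - - [14/Oct/2005:14:09:09 -0700] "GET /index_html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
    print(summarize(SAMPLE))
```

For entries flagged `proxy_attempt_needs_review`, compare the logged byte count with the size of the site's own front page to tell a relayed response from local content.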
