[Gllug] Poxy proxy or malware problem?
David L Neil Mailing list a/c
GLLUG at getaroundtoit.co.uk
Thu May 7 12:18:01 UTC 2009
Please would a sagacious webAdmin point me at a decent explanation (not
"do this, do that") of setting-up and debugging a Reverse Proxy in
Apache2, for my afternoon's edification and education?
Have ploughed through Apache's docs and Nick Kew's 2004/6
ApacheWeek/Tutor article (and others), but noted nothing apparently
relevant - thought I understood the concepts of proxying, but...
Additional keywords to look for, concepts to firmly lodge between the
ears, hints, etc, will be much appreciated...
Regards,
=dn
Problem in boring detail:
As soon as I re-start Apache these blighters get their hooks in:
207.226.163.130 - - [07/May/2009:11:10:06 +0100] "GET http://freeproxylist.org/proxychecker3/ProxyChecker3.class.php?op=type HTTP/1.1" 403 317
89.149.253.92 - - [07/May/2009:11:10:24 +0100] "POST http://89.149.226.14/proxyc/engine.php HTTP/1.0" 403 293
87.236.29.207 - - [07/May/2009:11:10:24 +0100] "GET http://virtul.net/proxyc/engine.php HTTP/1.0" 403 290
I assume this is because of an error in my VHost .confs which has left
an open proxy - or could it be that there is some malware on my system?
The machine is my test/PoC server sitting behind the router on my DSL
line, mostly used in-house but with external access for clients during
such project phases. (Apache2 on CentOS 5.3)
One project has been to evaluate Zimbra email (etc), which required a
reverse proxy be set up to feed its Java-TomCat infrastructure. (simple
answer, rip-out Zimbra = don't tempt me!) I followed the 'do this'
instructions provided on the Zimbra community wiki, and built them into
the Zimbra.conf. All works happily, including local and remote webmail
and email client access.
Apparently there are ramifications for other VHosts. Last night I added
a new PHP f/end DB for the Commanding Officer (SWMBO), with a very
simple .conf, but things have gone nuts with all sorts of strange access
attempts, even after I tried to restrict access to the new sub-domain to
LAN users only.
Presumed pertinent sections of Zimbra VHost .conf
<VirtualHost *:80>
ServerName zimbra
ServerAlias zimbra.*
ServerAdmin ZimbraAdmin at danceswithmice.info
ProxyPass / http://danceswithmice.info:81/
ProxyPassReverse / http://danceswithmice.info:81/
...
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location />
ProxyPass http://danceswithmice.info
...
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
</Location>
...
Core of newest .conf
<VirtualHost *:80>
ServerName OIOC
DocumentRoot /srv/www/OIOC
DirectoryIndex OIOC.php index.html
...
<Directory /srv/www/OIOC>
Order Deny,Allow
Deny from all
Allow from 192.168.1
</Directory>
...
Sample error log entries (before adding the Deny/Allow from LAN)
[Wed May 06 19:11:23 2009] [error] [client 217.20.115.88] error parsing URL //: Invalid host/port
[Wed May 06 19:11:40 2009] [error] (70007)The timeout specified has expired: proxy: HTTP: attempt to connect to 64.233.183.83:80 (*) failed
Sample access log entries (in addition to those quoted earlier and
hundreds of others)
212.95.58.208 - - [06/May/2009:19:11:51 +0100] "GET http://search.yahoo.com/search?p=summitassociationofrealtors.com+inurl:forum&sm=Yahoo%21+Search&fr=FP-tab-web-t&toggle=1&cop=&ei=UTF-8 HTTP/1.0" 200 15825
89.41.72.163 - - [06/May/2009:19:11:52 +0100] "POST http://pharmacylab.net/CheckProxy.php HTTP/1.0" 200 86
84.16.252.76 - - [06/May/2009:19:11:42 +0100] "POST http://4z.com/?11@@.1ad4925c HTTP/1.1" 302 -
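Added example, not part of the original post: a small Python script that reads Apache access-log lines in Common Log Format and picks out requests whose target is an absolute URI (the signature of a forward-proxy probe), then separates the ones the server refused with 403 from the ones it answered with 2xx/3xx, which are the ones suggesting the request really was proxied. The sample lines are the ones quoted in this post plus one constructed LAN request as a negative case.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache Common Log Format: client ident user [time] "method target proto" status bytes
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

def parse(line):
    """Return the CLF fields of one access-log line, or None if it does not match."""
    m = CLF.match(line)
    return m.groupdict() if m else None

def is_proxy_probe(entry):
    """An absolute URI (scheme://host/...) as the request target, instead of a
    plain path, means the client is asking this server to act as a forward proxy."""
    return urlsplit(entry["target"]).scheme in ("http", "https")

def classify(lines):
    """Bucket absolute-URI requests by outcome: 'served' (2xx/3xx, i.e. apparently
    proxied), 'refused' (4xx), 'other' (anything else). Each item is
    (client, requested host, status)."""
    report = {"served": [], "refused": [], "other": []}
    for line in lines:
        e = parse(line)
        if not e or not is_proxy_probe(e):
            continue
        status = int(e["status"])
        bucket = "served" if 200 <= status < 400 else "refused" if status < 500 else "other"
        report[bucket].append((e["client"], urlsplit(e["target"]).hostname, status))
    return report

# Log lines quoted in the post, plus one constructed ordinary LAN request (last line).
SAMPLE = [
    '207.226.163.130 - - [07/May/2009:11:10:06 +0100] "GET http://freeproxylist.org/proxychecker3/ProxyChecker3.class.php?op=type HTTP/1.1" 403 317',
    '89.149.253.92 - - [07/May/2009:11:10:24 +0100] "POST http://89.149.226.14/proxyc/engine.php HTTP/1.0" 403 293',
    '87.236.29.207 - - [07/May/2009:11:10:24 +0100] "GET http://virtul.net/proxyc/engine.php HTTP/1.0" 403 290',
    '212.95.58.208 - - [06/May/2009:19:11:51 +0100] "GET http://search.yahoo.com/search?p=summitassociationofrealtors.com+inurl:forum&sm=Yahoo%21+Search&fr=FP-tab-web-t&toggle=1&cop=&ei=UTF-8 HTTP/1.0" 200 15825',
    '89.41.72.163 - - [06/May/2009:19:11:52 +0100] "POST http://pharmacylab.net/CheckProxy.php HTTP/1.0" 200 86',
    '84.16.252.76 - - [06/May/2009:19:11:42 +0100] "POST http://4z.com/?11@@.1ad4925c HTTP/1.1" 302 -',
    '192.168.1.5 - - [07/May/2009:11:20:00 +0100] "GET /OIOC.php HTTP/1.1" 200 1234',  # constructed
]

if __name__ == "__main__":
    report = classify(SAMPLE)
    for bucket, items in report.items():
        print(f"{bucket}: {len(items)}")
        for client, host, status in items:
            print(f"  {client} -> {host} ({status})")
    print("most-requested hosts:", Counter(h for items in report.values() for _, h, _ in items).most_common(3))
```

Feeding a live log through it (`tail -f access_log | python3 script.py` would need a stdin loop, which is a two-line change) gives a quick answer to the question in the post: 403s mean the proxy is refusing, 200s/302s on absolute URIs mean something is still being relayed.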
*****
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug