Prevent fraudulent use of your proxy web server 

We offer some HTTP services from our company HSZ (High Security Zone) through an Apache proxy server situated in the DMZ (Demilitarized Zone). The Apache in the DMZ forwards external requests through the company's firewall to the internal Apache web server. This path is marked "A = OK" in the following figure.

Last week we suddenly found some very strange URLs in the log file of the proxy Apache server, like the following:

62.158.172.221 "GET http://www.sexranking.de/sexranking.js 
62.158.172.221 "GET http://www.sexranking.de/cgi/weblist.cgi
62.158.172.221 "GET http://www.sexranking.de/cgi/ads.pl
62.158.172.221 "GET http://home.t-online.de/eroticgirl/hardcore.gif

These URLs do not exist on our internal Apache web server, so what happened? The giveaway is the request target: a client talking to a reverse proxy sends a path ("GET /..."), whereas these lines carry complete URLs for other sites. Our Apache proxy server was being misused by third parties as an open forward proxy to download pornographic material from other locations on the Internet, with our server's address appearing as the client. Why is this possible?

If you configure your Apache proxy server with ProxyRequests On, it acts as a forward proxy for anyone who can reach it, and the access path marked "B = not allowed" becomes possible. Setting ProxyRequests to Off disables forward proxying, but it does not disable the ProxyPass directive, which is all that the reverse-proxy path "A = OK" needs. We therefore changed our Apache configuration file in the following way:

# Prevent fraudulent use of proxy server:
# ProxyRequests Off disables forward proxying (path B) but leaves
# ProxyPass / ProxyPassReverse (path A) working.

<IfModule mod_proxy.c>
  ProxyRequests Off
</IfModule>

# VirtualHost configured to access the internal service (path A)

<VirtualHost 196.12.112.37:8612>
  ServerAdmin martin dot zahn at akadia dot ch
  DocumentRoot "/opt/www"
  ServerName mail2.mydomain.tld
  <IfModule mod_proxy.c>
    # Reverse proxy: map / on this host to the internal web server
    ProxyPass / http://192.168.38.27/
    # Rewrite Location headers in backend responses back to this host
    ProxyPassReverse / http://192.168.38.27/
  </IfModule>
</VirtualHost>

How to check both access paths?

Open Netscape Navigator and enter the IP address 196.12.112.37 and port number 8612 in the proxy configuration (Edit -> Preferences -> Advanced -> Proxies -> Manual Proxy Config).

Now try to connect from Netscape to e.g. https://www.akadia.com. This should no longer be possible (for an HTTPS URL the browser asks the proxy for a CONNECT tunnel, which the server does not service when ProxyRequests is Off), which means that access path "B = not allowed" is forbidden, as intended. To confirm that path "A = OK" still works, remove the proxy setting again and open http://mail2.mydomain.tld:8612/ directly; the page from the internal web server must still appear.
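As an added example, not part of the original article, the following shell script does two things: it scans Apache access-log lines for the forward-proxy fingerprint visible in the log excerpt above (a CONNECT request, or a request line carrying an absolute URL for a host we do not serve), and it provides a curl-based version of the Netscape check of both access paths. The sample log lines are constructed for the example and modelled on the excerpt; the proxy address, port and ServerName are taken from the configuration above, and the list of allowed hostnames is an assumption you must adapt.

```shell
#!/bin/sh
# Added example, not part of the original article: detect forward-proxy abuse
# in an Apache access log, and check both access paths with curl.
set -eu

# Hostnames this proxy legitimately serves. Assumption: the ServerName from
# the VirtualHost above; add every name your reverse proxy answers for.
OWN_HOSTS="mail2.mydomain.tld"

# Print every log line that looks like forward-proxy use: a CONNECT request,
# or a request target that is an absolute URL for a host we do not serve.
# Clients of a reverse proxy send a path ("GET /index.html"); an absolute
# URL in the request line ("GET http://other.host/...") means the client
# treated us as a forward proxy.
flag_proxy_abuse() {
    awk -v own="$OWN_HOSTS" '
    BEGIN { n = split(own, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
    {
        # First quoted field is the request line: "METHOD TARGET PROTOCOL"
        if (match($0, /"[A-Z]+ [^ "]+/) == 0) next
        split(substr($0, RSTART + 1, RLENGTH - 1), p, " ")
        method = p[1]; target = p[2]
        if (method == "CONNECT") { print; next }     # HTTPS tunnel attempt
        if (target !~ /^https?:\/\//) next           # plain path: reverse-proxy traffic
        host = target
        sub(/^https?:\/\//, "", host)
        sub(/[\/:].*$/, "", host)
        if (!(host in allowed)) print
    }'
}

# Constructed sample log (Common Log Format), modelled on the excerpt above.
SAMPLE_LOG='10.0.0.5 - - [12/Mar/2001:10:00:01 +0100] "GET /index.html HTTP/1.0" 200 1234
62.158.172.221 - - [12/Mar/2001:10:00:02 +0100] "GET http://www.sexranking.de/sexranking.js HTTP/1.0" 200 812
62.158.172.221 - - [12/Mar/2001:10:00:03 +0100] "GET http://www.sexranking.de/cgi/ads.pl HTTP/1.0" 200 3312
10.0.0.7 - - [12/Mar/2001:10:00:04 +0100] "GET http://mail2.mydomain.tld/inbox HTTP/1.1" 200 2201
62.158.172.221 - - [12/Mar/2001:10:00:05 +0100] "CONNECT www.akadia.com:443 HTTP/1.0" 405 0'

# Number of suspicious lines in the sample: the two sexranking.de fetches and
# the CONNECT, but not the absolute URL naming our own host.
count_abuse() {
    printf '%s\n' "$SAMPLE_LOG" | flag_proxy_abuse | wc -l | tr -d ' '
}

# Live check of both access paths (addresses from the configuration above;
# run by hand, not executed here). Path A: a direct request to the
# reverse-proxied vhost must answer. Path B: using the server as a forward
# proxy for an HTTPS site makes curl send CONNECT, which Apache does not
# service when ProxyRequests is Off, so the second curl must fail.
PROXY="196.12.112.37:8612"
check_paths() {
    printf 'Path A (reverse proxy, direct): HTTP '
    curl -s -o /dev/null --max-time 10 -w '%{http_code}\n' "http://mail2.mydomain.tld:8612/"
    printf 'Path B (forward proxy via CONNECT): '
    if curl -s -o /dev/null --max-time 10 -x "$PROXY" "https://www.akadia.com/"; then
        echo "tunnel accepted: the proxy is open, fix ProxyRequests"
        return 1
    fi
    echo "refused (ProxyRequests Off is effective)"
}

printf '%s\n' "$SAMPLE_LOG" | flag_proxy_abuse
echo "suspicious requests: $(count_abuse)"
# check_paths
```

Feed a real log with `flag_proxy_abuse < /var/log/httpd/access_log` (path assumed); a request for an absolute URL of your own ServerName is harmless and is deliberately not reported, since browsers may send it when the site is reached through another proxy. Uncomment `check_paths` only on a machine that can reach the DMZ proxy.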