Evitar que Ips da Internet usem o mod_proxy

[cldn]

Olá!
Instalei o módulo apache-mod_proxy para fazer o redirecionamento via url para outro servidor na rede interna. Qto. a isto, está funcionando perfeitamente. Depois de instalado e configurado, notei que o servidor ficara cada vez mais lento e sem recursos ... Verificando os logs, encontrei isto :

206.51.230.64 - - [23/Nov/2009:20:24:46 -0200] "GET http://www.fosoho.com/book/liuyanban_fb.asp HTTP/1.1" 500 70
206.51.230.64 - - [23/Nov/2009:20:24:41 -0200] "GET ¡Ø¤¤¤Ð¤é¤*ËÌ´Ø.com¡Ù °ñ¾ë¸©¤ÎËÌ´ØÅ켫ư¼ÖÆ»±èÀþÃÏ°è¾ðÊó - ÃÏ°è»ñ¸»°ìÍ÷ : ÞÁ¾Â¼«Á³¸ø±à¥*¥ã¥ó¥×¾ì by ibaraki-kitakan HTTP/1.1" 200 34184
59.56.109.79 - - [23/Nov/2009:20:24:47 -0200] "GET http://redvase.bravenet.com/track/im...084/1259015079 HTTP/1.0" 200 43
66.232.123.237 - - [23/Nov/2009:20:24:47 -0200] "GET http://imagem2.buscape.com.br/thumbs/cn/img898671r3.gif HTTP/1.1" 200 3680
78.109.164.60 - - [23/Nov/2009:20:24:46 -0200] "GET New homes in BL5 3RW - Find a New Home for sale HTTP/1.1" 200 56973
188.72.202.144 - - [23/Nov/2009:20:24:46 -0200] "GET http://www.papelesdelpsicologo.es/imprimir.asp?id=582'%22 HTTP/1.0" 500 17746


Estao usando meu apache como proxy .. !!
Alterei o paramentro ProxyRequests de On para Off , mas não adiantou ... Usei tbm a dica neste
site - [Segurança] Evitar acesso ao MOD_PROXY para IPs internet | HITK - mas nao deu certo tbm ...

O log chega a registrar mais de 1 milhao de acessoes num prazo de 24hrs...

Qquer idéia, dica etc, é bem vinda.

Uso o apache-2.2 e por enqto desliguei o serviço até resolver isto.

[ferdam]

Estao usando meu apache como proxy .. !!
Exatamente ! Há inclusive uma advertência na documentação do proxy_mod no site do Apache :

Warning

Do not enable proxying with ProxyRequests until you have secured your server. Open proxy servers are dangerous both to your network and to the Internet at large.

Note também que não adianta passar ProxyRequests para off para bloquear, tem que retirá-lo até que você esteja certo que seu servidor esteja seguro.

Poste como você configurou o exemplo do hitk.

De qualquer forma, já te adianto que milhares de mensagens "client denied by server configuration" aparecerão no log do Apache.

[cldn]

O hitk já retirei esta configuração, mas havia configurado desta maneira:

ProxyRequests On
SetEnvIf Host "localhost" hitk
SetEnvIf Host "hitk\.com.br$" hitk

Order deny,allow
Allow from env[equal tongue]hitk

ProxyVia Block


Retirei o ProxyRequests e abaixo segue o arquivo de configuração do módulo mod_proxy:

<IfDefine HAVE_PROXY>
<IfModule !mod_proxy.c>
LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
</IfModule>
</IfDefine>


<IfModule mod_proxy.c>

# <Proxy> - Container for directives affecting resources located in the proxied location
<Proxy *>
AddDefaultCharset off
Order deny,allow
Allow from all
# Allow from .your-domain.com
</Proxy>


# <ProxyMatch> - Container for directives affecting resources located in the proxied location, in regular expression syntax

# ProxyRequests - on if the true proxy requests should be accepted
#ProxyRequests Off

# ProxyRemote - a scheme, partial URL or '*' and a proxy server
#ProxyRemote * http://firewall.mycompany.com:81
#ProxyRemote goodguys.com http://mirrorguys.com:8000
#ProxyRemote * http://cleversite.com
#ProxyRemote ftp http://ftpproxy.mydomain.com:8080

# ProxyRemoteMatch - a regex pattern and a proxy server
#ProxyRemoteMatch ...

# ProxyPass - a virtual path and a URL
#ProxyPass /mirror/foo/ http://backend.example.com/

# ProxyPassReverse - a virtual path and a URL for reverse proxy behaviour
#ProxyPassReverse /mirror/foo/ http://backend.example.com/

# ProxyPassReverseCookiePath - Path rewrite rule for proxying cookies
#ProxyPassReverseCookiePath / /mirror/foo/

# ProxyPassReverseCookieDomain - Domain rewrite rule for proxying cookies
#ProxyPassReverseCookieDomain backend.example.com public.example.com

# ProxyBlock - A list of names, hosts or domains to which the proxy will not connect
#ProxyBlock joes-garage.com some-host.co.uk rocky.wotsamattau.edu

# ProxyReceiveBufferSize - Receive buffer size for outgoing HTTP and FTP connections in bytes
ProxyReceiveBufferSize 0

# ProxyIOBufferSize - IO buffer size for outgoing HTTP and FTP connections in bytes
ProxyIOBufferSize 8192

# ProxyMaxForwards - The maximum number of proxies a request may be forwarded through.
ProxyMaxForwards 10

# NoProxy - A list of domains, hosts, or subnets to which the proxy will connect directly
#NoProxy .mycompany.com 192.168.112.0/21

# ProxyDomain - The default intranet domain name (in absence of a domain in the URL)
#ProxyDomain .mycompany.com

# AllowCONNECT - A list of ports which CONNECT may connect to
#AllowCONNECT 443 563

# ProxyVia - Configure Via: proxy header header to one of: on | off | block | full
ProxyVia On

# ProxyErrorOverride - use our error handling pages instead of the servers' we are proxying
ProxyErrorOverride Off

# ProxyPreserveHost - on if we should preserve host header while proxying
ProxyPreserveHost Off

# ProxyTimeout - Set the timeout (in seconds) for a proxied connection. This overrides the server timeout
ProxyTimeout 300

# ProxyBadHeader - How to handle bad header line in response: IsError | Ignore | StartBody
ProxyBadHeader IsError

# BalancerMember - A balancer name and scheme with list of params
#ProxyPass /special-area http://special.example.com/ smax=5 max=10
#ProxyPass / balancer://mycluster stickysession=jsessionid nofailover=On
#<Proxy balancer://mycluster>
#BalancerMember http://1.2.3.4:8009
#BalancerMember http://1.2.3.5:8009 smax=10

# Less powerful server, don't send as many requests there
#BalancerMember http://1.2.3.6:8009 smax=1 loadfactor=20
#</Proxy>

# ProxyStatus - Configure Status: proxy status to one of: on | off | full
#ProxyStatus full

# ProxySet - A balancer or worker name with list of params
#ProxySet ?

</IfModule>

<IfModule mod_proxy_balancer.c>

<Location /balancer-manager>
SetHandler balancer-manager
Order Deny,Allow
Deny from all
#Allow from .foo.com
</Location>

</IfModule>


E no httpd.conf:

<VirtualHost *:80>
ServerName server2.dominio.com.br
ProxyPass / http://server2.dominio.com.br:80/
ProxyPassReverse / http://server2.dominio.com.br:80/
Redirect permanent / http://server2.dominio.com.br:80
</VirtualHost>

[cldn]

Bem, fiz tudo qto é tipo de configuracao no módulo mod_proxy e de nada adiantou e isto, pelo que pude ler, é normal:

https://under-linux.org/f108149-impe...proxy-tem-como