blocking forward proxy attempts

         

cary anderson

7:45 pm on May 19, 2004 (gmt 0)



I have a question regarding blocking attempts to use my server as a forward proxy. I have the ProxyRequests flag turned off on my server. However, a review of the logs indicates that people are attempting (unsuccessfully) to use the server as a forward proxy. They are either getting a 404 error, or if they put in the base URI they are trying to get to, they will get our home page instead.

What I would like to do is block these addresses from the server. Can this be done at the web server, or is this strictly a firewall rule issue? Can I set up allow/deny on the / location and stop them from attempting this?

Thanks for any input on this issue.

jdMorgan

8:19 pm on May 19, 2004 (gmt 0)




cary,

Welcome to WebmasterWorld [webmasterworld.com]!

At the server level, the typical response would be a 403-Forbidden or maybe a 501-Not Implemented or 400-Bad Request response; you could add mod_access or mod_rewrite directives to block them from accessing your pages/images/etc. and return a 403. But this will not "block them from the server," since these modules are, by definition, "inside" the server. To block them from accessing your server, yes, you'll need to stop them at the firewall.

The basic idea is if you get a request that contains a canonical URL, and the domain in that URL does not match your site's domain(s), then block the request. I've seen these requests come in as
GET /http://www.example.com/page.html
and as
GET http://www.example.com/page.html
(with and without the leading slash), so both cases must be handled.

Note that the test for "not my domain" is needed, since it is allowable to use the first request form shown above, and should be permitted as long as the domain in the URL matches the requested hostname. This is not done often, but setting it up now may help future-proof your implementation.

Jim
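
The test described in the reply above, applied to an access log to list the client addresses that would go into a firewall rule. This is an added example, not code from either poster: the `OWN_HOSTS` names, the function names and the sample log lines are constructed for illustration, and the log is assumed to be in Apache common/combined format.

```python
import re
from urllib.parse import urlsplit

# Assumption: hostnames this server legitimately answers for (hypothetical).
OWN_HOSTS = {"www.mysite.example", "mysite.example"}

# Common/combined log format: client address first, request line in quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)" \d{3}')
# Request target that is a full URL, with or without the leading slash.
ABS_URL_RE = re.compile(r'^/?(?P<url>https?://\S+)$', re.IGNORECASE)

def foreign_proxy_host(request_line, own_hosts=OWN_HOSTS):
    """Return the hostname when the request target is a full URL for a domain
    that is not ours; return None for ordinary and own-domain requests."""
    parts = request_line.split()
    if len(parts) < 2:
        return None                      # empty or malformed request line
    m = ABS_URL_RE.match(parts[1])
    if not m:
        return None                      # ordinary path such as /index.html
    try:
        # .hostname drops userinfo and port and lower-cases the name
        host = (urlsplit(m.group("url")).hostname or "").rstrip(".")
    except ValueError:
        host = ""                        # unparsable authority: still flagged
    return None if host in own_hosts else host

def offending_clients(log_lines, own_hosts=OWN_HOSTS):
    """Map client address -> sorted foreign hosts it asked this server to fetch."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            host = foreign_proxy_host(m.group("request"), own_hosts)
            if host is not None:
                hits.setdefault(m.group("ip"), set()).add(host)
    return {ip: sorted(hosts) for ip, hosts in hits.items()}

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/May/2004:19:01:02 +0000] "GET http://www.example.com/page.html HTTP/1.0" 404 209',
    '192.0.2.10 - - [19/May/2004:19:01:05 +0000] "GET /http://www.example.com/page.html HTTP/1.0" 404 215',
    '198.51.100.7 - - [19/May/2004:19:02:11 +0000] "GET /http://www.mysite.example/about.html HTTP/1.1" 404 215',
    '203.0.113.5 - - [19/May/2004:19:03:40 +0000] "GET /index.html HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, hosts in offending_clients(SAMPLE_LOG).items():
        print(ip, ", ".join(hosts))
```

The own-domain request from 198.51.100.7 is not flagged, which matches the "not my domain" test in the reply.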