
httpd sends spam


Tjeez

10:13 am on Jul 12, 2004 (gmt 0)

10+ Year Member



Hi all,

For a while now I have noticed constant upload traffic. Well, it seems that our Solaris box with Apache 1.3.27 is using all that bandwidth. Whenever I stop the httpd server, the traffic stops too.

I noticed that my transfer log was huge, here are some lines:

****.****.****.168 - - [07/Jul/2004:13:40:27 +0200] "HEAD http://www.not_my_site.com/members/ HTTP/1.0" 401 0 "http://www.not_my_site:80" "Mozilla/4.0 ( compatible; MSIE 5.01; Windows NT5.0; athome0107 )"
****.****.****.236 - - [07/Jul/2004:13:40:28 +0200] "GET http://e1.member.quux-foo.ukl.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://yahoo.com/pager2.shtml&login=ohnoyme&passwd=none HTTP/1.0" 999 1195 "-" "-"
xxx.xxx.xxx.1 - - [07/Jul/2004:13:40:29 +0200] "CONNECT login.icq.com:443 HTTP/1.0" 200 - "-" "-"
xxx.xxx.xxx.245 - - [07/Jul/2004:13:40:29 +0200] "POST http://notta_my_site.it/cgi-bin/mail.cgi HTTP/1.0" 404 325 "http://notta_my_site.it/" "-"
xxx.xxx.xxx.245 - - [07/Jul/2004:13:40:32 +0200] "POST http://www.some_other_site.uk/shared/cgi-bin/generic HTTP/1.0" 405 289 "http://www.some_other_site.co.uk/" "-"

I'm not an expert on this stuff, so I don't know where to start looking. However, I've searched the internet, but I can't find anything useful. I found a topic on this forum (http://www.webmasterworld.com/forum92/1407.htm), but the solutions indicated there did not help.

I would appreciate it if anyone could help me out here. My IP is getting black listed on the spamlists. Thanks in advance for any help!

Best regards,

[edited by: jdMorgan at 3:07 pm (utc) on July 12, 2004]
[edit reason] Removed specifics per TOS [/edit]

bird

11:02 am on Jul 12, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Looks like your apache acts as a proxy. Disable mod_proxy in the server config, and it will stop.

Tjeez

11:28 am on Jul 12, 2004 (gmt 0)

10+ Year Member



Hi bird,

We need the proxy, because we use two URLs which lead to the same site, but one is a global site, the other one is US specific. That way we can check the server name in the scripts to display the regional content.

site.mydomain.com/subsite1/ leads to the global site, site.mydomain.com/subsite1/us/ leads to the US specific site. But both sites use the same scripts.

Below is a piece of the httpd.conf file. I also have a <VirtualHost> directive for subsite1_us.mydomain.com and subsite1.mydomain.com

<VirtualHost *>
ServerName site.mydomain.com
DocumentRoot /path/to/webroot
ErrorLog /path/to/logs/httpd-error.log
TransferLog /path/to/logs/httpd-transfer.log

# Forward proxying for any client (this is what lets outsiders relay through the server)
ProxyRequests on
# Reverse-proxy mappings; each ProxyPassReverse must mirror the ProxyPass above it
ProxyPass /subsite1/us/ [subsite1_us.mydomain.com...]
ProxyPassReverse /subsite1/us/ [subsite1_us.mydomain.com...]
ProxyPass /subsite1/ [subsite1.mydomain.com...]
ProxyPassReverse /subsite1/ [subsite1.mydomain.com...]
ProxyVia on
</VirtualHost>

Can I reject unauthorized use of the proxy? Or is there any other option available to handle this issue?

Thanks again!

gergoe

11:38 am on Jul 12, 2004 (gmt 0)

10+ Year Member



Take off the ProxyRequests on or set it to off. None of the ProxyPass and ProxyPassReverse directives needs it. See [httpd.apache.org...]

Tjeez

11:58 am on Jul 12, 2004 (gmt 0)

10+ Year Member



Thanks gergoe! That did it.

I should deny access to the proxy for anyone outside our network. Just like the example from Apache.

Also thanks to bird!

Tjeez

12:29 pm on Jul 12, 2004 (gmt 0)

10+ Year Member



Hi, I/we yelled victory too soon!
The traffic reduced a lot, but unfortunately I still have people coming through my server. I have implemented the security recommendation by Apache:

<Directory proxy:*>
Order deny,allow
Deny from all
Allow from ****.xxx.xxx.0
</Directory>

where xxx.xxx.xxx.0 is my network.

Will the traffic go away automatically after a while, or is there still something wrong?

Thanks for helping me out!
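To check a configuration for this combination mechanically, here is an added example (my own Python, not from the thread or from the Apache project) that audits an httpd.conf fragment for `ProxyRequests on` without a `<Directory proxy:*>` block that denies by default. The two embedded configurations are constructed to mirror the ones posted above; the backend URLs and the 192.0.2.0/24 network are placeholders for the poster's elided values.

```python
import re

# Constructed to mirror the thread's first configuration (not the poster's
# real file): ProxyRequests on makes Apache a forward proxy and nothing
# limits who may use it.
OPEN_PROXY_CONF = """\
<VirtualHost *>
ServerName site.mydomain.com
ProxyRequests on
ProxyPass /subsite1/us/ http://subsite1_us.mydomain.com/
ProxyPassReverse /subsite1/us/ http://subsite1_us.mydomain.com/
ProxyVia on
</VirtualHost>
"""

# Constructed hardened variant: ProxyRequests off (ProxyPass does not need
# it) plus the Apache-documented ACL, so that even if forward proxying is
# ever switched back on, only the local network (placeholder 192.0.2.0/24)
# gets through.
HARDENED_CONF = """\
<VirtualHost *>
ServerName site.mydomain.com
ProxyRequests off
ProxyPass /subsite1/us/ http://subsite1_us.mydomain.com/
ProxyPassReverse /subsite1/us/ http://subsite1_us.mydomain.com/
<Directory proxy:*>
Order deny,allow
Deny from all
Allow from 192.0.2.0/24
</Directory>
</VirtualHost>
"""


def audit_proxy_config(conf):
    """Return a list of findings (empty means nothing to report).

    Simplified model of Apache 1.3 semantics: the last ProxyRequests wins,
    and a <Directory proxy:*> block containing 'Deny from all' is taken as
    an ACL that closes the forward proxy to outsiders.
    """
    findings = []
    proxy_requests_on = False
    in_proxy_dir = False
    deny_all_in_proxy_dir = False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"ProxyRequests\s+(\S+)", line, re.I)
        if m:
            proxy_requests_on = m.group(1).lower() == "on"
        elif re.match(r"<Directory\s+proxy:", line, re.I):
            in_proxy_dir = True
        elif re.match(r"</Directory>", line, re.I):
            in_proxy_dir = False
        elif in_proxy_dir and re.match(r"Deny\s+from\s+all$", line, re.I):
            deny_all_in_proxy_dir = True

    if proxy_requests_on:
        findings.append("ProxyRequests on: server accepts forward-proxy requests")
        if not deny_all_in_proxy_dir:
            findings.append("no <Directory proxy:*> block with 'Deny from all': open proxy")
    return findings


if __name__ == "__main__":
    for name, conf in (("open", OPEN_PROXY_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_proxy_config(conf) or ["OK"])
```

Run it against a copy of your own httpd.conf by reading the file into `audit_proxy_config`. The audit only reports; it does not see `Include`d files or per-directory overrides, so an empty result is a necessary check, not proof that the proxy is closed. The external probe described later in the thread is the definitive test.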

bird

12:56 pm on Jul 12, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Obviously, your server has made the rounds in spammer circles, and some of them keep trying. You can check from an external machine if the proxy is still open. If it is closed now (as it seems to be), then the attempts will reduce over time and eventually go away completely.

Tjeez

1:06 pm on Jul 12, 2004 (gmt 0)

10+ Year Member



Hello bird,

How exactly do I check for an open proxy from an external machine? Or is this too complicated to explain?

Secondly, I still get those lines in my transfer log:

****.****.xxx.91 - - [12/Jul/2004:14:26:16 +0200] "GET [google.com...] &btnG=Google%E6%90%9C%E7%B4%A2&lr= HTTP/1.0" 404 285
xxx.xxx.xxx.245 - - [12/Jul/2004:14:26:18 +0200] "POST [not_my_site.biz...] HTTP/1.0" 404 298
xxx.xxx.xxx.245 - - [12/Jul/2004:14:26:18 +0200] "POST [aul.fiu.edu...] HTTP/1.0" 404 297

Does that mean that the proxy is still open? In my httpd.conf ProxyRequests is explicitly set to off.

[edited by: jdMorgan at 3:04 pm (utc) on July 12, 2004]
[edit reason] Removed specific per TOS. [/edit]

jdMorgan

3:14 pm on Jul 12, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The 404-Not Found response code in each of your log entries above indicates that the page was not found. When you see the 200-OK response code for an unrecognized URL, then you need to worry.

The simplest way to check is to type a URL like http://www.yourdomain.com/http://yahoo.com/ into your browser address bar. If you see the yahoo home page, you've got an open proxy. This is a very common way that spammers use to find open proxies, but they automate it.

Jim
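As an added example (my own Python, not code from the thread), here is detection logic that applies Jim's status-code reasoning to log lines: it flags requests in proxy form (an absolute URI for a foreign host, or CONNECT) and treats a 404/405-type answer as Apache declining, while any other status on such a request means an upstream server most likely answered, i.e. the request was forwarded. It also builds the same probe Jim describes as a raw HTTP request for use from an external machine. The sample log lines are constructed to resemble the ones posted above; the IP addresses, example domains and the list of the server's own hostnames are assumptions.

```python
import re
import socket
from urllib.parse import urlsplit

# Hosts this server legitimately answers for (assumption for the example).
# An absolute URI naming one of these is ordinary HTTP/1.1, not proxy abuse.
OWN_HOSTS = {"site.mydomain.com", "www.mydomain.com"}

# Status codes Apache itself produces when it refuses a request it does not
# proxy; anything else on a proxy-form request means an upstream server most
# likely answered, i.e. the request was forwarded.
REFUSED_LOCALLY = {400, 403, 404, 405, 501}

# Constructed sample modeled on the thread's log excerpts (documentation
# IP ranges and example domains, not real traffic).
SAMPLE_LOG = """\
203.0.113.168 - - [07/Jul/2004:13:40:27 +0200] "HEAD http://www.example.com/members/ HTTP/1.0" 401 0 "-" "Mozilla/4.0"
203.0.113.1 - - [07/Jul/2004:13:40:29 +0200] "CONNECT login.example.net:443 HTTP/1.0" 200 - "-" "-"
203.0.113.245 - - [12/Jul/2004:14:26:18 +0200] "POST http://example.org/cgi-bin/mail.cgi HTTP/1.0" 404 298 "-" "-"
198.51.100.7 - - [12/Jul/2004:14:30:00 +0200] "GET /subsite1/us/index.cgi HTTP/1.0" 200 5120 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Jul/2004:14:31:00 +0200] "GET http://site.mydomain.com/subsite1/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)


def classify(line, own_hosts=OWN_HOSTS):
    """Parse one common-log-format line and label it.

    kind:    'path' (ordinary request), 'self-absolute' (absolute URI for
             our own host), 'absolute-uri' (proxy form, foreign host),
             'connect' (tunnel request)
    verdict: 'local', 'refused' (proxy form but Apache declined),
             'forwarded' (proxy form and an upstream-looking status)
    """
    m = CLF_RE.match(line)
    if not m:
        return None
    method = m.group("method").upper()
    target = m.group("target")
    status = int(m.group("status"))
    if method == "CONNECT":
        kind = "connect"
    elif re.match(r"https?://", target, re.I):
        host = (urlsplit(target).hostname or "").lower()
        kind = "self-absolute" if host in own_hosts else "absolute-uri"
    else:
        kind = "path"
    if kind in ("path", "self-absolute"):
        verdict = "local"
    elif status in REFUSED_LOCALLY:
        verdict = "refused"
    else:
        verdict = "forwarded"
    return {"ip": m.group("ip"), "method": method, "target": target,
            "status": status, "kind": kind, "verdict": verdict}


def scan(log_text):
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]


def forwarded_sources(log_text):
    """Client IPs whose proxy-form requests appear to have been forwarded."""
    return sorted({r["ip"] for r in scan(log_text) if r["verdict"] == "forwarded"})


def build_probe(target_url="http://www.example.com/"):
    """The request an open-proxy scanner sends: an absolute URI, on port 80."""
    return ("GET %s HTTP/1.0\r\nHost: %s\r\n\r\n"
            % (target_url, urlsplit(target_url).hostname)).encode()


def probe_status(response):
    """Status code from the first line of a raw HTTP response, else None."""
    m = re.match(rb"HTTP/\d\.\d (\d{3})", response)
    return int(m.group(1)) if m else None


def proxy_looks_open(server, port=80, timeout=10):
    """Send the probe from an external machine; True if the server answered
    with something other than a local refusal (network call, not exercised
    by the sample run)."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(build_probe())
        head = s.recv(4096)
    st = probe_status(head)
    return st is not None and st not in REFUSED_LOCALLY


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print("%-14s %-7s %-13s %s -> %s"
              % (r["ip"], r["method"], r["kind"], r["status"], r["verdict"]))
    print("forwarding for:", forwarded_sources(SAMPLE_LOG))
```

Feed your transfer log to `scan` and look at the `forwarded` rows first: those are requests the server actually relayed. The `refused` label is only probable, because an upstream server can also answer 404 for a relayed request, so a 404 on a proxy-form line after the fix is consistent with a closed proxy but does not prove it. `proxy_looks_open("your.server", 80)` run from outside your network is the check bird was referring to.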

Tjeez

3:20 pm on Jul 12, 2004 (gmt 0)

10+ Year Member



jdMorgan, I will keep monitoring the logs, just to be sure. :)

I know basic stuff of networks and unix, but I've learned a bit more today. Thanks to everyone!

Tjeez

7:27 am on Jul 15, 2004 (gmt 0)

10+ Year Member



Hi, things aren't completely over yet.

In the log files I see that most of the "GET" requests get a 404 response. However, some of them still get a 200. What does that mean?

Also, all CONNECT and HEAD requests receive a 200 response code. Can I deny that somehow?

Thanks in advance!

jdMorgan

4:02 pm on Jul 15, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



HEAD requests are fine, they're common from caching proxies, such as those used by AOL.

CONNECTs are a problem. You can block those using <Limit>, <LimitExcept>, or using mod_rewrite and testing %{HTTP_METHOD}.

Here's a snippet of mod_rewrite code I use in .htaccess on several sites:


# BLOCK unsupported HTTP methods
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|OPTIONS|POST|PROPFIND|TRACE)$
RewriteRule .* - [F]
#
# BLOCK attempts to use our server as a proxy, but allow absolute URIs
RewriteCond %{THE_REQUEST} ^(GET|HEAD|POST)./?http:// [NC]
RewriteCond %{THE_REQUEST} !^(GET|HEAD|POST)./?http://(www\.)?mydomain\.com/ [NC]
RewriteRule .* - [F]

This simply demonstrates one method of controlling request methods and proxy requests. Do look into the others though, as they may be more suitable to your server setup and maintenance preferences, especially since you have access to httpd.conf.

Jim
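To show what Jim's patterns actually match and where they stop, here is an added example (my own Python, not from the thread) that transcribes the three RewriteCond patterns into regular expressions and evaluates them against constructed request lines. The request lines and hostnames are examples; `mydomain.com` is kept from the snippet.

```python
import re

# The three patterns from the mod_rewrite snippet, transcribed into Python.
# Apache compares %{REQUEST_METHOD} case-sensitively; the two THE_REQUEST
# patterns carry [NC], which becomes re.I here. In THE_REQUEST the "." after
# the method matches the space, and "/?" tolerates a leading slash.
ALLOWED_METHODS = re.compile(r"^(GET|HEAD|OPTIONS|POST|PROPFIND|TRACE)$")
PROXY_FORM = re.compile(r"^(GET|HEAD|POST)./?http://", re.I)
OWN_ABSOLUTE = re.compile(r"^(GET|HEAD|POST)./?http://(www\.)?mydomain\.com/", re.I)


def rewrite_verdict(request_line):
    """Return 403 if the rules would answer Forbidden, else None (the
    request falls through to normal handling)."""
    method = request_line.split(" ", 1)[0]
    if not ALLOWED_METHODS.match(method):
        return 403                       # rule 1: unsupported method
    if PROXY_FORM.match(request_line) and not OWN_ABSOLUTE.match(request_line):
        return 403                       # rule 2: proxy form, not our host
    return None


# Constructed request lines (example hosts, not taken from the thread).
SAMPLE_REQUESTS = [
    "CONNECT login.example.net:443 HTTP/1.0",            # tunnel attempt
    "GET http://www.example.com/ HTTP/1.0",              # classic proxy probe
    "GET /http://www.example.com/ HTTP/1.0",             # the browser-bar test form
    "get http://www.example.com/ HTTP/1.0",              # lowercase method
    "GET http://www.mydomain.com/subsite1/ HTTP/1.1",    # own host, absolute form
    "GET http://mydomain.com.example.net/ HTTP/1.0",     # lookalike host
    "GET /subsite1/us/ HTTP/1.0",                        # ordinary request
    "GET https://www.example.com/ HTTP/1.0",             # not covered by the pattern
]


def evaluate(lines=SAMPLE_REQUESTS):
    return {line: rewrite_verdict(line) for line in lines}


if __name__ == "__main__":
    for line, verdict in evaluate().items():
        print("%-50s %s" % (line, verdict or "pass"))
```

The lookalike host is refused because the second pattern requires a slash right after `mydomain.com`. The last line shows the limit of the rule: it only recognises `http://` absolute URIs, so an `https://` or `ftp://` absolute URI passes through it. That is fine as defence in depth, but the thing that actually closes the relay is `ProxyRequests off`; the rewrite rules just turn stray attempts into a cheap 403 instead of a 404.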

gergoe

4:56 pm on Jul 15, 2004 (gmt 0)

10+ Year Member



As far as I know the HTTPS protocol uses the CONNECT method to maintain the connection between the peers, so if you have SSL configured you had better not disable it. Of course this also means that if you have proxying enabled, other people can use your server to get connected to HTTPS servers, but if you have disabled proxy support it shouldn't be a problem at all.