
Open Apache Proxy?

Is someone stealing my bandwidth?

         

BwanaZulia

3:15 pm on Jul 17, 2004 (gmt 0)

10+ Year Member



I got a support ticket from my ISP after I asked why I saw a huge 3 x spike in my bandwidth on the 14th of July.

"I believe this traffic was caused by the proxy feature of your web server. One host generated thousands of hits through it on the 14th:

[root@example logs]# pwd
/usr/local/apache2/logs
[root@servername logs]# tail -60000 access_log | grep 14/Jul | grep "http://www.stats_company.kom/aspx/login.aspx?sid=somestatsfree" | wc -l
37208

Each one of those hits is about 18 KB, for a total of around 670 MB of bandwidth. This was all caused by 24.86.*.197.

This system appears to be an open HTTP proxy. I was able to request an arbitrary page through it. Unless this is your intent, I recommend closing it to everyone but a few specific hosts. Please note that this is a custom installation of Apache, so our support of it will be limited."


I have never heard of this before. Can anyone point me in the right direction?

BZ

[edited by: jdMorgan at 3:41 pm (utc) on July 17, 2004]
[edit reason] Obscured specifics per TOS [/edit]

jdMorgan

3:48 pm on Jul 17, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



See this recent thread [webmasterworld.com] on closing open proxies.

For others who might read this thread, try this test: Put the url http://www.<yourdomain>.com/http://www.webmasterworld.com/
into your browser address bar. If you get WebmasterWorld's home page, then you have an open proxy!

Jim

BwanaZulia

4:17 pm on Jul 17, 2004 (gmt 0)

10+ Year Member



Interesting... I tried that test and it did not work.

I do have ProxyPass enabled on my server, because I have Apache sitting in front of Zope (Web Application Server), but I am not sure how that opens it up for everything? The commands are in the virtual servers.

BZ

jdMorgan

7:39 pm on Jul 17, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Well, I'm far from a proxy set-up guru, and know nothing of Zope. Hopefully, someone who knows more about these subjects will stop in and can help.

In the meantime, check out the Apache mod_proxy documentation and see if it gives any clues as to what your problem may be.

Jim

BwanaZulia

4:20 pm on Jul 31, 2004 (gmt 0)

10+ Year Member



So now I found the ProxyRequest in the httpd.conf and turned it to off.

I still could not validate that the proxy request was working, but since I got hit with a 5GB spike yesterday (6 times my normal traffic) I took another look.

I have now studied a month's worth of logs and it looks like before a lot of requests were being validated and now after the change, they are all getting 404s. Which seems better.

BZ

jdMorgan

4:47 pm on Jul 31, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> Which seems better.

Yeah, much better!

You'll likely continue to see 'attempts' for awhile, but they will slowly drop off as the word gets out that your proxy is closed, and they remove your IP from the lists.

I'd be interested in your observations after a few days of blocking them.

Jim

BwanaZulia

7:28 pm on Jul 31, 2004 (gmt 0)

10+ Year Member



Now if I could only figure out how to block hot linking of images while still using ProxyPass I would be very happy.

BZ

BwanaZulia

7:35 pm on Jul 31, 2004 (gmt 0)

10+ Year Member



I am still getting some 302s in my logs? Is that ok?

BZ

jdMorgan

2:12 am on Aug 1, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hmmm... I don't know. Have you got some 302 temporary redirects on the requested URLs?

Jim

BwanaZulia

2:51 am on Aug 1, 2004 (gmt 0)

10+ Year Member



Here is one... still coming through... (my IP not real)

22.96.04.09 - - [31/Jul/2004:21:48:51 -0500] "GET [someplace.com...] HTTP/1.0" 302 14 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.1) Gecko/20021104 Chimera/0.6"

BZ
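
A log check along the lines of the ISP's grep in the first post, generalized to any foreign absolute-URI or CONNECT request and grouped by client and status, as an added example that is not part of the original thread. The own-host list, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Combined Log Format: client ident user [time] "METHOD target proto" status bytes ...
LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
                     r'(?P<status>\d{3}) (?P<bytes>\d+|-)')
# A request target in absolute form (scheme://host/...) is what a forward proxy receives.
ABSOLUTE_RE = re.compile(r'^[a-z][a-z0-9+.-]*://([^/:?#]+)', re.I)

# Constructed sample lines (documentation addresses, example.* hosts); not from the thread's server.
SAMPLE = [
    '198.51.100.7 - - [14/Jul/2004:10:00:01 -0500] "GET http://stats.example.net/login.aspx?sid=x HTTP/1.0" 200 18000 "-" "-"',
    '198.51.100.7 - - [14/Jul/2004:10:00:02 -0500] "GET http://stats.example.net/login.aspx?sid=x HTTP/1.0" 200 18000 "-" "-"',
    '198.51.100.7 - - [31/Jul/2004:21:48:51 -0500] "GET http://stats.example.net/login.aspx?sid=x HTTP/1.0" 404 210 "-" "-"',
    '203.0.113.9 - - [31/Jul/2004:21:49:00 -0500] "CONNECT mail.example.org:25 HTTP/1.0" 405 - "-" "-"',
    '192.0.2.44 - - [31/Jul/2004:21:50:00 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [31/Jul/2004:21:50:05 -0500] "GET http://www.example.com/about HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

def proxy_attempts(lines, own_hosts):
    """Yield (client, status, bytes, target_host) for requests aimed at hosts we do not serve."""
    own = {h.lower() for h in own_hosts}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        if m["method"] == "CONNECT":
            host = m["target"].rsplit(":", 1)[0].lower()
        else:
            abs_m = ABSOLUTE_RE.match(m["target"])
            if not abs_m:
                continue  # ordinary origin-form request such as "GET /index.html"
            host = abs_m.group(1).lower()
        if host in own:
            continue  # absolute URI naming our own site is valid HTTP, not proxy use
        size = 0 if m["bytes"] == "-" else int(m["bytes"])
        yield m["client"], int(m["status"]), size, host

def summarize(lines, own_hosts):
    """Per client: attempts per status code, plus bytes sent on 2xx responses."""
    # A 2xx may be relayed content or the server's own default page; compare sizes to tell.
    report = defaultdict(lambda: {"statuses": Counter(), "bytes_2xx": 0})
    for client, status, size, _host in proxy_attempts(lines, own_hosts):
        entry = report[client]
        entry["statuses"][status] += 1
        if 200 <= status < 300:
            entry["bytes_2xx"] += size
    return dict(report)
```

Calling `summarize(open("access_log"), ["www.yourdomain.com"])` on a real log gives the same per-client view; once the forward proxy is closed, the counts for repeat clients should move from 2xx to 4xx, as the later posts in this thread describe.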