
CONNECT login.icq.com:443 ....

am I using the right RewriteEngine On?

         

tito

6:56 pm on Aug 6, 2004 (gmt 0)


Hello,

I have found several logs like this one:

www.mydomain.org 213.xx.xx.**** - - [05/Aug/2004:16:57:48 -0400] "CONNECT login.icq.com:443 HTTP/1.0" 302 212 "-" "-"

Are they trying to use my server as a proxy? Correct?
Is it right to add the following rewrite to make 'em stop?

RewriteCond %{THE_REQUEST} ^GET\ http [NC,OR]

Thanks in advance

jdMorgan

2:08 am on Aug 7, 2004 (gmt 0)


tito,

You can try this:


# BLOCK unsupported HTTP methods
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|OPTIONS|POST|PROPFIND|TRACE)$
RewriteRule .* - [F]

You may also want to block proxy attempts, if you see those in your logs:

# BLOCK attempts to use our server as a proxy, but allow absolute URIs (change example.com to your domain)
RewriteCond %{THE_REQUEST} ^(GET|HEAD|POST)./?http:// [NC]
RewriteCond %{THE_REQUEST} !^(GET|HEAD|POST)./?http://(www\.)?example\.com/
RewriteRule .* - [F]

Notice: Posting on this board changes the solid pipe characters to broken pipe "¦" characters. You must edit the code and change them back to solid pipes before attempting to use this code.

Jim
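As an added example, not code from this thread, here is a Python re-implementation of the two checks jdMorgan's rules express, run over constructed access-log lines in the layout tito posted; the domain example.org and the client IPs are assumed placeholders.

```python
import re
# Python equivalents of the two rule sets above, with solid pipes; mod_rewrite
# evaluates them against the request line (%{THE_REQUEST}).
ALLOWED_METHODS = re.compile(r"^(GET|HEAD|OPTIONS|POST|PROPFIND|TRACE)$")
# "." matches the space after the method; "/?" tolerates a stray slash, as in the rule.
ABSOLUTE_URI = re.compile(r"^(GET|HEAD|POST)./?http://", re.IGNORECASE)

def own_host_pattern(domain):
    """Pattern for the second RewriteCond: absolute URIs for our own host are allowed."""
    return re.compile(r"^(GET|HEAD|POST)./?http://(www\.)?" + re.escape(domain) + "/")

def classify_request(the_request, domain):
    """Return 'method' (blocked by rule set 1), 'proxy' (blocked by rule set 2) or 'ok'."""
    method = the_request.split(" ", 1)[0]
    # REQUEST_METHOD is case-sensitive, so no IGNORECASE here (no [NC] in the rule).
    if not ALLOWED_METHODS.match(method):
        return "method"
    # A CONNECT target is host:port, not http://, so only the method rule stops that line.
    if ABSOLUTE_URI.match(the_request) and not own_host_pattern(domain).match(the_request):
        return "proxy"
    return "ok"

# Log line layout from tito's post: vhost, client IP, ident, user, [time], "request", status ...
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def scan_log(lines, domain):
    """Return (client_ip, verdict, request_line) for every line the rules would block."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        verdict = classify_request(m.group("req"), domain)
        if verdict != "ok":
            hits.append((m.group("ip"), verdict, m.group("req")))
    return hits

# Constructed sample lines (example.org and the client IPs are placeholders, not from the thread).
SAMPLE_LOG = [
    'www.example.org 198.51.100.7 - - [05/Aug/2004:16:57:48 -0400] "CONNECT login.icq.com:443 HTTP/1.0" 302 212 "-" "-"',
    'www.example.org 198.51.100.8 - - [05/Aug/2004:17:01:02 -0400] "GET http://other.example.net/ HTTP/1.0" 200 512 "-" "-"',
    'www.example.org 203.0.113.5 - - [05/Aug/2004:17:02:10 -0400] "GET http://www.example.org/index.html HTTP/1.1" 200 1024 "-" "Mozilla"',
    'www.example.org 203.0.113.6 - - [05/Aug/2004:17:03:00 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla"',
]

if __name__ == "__main__":
    for ip, verdict, req in scan_log(SAMPLE_LOG, "example.org"):
        print(f"{ip}: blocked by {verdict} rule: {req}")
```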

tito

12:41 pm on Aug 7, 2004 (gmt 0)


Thank you Jim,

Please I have a question about:
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|OPTIONS|POST|PROPFIND|TRACE)$

I'm already using:
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST) [NC,OR]

Will it become redundant when placing the new one you suggest? Will I have to take it away?

Also, I see it ends with $.
If it's not the last rewrite in my list, I will have to add [NC,OR] after $,
correct?

I'm quite confused about the second example you provide;
# BLOCK attempts to use our server as a proxy, but allow absolute URIs (change example.com to your domain).
Can you please explain to me what allowing absolute URIs means? Is there a risk in allowing absolute URIs?

Anyway, could it be enough to place just the
# BLOCK unsupported HTTP methods
to stop that "CONNECT login.icq.com:443 HTTP/1.0"?!?

Do you think it would be better to place both of them?

Thank you so much for your explanations
tito

jdMorgan

6:28 pm on Aug 7, 2004 (gmt 0)


tito,

> Will it become redundant when placing the new one you suggest? Will I have to take it away?

You won't *have to* remove it, no. Use my code as an example to make yours work. Please see our charter for links to learn more about mod_rewrite.

> also I see it ends with $
> if it's not the last rewrite in my list I will have to add [NC,OR] after $, correct?

The "$" ends the pattern, because the pattern requires an exact match. You can use the code exactly as I posted it, independent of your other code. Or you can combine it with your code as you see fit. There is no need to use [NC], though, because REQUEST_METHOD is required to be uppercase by the HTTP protocol.

> I'm quite confused about the second example you provide;
> # BLOCK attempts to use our server as a proxy, but allow absolute URIs (change example.com to your domain).
> Can you please explain to me what allowing absolute URIs means? Is there a risk in allowing absolute URIs?

If you install that code, then

"GET [yourdomain.com"...] is allowed, and is called an absolute URI, but
"GET [someotherdomain.com"...] is not allowed, because it is an attempt to use your server as a proxy.

> Anyway, could it be enough to place just the
> # BLOCK unsupported HTTP methods
> to stop that "CONNECT login.icq.com:443 HTTP/1.0"?!?
>
> Do you think it would be better to place both of them?

I posted the code because I thought it might be useful to you. Use it if you need it.

Jim

tito

9:14 pm on Aug 7, 2004 (gmt 0)


Thanks again Jim,

Still learning mod_rewrite; thanks to your explanations and examples I'm learning more each day. Thanks so much, I've worked it out.

tito

lemat

1:18 pm on Aug 8, 2004 (gmt 0)


Tito, I believe the easiest way to prevent an open proxy is to not load any *proxy modules in httpd.conf, instead of doing complex mod_rewrite.

See the LoadModule directive in httpd.conf.

The saving in system resources is obvious.

tito

2:10 pm on Aug 8, 2004 (gmt 0)


Hi Lemat,

If the LoadModule directives in my httpd.conf are those listed at the top of it, where it says:

# Documentation for modules is in "/home/httpd/manual/mod" in HTML format.
LoadModule env_module modules/mod_env.so
LoadModule define_module modules/mod_define.so
...etc..

I cannot see any proxy module,
not even where it says: Extra modules...

so no proxy module should be loaded, correct?

Could the fact that I got a 302 response code (redirect) mean that the request was sent to an error page somehow?

Thanks for your suggestion
tito

lemat

2:21 pm on Aug 8, 2004 (gmt 0)


There is a way to check this out:

telnet your_server 80
CONNECT login.icq.com:443 HTTP/1.0 [press Enter twice]

- you shall see what your server did

tito

2:23 pm on Aug 8, 2004 (gmt 0)


It seems that there's no chance to telnet to my server, just ssh, but I haven't done ssh yet, I'm just a beginner. Any other way to check it?

lemat

2:34 pm on Aug 8, 2004 (gmt 0)


This telnet doesn't "telnet"; it connects to port 80, commonly used by web servers...

Type exactly as I said.
telnet 1.2.3.4 80
or
telnet www.your_domain.tld 80

where 1.2.3.4 is the IP of your server

tito

2:46 pm on Aug 8, 2004 (gmt 0)


Done via my Windows command prompt, but it says it's not possible to get a connection. Am I missing something?

tito

2:54 pm on Aug 8, 2004 (gmt 0)


Done it, I'm in, but I cannot type anything.. keep trying..

tito

3:09 pm on Aug 8, 2004 (gmt 0)


Done it.
Once connected via telnet I've typed:
CONNECT login.icq.com:443 HTTP/1.0
and pressed (enter) twice.

It shows:
400 bad request
invalid URI in request CONNECT login.icq.com:443 HTTP/1.0

What does it mean?

lemat

3:56 pm on Aug 8, 2004 (gmt 0)


Maybe you mistyped one of the chars?
Because this should give you a 302 message (as previously), not 400.
My Apache 2, configured without *proxy modules and with jdMorgan's mod_rewrite rules, gives 403 Forbidden.

tito

4:33 pm on Aug 8, 2004 (gmt 0)


In fact, sorry for the mess, I've just redone the telnet and it returns 302 now, showing like this:

302 Found
The document has moved here <a href="http://www.mydomain.com...

Does it mean that my proxy module is on?!?

jdMorgan

6:57 pm on Aug 9, 2004 (gmt 0)


It looks to me like you may have defined your index page as the target for an ErrorDocument 404 directive, and specified the full URL of that page, against the recommendations given in the ErrorDocument documentation. If this is the case, your server will never return a 404-Not Found response.

Jim

tito

10:35 pm on Aug 9, 2004 (gmt 0)


Hi Jim,

That's strange;
my 404 is working properly, I can see it in my logs and by calling files that do not exist on my server.

This is a snippet of my htaccess incl. the error404 directive:

ErrorDocument 401 /401.php
ErrorDocument 403 /403.php
ErrorDocument 404 /404.php
ErrorDocument 500 /500.php
SetEnvIf Request_URI "(403\.php|robots\.txt)$" allowit

Order Deny,Allow
deny from 128.****.xx.xx
etc...
Allow from env=allowit

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{THE_REQUEST} ^(GET|HEAD|POST)./?http:// [NC]
RewriteCond %{THE_REQUEST} !^(GET|HEAD|POST)./?http://(www\.)?mydomain\.tld/
RewriteRule !403\.php$ - [F]

Please, my 404.php page has a couple of <? include('file.txt')?> in it (in common with all other pages on the site); do you believe that this could cause the 302 response?

Thanks in advance for your help,

tito

jdMorgan

2:24 am on Aug 10, 2004 (gmt 0)


I don't think an include can cause such a problem, but check whether your script outputs response headers, and that they are correct in all cases.

Jim

tito

1:53 pm on Aug 10, 2004 (gmt 0)


Jim,
I've checked all my included scripts and they should be fine.
However, I've taken away all the included scripts from all my error pages and tried the telnet procedure once more; the same 302 is occurring.
Please, is there any other possible reason why this is happening?!?
Thanks in advance

tito