31 July 2012

If you are running a rewrite-based reverse proxy, here are a few things to check to lock it down.

First, ProxyRequests is not required. Although the proxy module has to be enabled in Apache so that it is available to the Rewrite module, you do not need to activate any of its features directly. Either set the configuration to "off" or simply delete it. This turns off the biggest potential security hole.

Second, disable unwanted submodules. Just remove mod_proxy_connect and mod_proxy_ftp if you do not need them. If you are just running a web server, then you only need mod_proxy and mod_proxy_http. Although the other modules should be benign if the configurations are solid, loading these modules adds unnecessary overhead and creates the potential for configuration-based security holes.

Third, add a LimitExcept tag to the base directory of your web site to restrict access to your site to GET POST HEAD. Some other HTTP headers that might be appropriate for some use cases include: OPTIONS PROPFIND REPORT PUT. This relates to proxying because request type restriction will reduce what a hacker can accomplish if they do manage to get a request to proxy through your server. This configuration would look something like this:

<Directory /var/www>
  <LimitExcept GET POST HEAD>
    Order deny,allow
    Deny from all

blog comments powered by Disqus