: Stopping Apache from serving requests for content from other sites When looking at my Apache2 access logs, I occasionally see GET requests asking my server for a page on a completely different
When looking at my Apache2 access logs, I occasionally see GET requests asking my server for a page on a completely different server. For example:
xx.xx.xx.xx - - [18/Jan/2012:07:12:10 -0500] "GET someotherserver.com/?sometimesmorestuff=likethis HTTP/1.1" 200 389 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
I remembered reading something about that in the past, but at the time I had never seen that on my server, so I didn't worry about it.
Now that I am seeing it on my server, I just ran a test and it appears that my site does indeed serve requests for content from other servers. This seems like a bad thing. So, two questions:
A) Is this something I should be worrying about?
B) How can I fix it?
I've tried a little Googling, but I don't even know what this sort of thing is called, and that makes it difficult.
More posts by @Rivera981
3 Comments
Sorted by latest first Latest Oldest Best
I found where I had read about this before. It was in the Apache FAQ:
This is usually the result of malicious clients trying to exploit open proxy servers to access a website without revealing their true location. If you find entries like this in your log, the first thing to do is to make sure you have properly configured your server not to proxy for unknown clients. If you don't need to provide a proxy server at all, you should simply assure that the ProxyRequests directive is not set on. If you do need to run a proxy server, then you must ensure that you secure your server properly so that only authorized clients can use it.
It goes on to explain that a 200 status returned in the log doesn't necessarily mean the proxy request was successful. I don't do any proxying on this server, so it turns out this was a false alarm for me. I wanted to get this out there for anyone else who came across this with similar concerns, though.
The reason I was able to get the third-party site to respond when I tested was because I was running the test from within a network that had a transparent proxy set up. The proxy intercepted and redirected the request; it never even got to my server. Oops! Testing from a more direct connection, I wasn't able to reproduce the 200 statuses I found in the log. When I tried the same GET statements, I got 400s. This irks me a little, but considering what I read in the FAQ, I've decided not to worry about it.
If you have enabled mod_proxy, consider controlling access to prevent use/abuse.
Unless someothersite.com's IP address refers to your server request relating to it should never go to your webserver. However, if their IP address matches your server then your Apache server may handle request from them, but it would be serving up your site, not that of someothersite.com.
If someothersite.com's IP address does match your server and putting someothersite.com into your browser takes you to their site then you've likely been hacked!.
So, step #1 , check the IP address against the IP address(es) of your server.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.