Package: apache2 Version: 2.4.56-1~deb11u2 Severity: normal X-Debbugs-Cc: raphael.d...@gmail.com
Dear Maintainer, # Context For years, one of my SSL vhost (on :443) has been relying mod_proxy_http to (safely) forward some requests to a backend, acting as a reverse-proxy. ``` # Something like ProxyRequests On SSLProxyEngine On RewriteRule ^/.well-known/.*$ "https://gitlab-foobar/%{REQUEST_URI}"; [P,L] ``` Recently, I experienced the need to (safely) forward some requests (from another server I own) through this server (because of some network/geoblocking problem). I enabled `mod_proxy_connect` and (safely) configured a forward-proxy on :80 (using `Require valid-user / ip`). ``` # Something like ProxyRequests On Authtype Basic AuthUserFile ... <RequireAll> p Require valid-user Require ip ... </RequireAll> ``` # Problem While this :80 forward-proxy vhost was secure, I later discovered, that the original (and almost forgotten) vhost had incidentally become an open-proxy (!) The reasons are: - mod_proxy_connect is globally enabled (affects all vhosts) - AllowCONNECT defaults to "443 563" (affects all vhosts) Said otherwise, *any* secure reverse-proxy vhost configuration become de-facto an insecure open forward-proxy vhost as soon as `mod_proxy_connect` is globally enabled. This sounds contrary to best security practices. (and I bet more than one server out there is silently affected by this insecure-by-default configuration) # Proposed solution I suggest to add a server-wide `AllowCONNECT 0` directive inside `/etc/apache2/mods-available/proxy_connect.load` (virtually disabling CONNECT) so that individual vhosts relying on it would have to explicitely set the value at the vhost-level. It would be more logical (scope/side-effects) and avoid holes being punched into existing (and otherwise secure) reverse-proxy vhosts. # Additional notes To cap it all my proxy-enabled vhost was the first one (lexicographically speaking) making it the destination of all the random internet SSL traffic scanners. Google-friendly list of typical log messages that should raise flags: > AH00898: Connect to remote machine blocked returned by... > AH00939: CONNECT: attempt to connect to ...:443 (...) failed > AH10221: proxy: CONNECT: client flushing failed (-102) > AH10221: proxy: CONNECT: origin flushing failed (-102) -- Package-specific info: -- System Information: Debian Release: bullseye Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 6.2.0-35-generic (SMP w/4 CPU threads; PREEMPT) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages apache2 depends on: ii apache2-bin 2.4.56-1~deb11u2 ii apache2-data 2.4.56-1~deb11u2 ii apache2-utils 2.4.56-1~deb11u2 Versions of packages apache2 recommends: pn ssl-cert <none> Versions of packages apache2 suggests: pn apache2-doc <none> pn apache2-suexec-pristine | apache2-suexec <none> Versions of packages apache2 is related to: ii apache2 2.4.56-1~deb11u2 ii apache2-bin 2.4.56-1~deb11u2 -- Configuration Files: /etc/apache2/apache2.conf changed [not included] -- no debconf information -- GPG id: 0xF41572CEBD4218F4
