How to protect my server from false proxy requests - apache

I have a website, call it
http://www.example.com
Users create a site for themselves and they each get a sub-domain automatically, so something like
http://user1.example.com
http://user2.example.com
In addition, some users can use their own domain name, by creating a A-Record in their domain name DNS setup to point to my server's IP address.
http://www.myownname.com > 10.10.10.10 (my site's server IP address)
In my Apache VirtualHost, it's set up as follows
<VirtualHost 10.10.10.10:80>
    ServerName www.example.com
    ServerAlias *
    UseCanonicalName Off
    DirectoryIndex index.php index.html
    DocumentRoot /home/public/
    <Directory /home/public/>
        Require all granted
        AllowOverride All
    </Directory>
</VirtualHost>
Line "ServerAlias *" is there so that I can catch any domain name pointing to my IP address and then handle it via my site.
Everything is working well up to this point.
Now, recently, I've checked my Apache access log and I see strange access such as follows
10.10.10.10 - - [25/Jul/2014:12:48:04 -0700] "GET http://www.some-random-site.com/ HTTP/1.0" 200 1456
It looks like someone is trying to use my server as a proxy to access other sites. I've read quite a few pages on how to block these proxy requests (e.g. https://wiki.apache.org/httpd/ProxyAbuse).
For example, if I use a "default virtual host" to block everything except what's specified in my virtual host, all the custom domain names pointing to my server's IP address don't work anymore. But it does block the proxy requests.
How can I block proxy requests, while still being able to allow custom domain names via A-Record (or CNAME) pointing to my IP address?
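The vhost below is an added example written for this page; it is not the asker's configuration and is not taken from the ProxyAbuse wiki page linked above. It keeps ServerAlias *, so every custom domain or subdomain pointed at 10.10.10.10 still lands in this vhost, and refuses only requests whose request line carries an absolute URI, the proxy-style form that produced the logged `GET http://www.some-random-site.com/`. The check looks at %{THE_REQUEST} because, by the time mod_rewrite runs, Apache has already reduced %{REQUEST_URI} for such a request to the path (/) and has taken the virtual-host name from the URI instead of the Host header. The host name and DocumentRoot are the question's; the module names, the rule and its placement are assumptions of this example.

```apache
# Added example, not the original config.
#
# A real forward proxy exists only when mod_proxy is loaded AND
# ProxyRequests is On.  With it Off, Apache answers "GET http://other-site/"
# from the local DocumentRoot, which is why the log line shows a 200 and
# 1456 bytes (the local index, not the remote site).  Say it explicitly, but
# guarded: ProxyRequests is a mod_proxy directive and is a startup error if
# that module is not loaded.
<IfModule mod_proxy.c>
    ProxyRequests Off
</IfModule>

<VirtualHost 10.10.10.10:80>
    ServerName www.example.com
    # Still catch every custom domain / subdomain pointed at this address.
    ServerAlias *
    UseCanonicalName Off
    DirectoryIndex index.php index.html
    DocumentRoot /home/public/

    RewriteEngine On
    # A proxy-style request line reads "GET http://host/path HTTP/1.0".
    # %{THE_REQUEST} is the raw request line; %{REQUEST_URI} would already
    # be "/" here.  Refuse any request whose target begins with a URI scheme
    # rather than "/".  [F] answers 403 and stops rewriting.
    RewriteCond %{THE_REQUEST} "^[A-Z]+\s+[a-zA-Z][a-zA-Z0-9+.-]*://"
    RewriteRule ^ - [F]

    <Directory /home/public/>
        Require all granted
        AllowOverride All
    </Directory>
</VirtualHost>
```

To check both behaviours after a reload: `curl -sI http://10.10.10.10/ -H 'Host: www.myownname.com'` should still return the site (the custom domain path is untouched), while `curl -sI -x http://10.10.10.10:80 http://www.some-random-site.com/` makes curl send the absolute-URI form and should now get 403. Both requests remain in the access log, so the scanners still show up, just with a 403 instead of a 200.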

Related

Configuring apache virtual hosts for one domain and multiple IP addresses

I have two apache servers at two separate IP addresses and one domain name (example.com) administered on godaddy.com. I want to use this single domain to point traffic to my two separate servers over ssl.
I set up the first server through a fios router with port forwarding and associated the public IP address with a DDNS address (xxx.ddns.net). My godaddy config looks like this:
Type Name Value
-------------------------------
A # 184.168.131.241
CNAME www xxx.ddns.net
Forwarding
------------
domain https://www.example.com
... and my apache ssl.conf file looks like this:
<VirtualHost *:443>
...
ServerName www.example.com
DocumentRoot /var/www/html
</VirtualHost>
This works fine, but now I want to set up a subdomain ('mysub') so that traffic directed to mysub.example.com gets handled by my second server available at a separate IP address (MY.2ND.IP.ADDR). I've tried all sorts of settings on godaddy and in the ssl.conf file, but to no avail. In particular, I've tried:
Setting godaddy so that traffic sent to subdomain mysub.example.com is redirected straight to MY.2ND.IP.ADDR; it's not at all clear to me if this is possible. (Godaddy has a form under the title "Forwarding" and a subsection therein called "subdomain", but setting that subdomain to mysub and setting "forward to" to http://MY.2ND.IP.ADDR doesn't seem to do anything; what is this 'subdomain' field in the godaddy interface supposed to be used for?)
Directing all traffic to the first server, and configuring apache to proxy traffic for the subdomain on to the second server.
I've tried adding another virtual host element to ssl.conf like so:
<VirtualHost MY.2ND.IP.ADDR:443>
    ServerName mysub.example.com
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    <Location />
        ProxyPass http://MY.2ND.IP.ADDR
        ProxyPassReverse http://MY.2ND.IP.ADDR
    </Location>
</VirtualHost>
... but this doesn't work either.
In summary, what is the best way to direct traffic for a subdomain to a separate IP address using godaddy and/or apache configurations?

How to make a Permanent redirect to an internal ip address with apache in Ubuntu?

I have the following problem: I want to redirect any request received on the external ip, let's say 192.168.x.x, to an internal ip of the same machine, let's say 172.0.0.1. The internal ip has been associated with a name by editing the hosts file as follows:
$/etc/hosts
...
...
172.0.0.1 www.example.com
I want to have www.example.com in the HTTP_HOST field of the request header regardless of which external ip was requested (in order to have Django sites working properly without adding the current ip to the site list every time). Consequently I tried the following:
$/etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:443>
    ServerName entrypoint.com
    Redirect 301 / https://www.example.com:443
</VirtualHost>
<VirtualHost 172.0.0.1:443>
    ServerName www.example.com
    ...
    ...
</VirtualHost>
When I try to connect from a browser the redirect seems to look for a web domain instead of the local ip. How can I fix this?
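The configuration below is an added example for the two questions above; it is not either asker's config. For the first question it shows the second option the asker listed, "direct all traffic to the first server and proxy the subdomain on": the posted attempt binds its vhost to MY.2ND.IP.ADDR:443 on a machine that does not own that address, so it can never be selected, whereas this one binds to *:443 on the first server, and DNS for mysub points at that first server. For the second question it replaces the Redirect 301 (which tells the browser to fetch a name only the server's /etc/hosts knows) with the same reverse-proxy mechanism, so the second hop stays on the server and the backend sees Host: www.example.com. Certificate paths, the ProxyPreserveHost choices and the log paths are assumptions of this example.

```apache
# Added example, not from either question.  /etc/ssl paths are assumed.

# A reverse proxy must never double as an open forward proxy.
<IfModule mod_proxy.c>
    ProxyRequests Off
</IfModule>

# --- First question: mysub.example.com served by the second server ----------
# DNS at GoDaddy for this vhost: "mysub" as an A record to the FIRST server's
# public IP (or a CNAME to xxx.ddns.net), because the first server terminates
# TLS and relays.  If MY.2ND.IP.ADDR is itself reachable from the Internet,
# the simpler fix is "A  mysub  MY.2ND.IP.ADDR" and no proxy at all.
<VirtualHost *:443>
    ServerName mysub.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/mysub.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/mysub.example.com.key

    # Pass the client's Host header through so the second server can pick
    # its own mysub.example.com vhost.
    ProxyPreserveHost On
    # Trailing slash on both sides and a path prefix instead of a <Location>
    # block, so /foo becomes http://MY.2ND.IP.ADDR/foo.
    ProxyPass        / http://MY.2ND.IP.ADDR/
    ProxyPassReverse / http://MY.2ND.IP.ADDR/
</VirtualHost>

# --- Second question: external IP -> internal www.example.com, no redirect --
# Apache resolves www.example.com through /etc/hosts (172.0.0.1), and with
# ProxyPreserveHost Off the backend receives "Host: www.example.com", which
# is what Django's ALLOWED_HOSTS check needs.  The browser only ever sees
# entrypoint.com.
<VirtualHost *:443>
    ServerName entrypoint.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/entrypoint.com.crt
    SSLCertificateKeyFile /etc/ssl/private/entrypoint.com.key

    # The internal vhost speaks TLS, so the proxy side must too.  If that
    # internal certificate is self-signed, "SSLProxyVerify none" plus
    # "SSLProxyCheckPeerName off" are needed as well; that is trusting the
    # hop by network position and is acceptable only for a same-machine
    # backend like this one.
    SSLProxyEngine On
    ProxyPreserveHost Off
    ProxyPass        / https://www.example.com/
    ProxyPassReverse / https://www.example.com/
</VirtualHost>
```

Both vhosts need mod_proxy and mod_proxy_http enabled (`a2enmod proxy proxy_http ssl` on Debian/Ubuntu); the second also needs mod_ssl's proxy support, which ships with mod_ssl. The posted `<Proxy *>` block with `Order deny,allow` / `Allow from all` is Apache 2.2 access syntax and fails on 2.4 unless mod_access_compat is loaded; it is not needed for ProxyPass'd content, so the example omits it.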

Disable access to default vhost and through server IP on Apache 2.4.10

I'm trying to get Apache 2.4.10 on Debian 8 "Jessie" up and running with multiple websites hosted on it. This might be an obvious and already answered question, but I've never had the need to set up a dedicated web host (usually I just drop in a WAMP server for development needs or pick up a web hosting service) and so far I have not had any luck finding an answer to my problem (I've found the complete opposite of what I'm trying to achieve). I need to get this working because apart from just hosting a couple of websites, there will be additional software set up, for which a regular web hosting service won't do.
Everything seems to be working as intended, but the only problem is that I can't seem to find an optimal configuration which wouldn't just block access to the default vhost with 403 - Forbidden. What I need is for Apache to ignore requests (not just return a 404 document but tell the browser there's nothing there) from anyone accessing the default vhost or accessing the server directly through its designated IP. The designated IP should be left for SSH access only (since I don't have any kind of physical access to this server).
Basically, the web server should be accessible from a web browser through "FQDN-1" and "FQDN-2" (each located in their individual directories) and access to any other web address on this server should be ignored (invoking browser "404 not found" instead of returning a server error document, which would indicate that something is there).
my current vhost files:
<VirtualHost *:80>
    ServerName FQDN-1
    ServerAlias www.FQDN-1
    ServerAdmin mail#FQDN-1
    DocumentRoot /var/www/FQDN-1/public_html
    ErrorLog /var/www/FQDN-1/logs/error.log
    CustomLog /var/www/FQDN-1/logs/access.log combined
</VirtualHost>
And
<VirtualHost *:80>
    ServerName FQDN-2
    ServerAlias www.FQDN-2
    ServerAdmin mail#FQDN-2
    DocumentRoot /var/www/FQDN-2/public_html
    ErrorLog /var/www/FQDN-2/logs/error.log
    CustomLog /var/www/FQDN-2/logs/access.log combined
</VirtualHost>
The default vhost has been disabled through "a2dissite 000-default"
iptables blocks everything except tcp ports 80 and 22 (SSH access is whitelisted in iptables to just a few specific IPs).
You can let the built-in name-based vhosting do the work for you. You can simply set up an additional (non-default / non-first-listed for *:80) virtualhost with
    ServerName your-ip
and put a simple rule like
    RewriteEngine On
    RewriteRule ^ - [F]
or
    Redirect 403 /

Why should we create an A DNS record for subdomains when we can do it via httpd.conf?

I want to implement a blog in my site with usernames as subdomains like user1.domain.com.
I've read a bunch of articles that said to create an A record like the one below in DNS:
*.domain.com A 127.0.0.1 ;OR you site ip address
Then use .htaccess to redirect requests from subdomains to a folder in your server.
But I find another approach that was said to just modify your httpd.conf as below:
<VirtualHost *:80>
    DocumentRoot /abs/path/to/webroot
    ServerName domainname.com
    ServerAlias *.domainname.com
    <Directory /abs/path/to/webroot>
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
Then retrieve subdomains via $_SERVER['HTTP_HOST'].
The question is: why should someone use .htaccess, put pressure on Apache and create an A DNS record when we can do a simple thing like ServerAlias *.domainname.com in httpd.conf?
I appreciate your views in advance.
You need to set up both a wildcard DNS record and configure a server alias in httpd.conf to enable the hosting of arbitrary subdomains. They configure completely different things.
Adding the wildcard DNS record is what allows clients to determine the IP address of your subdomain. With the wildcard DNS record above, user1.domain.com will resolve to 127.0.0.1. If you do not have a DNS record, user1.domain.com will not be a valid name and it will not resolve to an IP address. The DNS record is there to allow clients to connect to your server.
The httpd.conf configuration is local to your Apache server. It does not affect clients. The line ServerAlias *.domainname.com tells Apache to process the arbitrary subdomains. Clients will not be directly affected by this setting.
You have added the ServerAlias, but for your computer to find that user1.domain.com and user2.domain.com should resolve to 127.0.0.1, you need to update your HOSTS file or DNS Table.
The configuration you have written is for Apache Server for handling the redirects when the user requests the domain. So, essentially, either you need a Dynamic HOSTS file or a service which resolves *.domain.com to your 127.0.0.1 server.
Hope this helps. :)
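The configuration below is an added example, not the asker's httpd.conf and not part of either answer. It puts the two halves the answers describe side by side: the wildcard record that gets a browser to the server at all (shown as a BIND-style zone line in a comment, with a documentation-range IP), and the vhost that decides what to do with the name once the request arrives. It also adds the check a practitioner wants before routing on $_SERVER['HTTP_HOST']: the Host header is supplied by the client, and if this vhost is also the first one listed for *:80 it is the default, so requests for any other name, or with no Host header, land here too. The paths are the question's; the SUBDOMAIN variable name and the IP are assumptions of this example.

```apache
# Added example, not the original config.
#
# Half one, DNS (not Apache): a wildcard record in the domainname.com zone,
# BIND syntax, so that any label under the domain resolves to the server.
#     *.domainname.com.    IN  A   203.0.113.10
# Without it no browser ever reaches this vhost; with it, the vhost below
# decides what to do with the name it was asked for.
<VirtualHost *:80>
    ServerName domainname.com
    # Half two, Apache: accept any single label under the domain.
    ServerAlias *.domainname.com
    DocumentRoot /abs/path/to/webroot

    RewriteEngine On
    # Extract exactly one hostname label and hand it to the application as
    # the SUBDOMAIN environment variable, so PHP does not re-parse HTTP_HOST
    # itself.  %1 is the capture from the preceding RewriteCond.
    RewriteCond %{HTTP_HOST} ^([a-z0-9-]+)\.domainname\.com$ [NC]
    RewriteRule ^ - [E=SUBDOMAIN:%1]

    # Anything that is neither the bare domain nor one valid label under it
    # (a stranger's domain pointed at this IP, the raw IP, a missing Host
    # header) gets a 404.  A non-3xx R= code drops the substitution and
    # stops rewriting, so "-" is fine here.
    RewriteCond %{HTTP_HOST} !^(www\.)?domainname\.com$ [NC]
    RewriteCond %{ENV:SUBDOMAIN} ^$
    RewriteRule ^ - [R=404,L]

    <Directory /abs/path/to/webroot>
        AllowOverride All
        # Apache 2.4 form of "Order allow,deny / Allow from all".
        Require all granted
    </Directory>
</VirtualHost>
```

In PHP the label then arrives as $_SERVER['SUBDOMAIN'], or as $_SERVER['REDIRECT_SUBDOMAIN'] if a later .htaccess rule performs an internal redirect (for example a front-controller rewrite to index.php); an application should read whichever is set rather than trusting HTTP_HOST directly. On a port other than 80 the Host header can carry a :port suffix, which the pattern above would reject, so extend the regex before reusing it there.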

limit apache virtualhost to one domain?

I have configuration of virtualhost:
<VirtualHost xx.xx.xx.xxx>
    ServerName mydomain.com
    ServerAlias *
    ...
</VirtualHost>
everything works fine on mydomain.com. But the problem is that someone linked his domain to my application ip and I want to avoid this. Is it possible to limit virtualhost to only one domain "mydomain.com" - so if somebody will point his domain to my ip - virtualhost will not process this request?
There's no way to prevent it from answering HTTP requests on that IP address. I think that if you were to use name based hosting and then create a vhost with ServerName 1.2.3.4 then it'd be matched for requests to the IP address and you'd be able to add some special behaviour there (return an error code, redirect to the named site, etc).
If you just want to make sure that people don't bookmark the IP address and always see mydomain.com in the browser then have a look at the section on Canonical Hostnames in http://httpd.apache.org/docs/2.0/misc/rewriteguide.html
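The configuration below is an added example serving both this question and the "Disable access to default vhost and through server IP on Apache 2.4.10" question above; it is not from either question or answer. It builds the explicit catch-all both answers point at: Apache hands a request to the first vhost loaded for an address:port whenever no ServerName or ServerAlias matches the Host header, or the request carries no Host header at all, so a deliberately empty first vhost absorbs the raw IP, any stranger's domain pointed at the server, and blind scanners, while the real sites list only their own names and drop ServerAlias *. The file name, log paths and DocumentRoots are assumptions of this example.

```apache
# Added example, not the original config.  On Debian, put the catch-all in
# /etc/apache2/sites-available/000-catchall.conf (and a2ensite it): files
# under sites-enabled load in name order, and the FIRST vhost for *:80 is
# the default.

<VirtualHost *:80>
    # No client will ever ask for this name (.invalid is reserved), so this
    # vhost is only ever reached as the default: the bare IP, a domain that
    # someone else pointed at this server, or an HTTP/1.0 request with no
    # Host header.  The Apache 2.4.10 question wanted "nothing there"; a
    # server that accepts the TCP connection is always detectable, so a
    # bodyless 404 is the closest configuration can get.
    ServerName catchall.invalid
    # Redirect with a non-3xx status and no URL answers that status for the
    # whole path space, so nothing under DocumentRoot is ever served.
    # Use "Redirect 403 /" instead if Forbidden is preferred.
    DocumentRoot /var/www/html
    Redirect 404 /
    ErrorLog /var/log/apache2/catchall-error.log
    CustomLog /var/log/apache2/catchall-access.log combined
</VirtualHost>

# Real sites: only their own names, no "ServerAlias *".  A request for a
# name not listed here falls through to the catch-all above.
<VirtualHost *:80>
    ServerName FQDN-1
    ServerAlias www.FQDN-1
    DocumentRoot /var/www/FQDN-1/public_html
</VirtualHost>

<VirtualHost *:80>
    ServerName mydomain.com
    ServerAlias www.mydomain.com
    DocumentRoot /var/www/mydomain.com/public_html
</VirtualHost>
```

Verify the ordering with `apachectl -S`, which prints the vhost list per address:port with the default marked; then `curl -sI http://xx.xx.xx.xxx/` (raw IP) and `curl -sI http://xx.xx.xx.xxx/ -H 'Host: someone-elses-domain.example'` should both return 404, while `curl -sI http://xx.xx.xx.xxx/ -H 'Host: mydomain.com'` reaches the real site. The separate catch-all log also gives a clean record of who is pointing what at the server.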