Proxying with Apache2 on Ubuntu

Filed under: tinkering,ubuntu,webcam — jaydublu @ 4:01 pm

Further to earlier problems with using Apache2 on Ubuntu to proxy web requests to devices inside my local network, I think I’ve now sussed it.

Specifically, I’m trying to get Apache to enable external access to a webcam inside my network, where for some reason I can’t enable access to it directly using my router.

I’m now relatively confident that the appropriate way to do it is to enable mod_proxy and mod_proxy_http with sudo a2enmod proxy_http; this then allows use of the ProxyPass directive within a vhost, for example:

ProxyPass /webcam

A little knowledge is a dangerous thing

Filed under: tinkering,trundle,ubuntu — jaydublu @ 1:32 pm

I like to think I know a little bit about most things surrounding the Internet, and whilst not claiming to be an expert I like to think I’m at least competent in most things I turn my hand to.

But every now and then I get caught out, and reminded how dangerous it can be to tinker with things you don’t fully understand – there are some people out there with far too much time on their hands.

As part of my Trundle project, I attempted to make a webserver running on the beast’s eventual operating system available to the public Internet – not for public consumption mind, but so I can see it when I’m out and about. Now I didn’t want to put the whole thing on a public IP address, just a little bit of it – and apart from anything else I’ve already got an externally available webserver on my Internet connection.

So my idea was to use mod_rewrite to proxy a set of urls to the internal server’s private IP address. I’m sure it’s something I’ve done before in other Apache instances, and it sounded feasible, but for once Ubuntu fought back a bit. Still, I felt I’d prevailed.

Now it turns out I’d opened up a vulnerability to someone, somewhere, to do something with my network. It was cunningly disguised in that the traffic wasn’t enough to be hugely obvious, but I was playing with awstats and got curious about some odd traffic.

It turns out I’d unintentionally configured my webserver to allow anyone to use it to proxy requests to anywhere else. Short of cloaking the eventual source (or destination?) of the traffic I can’t see what was gained – the requests seem mostly to have been for banners or clickthrus in flash game sites. I wasn’t hosting the files so nothing was gained in terms of bandwidth, and it doesn’t seem like a ddos attack.

Anyway, I’ve disabled the proxying functionality now, and checking the logs, although I’m still getting the requests, they now get a 403 response. I hope they’ll die out eventually, or will I have to get my fixed IP address changed, do you think?
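The log check described in this post can be scripted; the following is an added example, not part of the original post. It assumes Apache's common/combined access log format and that the site's own hostname is www.example.com; the sample log lines are constructed. Forward-proxy use shows up as a request line carrying a full URL for someone else's host (or a CONNECT), rather than a local path.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache common/combined log format: client ident user [time] "request" status ...
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def foreign_target(method, target, own_hosts):
    """Return the outside host a request asked us to reach, else None."""
    if method == "CONNECT":                  # tunnel request: target is host:port
        return target.rsplit(":", 1)[0].lower()
    if target.startswith(("/", "*")):        # ordinary local path such as /webcam
        return None
    try:
        host = (urlsplit(target).hostname or "").lower()
    except ValueError:                       # malformed authority: flag the raw target
        return target
    # An absolute URL naming our own site is legal HTTP/1.1, not proxy use.
    return host if host and host not in own_hosts else None

def scan(lines, own_hosts):
    """Count forward-proxy attempts per client, split by how Apache answered."""
    own = {h.lower() for h in own_hosts}
    answered, refused = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or foreign_target(m["method"], m["target"], own) is None:
            continue
        # 403 is the refusal seen once proxying is disabled. Any other status
        # needs review: a relayed upstream answer, or local content served instead.
        (refused if m["status"] == "403" else answered)[m["client"]] += 1
    return answered, refused

# Constructed sample lines (documentation addresses and example domains).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2000:13:01:02 +0000] "GET http://ads.example.net/banner.swf HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2000:13:01:09 +0000] "GET http://ads.example.net/click?id=1 HTTP/1.1" 302 0',
    '198.51.100.23 - - [02/Jan/2000:09:15:44 +0000] "GET http://ads.example.net/banner.swf HTTP/1.1" 403 210',
    '198.51.100.23 - - [02/Jan/2000:09:15:50 +0000] "CONNECT mail.example.org:25 HTTP/1.0" 403 210',
    '192.0.2.10 - - [02/Jan/2000:09:16:00 +0000] "GET /webcam HTTP/1.1" 200 900',
    '192.0.2.10 - - [02/Jan/2000:09:16:05 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    answered, refused = scan(SAMPLE, {"www.example.com"})
    print("answered (review these):", dict(answered))
    print("refused with 403:", dict(refused))
```

Run it over the real access log by passing an open file object as `lines`; clients that appear only under `refused` are the leftover requests that are now being turned away.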

Ubuntu Apache2 mod_rewrite proxy rules

Filed under: tinkering — jaydublu @ 5:45 pm

I had a big problem getting an Ubuntu Feisty Fawn Apache2 instance to use proxying rewrite rules.

Firstly, mod_rewrite is not enabled by default, which is probably no bad thing. So ‘sudo a2enmod rewrite’ fixes that.

Now I can use a rule to allow my main server to proxy requests through to a smaller server: ‘RewriteRule ^(.*)$$1 [P]’ but no – I’m getting a ‘403 Forbidden’ error. Checking the Apache error log I find ‘attempt to make remote request from mod_rewrite without proxy enabled’

So proxying needs enabling. If I do ‘sudo a2enmod proxy’ the error changes to ‘client denied by server configuration’ so I try changing ProxyRequests to on in /etc/apache2/mods-available/proxy.conf, and the very insecure ‘Allow from all’ in the proxy block.

Now I’m getting a warning ‘proxy: No protocol handler was valid for the URL /. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.’ in the error log – so I try ‘sudo ln -s ../mods-available/proxy_http.load /etc/apache2/mods-enabled/proxy_http.load’ to manually add the http sub_module and bingo!

Now to tidy up the mess – other than the manually created symbolic link, all I’ve done is tweak /etc/apache2/mods-available/proxy.conf thusly:

<IfModule mod_proxy.c>
#turning ProxyRequests on and allowing proxying from all may allow
#spammers to use your proxy to send email.

ProxyRequests On

# <Proxy *>
# AddDefaultCharset off
# Order deny,allow
# Deny from all
# #Allow from 192.168.1.
# </Proxy>

# Active proxy block: with "Allow from all", any client may use the proxy.
<Proxy *>
Order deny,allow
Allow from all
</Proxy>

# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block

ProxyVia On
</IfModule>

That seems to be working, although I’m sure there must have been a tidier way.

Postscript – WARNING: This has just had unintended consequences – I seem to have enabled some grebs to use my network to proxy requests. Other than cloaking the original destination of the traffic (and it seems to be mostly banner ads and clickthru redirects, from a few IP addresses) I don’t see what has been gained, and if I hadn’t been closely examining logs and traffic recently it could have slipped past my attention.

So with hindsight – think very carefully about enabling proxy-http modules – I don’t know exact details of what went on, but I now regret doing it!