Hello,
Apache has released a vulnerability report with regards to the Proxy header.
http://www.gossamer-threads.com/lists/apache/dev/460590
https://httpoxy.org/
In short, we just need to filter out the Proxy header from all requests, as it should only be used internally.
Testing:
I've created this script to help you check if you're affected (which everyone most likely is):
http://files1.directadmin.com/services/all/test_proxy_header.php
Download it to any website/domain, and run it through your browser.
It will give you a good or bad output.
It makes a call to itself via curl (so make sure your domain works from within your server), and passes the "Proxy" header in the curl call.
The output of that internal call will return "good" or "bad" depending on whether the internal call received the Proxy header.
How to fix:
The fix varies per setup, but custombuild can do this for you.
Type:
Code:
cd /usr/local/directadmin/custombuild
./build update
./build version
./build rewrite_confs
so the configs are updated that filter out the Proxy header.
Note that the change only exists on files1, so the other mirrors may take a few hours before the update.
Ensure that in the "./build version" output, you see "rev 1564" or newer.
rev 1563 does not have the changes in the configs.
If not, you may want to do the fix manually, unless you want to wait for the mirrors to sync up.
If you have CustomBuild 1.1/1.2, manually check the files below to ensure the changes are added, and test with the above testing script.
Verify by running the testing php script again to ensure it says "Good!" in the output.
------------
Manual Fix:
However, if you just want to do this surgically, these are the changes:
Apache
Edit
Code:
/etc/httpd/conf/extra/httpd-default.conf
and add:
Code:
<IfModule mod_headers.c>
RequestHeader unset Proxy early
</IfModule>
to the bottom, and restart httpd, then check again with the above test script.
Nginx & Nginx/proxy
Edit
Code:
/etc/nginx/nginx_limits.conf
and add this code to the bottom
Code:
fastcgi_param HTTP_PROXY "";
and restart nginx, then check again with the above test script.
John
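For readers who want to see why stripping one header matters, here is an offline model of the mechanism and of both fixes above. It is an added illustration, not John's code and not the DirectAdmin test script; the function names, the sample request and its header value are assumptions made for the example.

```python
"""Offline model of httpoxy: a CGI/FastCGI gateway copies client request headers
into HTTP_* environment variables (RFC 3875), so a client-supplied "Proxy" header
becomes HTTP_PROXY, which many HTTP client libraries read as their outbound proxy.
Function and variable names here are assumed for illustration."""

# Constructed sample request: an ordinary request carrying the unwanted header.
CONSTRUCTED_REQUEST = [
    ("Host", "example.test"),
    ("User-Agent", "curl/7.47.0"),
    ("Proxy", "client-supplied-value"),
]

def cgi_env_from_headers(headers):
    """RFC 3875 header-to-environment mapping: 'Proxy' -> HTTP_PROXY,
    'X-Forwarded-For' -> HTTP_X_FORWARDED_FOR."""
    env = {}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def unset_proxy_header(headers):
    """What `RequestHeader unset Proxy early` does in Apache: drop the header
    before it reaches the application, matching the name case-insensitively."""
    return [(name, value) for name, value in headers if name.lower() != "proxy"]

def blank_http_proxy(env):
    """What `fastcgi_param HTTP_PROXY "";` does in nginx: whatever the client
    sent, the FastCGI backend sees an empty HTTP_PROXY."""
    env = dict(env)
    env["HTTP_PROXY"] = ""
    return env

def is_affected(env):
    """Server-side check equivalent to the test script's verdict: 'bad' when a
    non-empty HTTP_PROXY reached the application, 'good' otherwise."""
    return bool(env.get("HTTP_PROXY"))

def run_checks(headers=CONSTRUCTED_REQUEST):
    """Return the verdict for the unpatched gateway and for each fix."""
    return {
        "unpatched": "bad" if is_affected(cgi_env_from_headers(headers)) else "good",
        "apache_unset": "bad" if is_affected(cgi_env_from_headers(unset_proxy_header(headers))) else "good",
        "nginx_blank": "bad" if is_affected(blank_http_proxy(cgi_env_from_headers(headers))) else "good",
    }
```

Calling `run_checks()` returns "bad" for the unpatched gateway and "good" for both fixes, which is the same distinction the test script reports after an internal curl call.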