
I need some help with securing my test XAMPP server, as so far nothing I have tried seems to work. I am running Apache 2.4.7 on a Windows 7 machine.

The setup is the following:

I am redirecting all traffic coming in on my server IP, port 80, to a Java application running on localhost:5000.

The code doing all this in the httpd-vhosts.conf file is the following:

<VirtualHost *:80> 
  ProxyPreserveHost On
  ProxyRequests Off
  ServerName demo.website.com
  ServerAlias website.com
  ProxyPass / http://localhost:5000/
  ProxyPassReverse / http://localhost:5000/
  <Proxy *>
        Order deny,allow
        Allow from all
  </Proxy>
</VirtualHost>

The question is, how do I deny traffic from specific external IP address?

It seems I cannot use .htaccess because requests on port 80 are redirected to a Java application, not an XAMPP folder containing web content.

Also, the code below does not do the job either:

<Proxy *>
    order allow,deny
    deny from 193.37.XXX.XX
    allow from all
</Proxy>

What other options are there?

Any suggestions?

EDIT:

After the responses I got, it looks like I have been doing the reverse proxy entirely wrong, opening exploitable gaps in the server. Based on the answer provided, I have modified my initial code.

Since I am using similar insecure code for port 443 and I cannot get Apache to start after the new modifications, I have posted a new question HERE.

user3132858
  • You should remove the entire `<Proxy *>` section from your configuration entirely. Do not put this in your configuration, no matter what else you read on the Internet. It configures a _forward_ proxy and in this case opens your server to abuse, and it is not necessary to configure a _reverse_ proxy, which is what you want. – Michael Hampton Sep 17 '19 at 22:06
  • Hi Michael, thank you for your answer! I understand what you are saying and I had the same concerns as well. How do you suggest that I handle this? I do need to have the traffic coming in on my external IP address go to localhost port 5000. – user3132858 Sep 18 '19 at 06:02
  • Your edit would really be a new question since it is a different problem. Generally, when Apache can't start you can find the reason for it in the log files. – Gerald Schneider Sep 18 '19 at 09:14
  • A blind guess would be that the module `mod_proxy_wstunnel` is not loaded. – Gerald Schneider Sep 18 '19 at 09:16
  • Thank you Gerald, I will post the EDIT as a new question. The `mod_proxy_wstunnel` module is enabled and the old and insecure code works just fine. The issue is with the vhosts file, I guess. – user3132858 Sep 18 '19 at 09:32

1 Answer


As @MichaelHampton already commented: remove the following settings immediately:

<Proxy *>
    order allow,deny
    deny from 193.37.XXX.XX
    allow from all
</Proxy> 

Those are not needed for a reverse proxy but are instead used to configure a forward proxy, open to almost anybody, which will allow your server to be abused. (Fortunately you still also used ProxyRequests off.)

BTW when you do need a forward proxy, please don't use Apache httpd but a more specific product.


It seems I cannot use .htaccess ...

IMHO you're already heading in the wrong direction with your intention to create .htaccess files, which is my pet peeve; quoted from the manual on .htaccess files:

You should avoid using .htaccess files completely if you have access to httpd main server config file. Using .htaccess files slows down your Apache http server. Any directive that you can include in a .htaccess file is better set in a Directory block in the main Apache configuration file(s), as it will have the same effect with better performance) and combine that with

But the reason that in this case a .htaccess won't work is that they apply settings to resources on the local file system, from a directory, and with a reverse proxy the content is retrieved from elsewhere by Apache httpd.


The solution to your actual problem, i.e. how to apply additional access controls and IP-address white/blacklisting on a reverse proxy URL: you place the ProxyPass directives and additional directives in a <Location> block in your configuration (which, since Apache 2.4, also happens to be the configuration syntax that offers the best performance) and add the IP-address restriction with a Require directive to that location:

<VirtualHost *:80> 
  ServerName demo.website.com
  ServerAlias website.com

  <Location />
    <RequireAll>
      # Block IP-addresses from the 193.37.0.0/16 and 10.9.8.0/24 networks 
      Require not ip 193.37 10.9.8
      # Allow all other IP's
      Require all granted
    </RequireAll> 
    ProxyPass http://localhost:5000/
    ProxyPassReverse http://localhost:5000/
  </Location>

</VirtualHost> 
HBruijn
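The answer's warning about the `<Proxy *>` block concerns a forward proxy open to anybody. As an added example (not part of the answer and not Apache code), here is a small Python check that scans access log lines in the combined format for requests that try to use the server as a forward proxy: absolute URIs in the request line or CONNECT requests. The log lines and the function names are constructed for this illustration.

```python
import re

# Combined/common log format: client ip, identd, user, [timestamp], "request", status ...
# (constructed regex for this example, covers the fields used below)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def is_proxy_attempt(request_line: str) -> bool:
    """True when the request line asks the server to act as a forward proxy.

    Browsers talking to an origin server send a path ("GET / HTTP/1.1").
    A client that expects an open proxy sends an absolute URI
    ("GET http://other-host/ HTTP/1.1") or a CONNECT request for a tunnel.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return False
    method, target = parts[0], parts[1]
    if method.upper() == "CONNECT":
        return True
    return re.match(r"^[a-z][a-z0-9+.-]*://", target, re.IGNORECASE) is not None


def proxy_attempts(log_lines):
    """Return (client_ip, request_line, status) for each forward-proxy attempt.

    With ProxyRequests Off these requests are not forwarded; a 2xx status
    on such a line is the one worth investigating.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_proxy_attempt(m["req"]):
            hits.append((m["ip"], m["req"], int(m["status"])))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.9 - - [18/Sep/2019:09:14:00 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [18/Sep/2019:09:14:05 +0200] "GET http://example.net/ HTTP/1.1" 404 221 "-" "curl/7.64.0"',
    '198.51.100.4 - - [18/Sep/2019:09:14:06 +0200] "CONNECT example.net:443 HTTP/1.1" 405 0 "-" "curl/7.64.0"',
    '203.0.113.9 - - [18/Sep/2019:09:14:10 +0200] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, req, status in proxy_attempts(SAMPLE_LOG):
        print(f"{ip} {status} {req}")
```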
  • HBruijn, thank you for the time taken to explain everything in detail, I do appreciate your effort! I tried modifying my vhosts file as you suggest but I get the error "Error: Apache shutdown unexpectedly". Apache starts fine after I remove `Require not ip 193.37 10.9.8`. Any idea why this happens? Also, I edited the initial question to reflect the virtual host configuration for port 443, may I ask you to have a look? Thank you in advance! – user3132858 Sep 18 '19 at 09:14
  • You typically get more of an error in the log files indicating what the problem is; does apachectl configtest return a valid config? – HBruijn Sep 18 '19 at 09:34
  • Ah I see what the problem is, comments in apache are on a line of their own and when you copy [my original sample config](https://serverfault.com/revisions/984646/1) verbatim with the `Require settings #comment` it breaks, edited accordingly – HBruijn Sep 18 '19 at 09:38
  • Yes, that is correct. I removed the comments but apache still didn't start. So running `apachectl configtest` I get this: `negative Require directive has no effect in directive` – user3132858 Sep 18 '19 at 09:44
  • Your last edit works! Thank you for the support! May I ask you to check my second question under EDIT? I have similar problems for port 443. Again I really appreciate the time you take to help me with this! – user3132858 Sep 18 '19 at 09:52
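To make the behaviour of the answer's `<RequireAll>` block and the configtest complaint in the comments concrete, here is an added Python model of how Apache 2.4 evaluates Require lines (an illustration written for this page, not Apache's code or HBruijn's). It follows the documented mod_authz_core rules: `Require ip` accepts full addresses, CIDR networks and partial dotted prefixes such as `193.37`; inside `<RequireAll>` a negated line that matches denies and one that does not match is neutral, so at least one positive line such as `Require all granted` is needed; in the implicit top-level `<RequireAny>` a negated line is rejected outright. Function names are my own.

```python
import ipaddress

# Constructed model of Apache 2.4 Require evaluation (mod_authz_core/mod_authz_host).
# IPv4 only for the partial-prefix form; not Apache's own implementation.

def ip_matches(client: str, pattern: str) -> bool:
    """'Require ip' argument matching: CIDR, partial dotted prefix, or full address."""
    addr = ipaddress.ip_address(client)
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    prefix = pattern.split(".")
    if len(prefix) < 4:                       # e.g. "193.37" == 193.37.0.0/16
        return client.split(".")[:len(prefix)] == prefix
    return addr == ipaddress.ip_address(pattern)


def evaluate_line(client: str, line: str) -> str:
    """Return 'granted', 'denied' or 'neutral' for one Require line.

    A negated line ('Require not ...') can only deny or stay neutral,
    which is why it can never grant access on its own."""
    parts = line.split()
    negated = parts[1] == "not"
    args = parts[2:] if negated else parts[1:]
    if args[0] == "all":
        matched = args[1] == "granted"
    elif args[0] == "ip":
        matched = any(ip_matches(client, p) for p in args[1:])
    else:
        raise ValueError("unsupported Require provider: " + args[0])
    if negated:
        return "denied" if matched else "neutral"
    return "granted" if matched else "denied"


def access_allowed(client: str, lines, container: str = "RequireAll") -> bool:
    """RequireAll: granted iff no line is denied and at least one is granted.
    RequireAny (the implicit container at the top level): granted iff any line
    is granted; 'Require not' there is a configuration error, as configtest reports."""
    if container == "RequireAny" and any(l.split()[1] == "not" for l in lines):
        raise ValueError("negative Require directive has no effect in <RequireAny>")
    results = [evaluate_line(client, l) for l in lines]
    if container == "RequireAny":
        return "granted" in results
    return "denied" not in results and "granted" in results


# The block from the answer, with the comments on their own lines stripped.
ANSWER_BLOCK = ["Require not ip 193.37 10.9.8", "Require all granted"]
```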