[Thread Prev][Thread Next][Index]

LAS proxy security issue

Greetings LAS installers,

We recently had someone using our web server to send out zillions of spam email messages.  They were able to do this because we had 'forward proxying' turned on in Apache.  This enabling of forward proxying was actually recommended by us in an old las_users email:
This turns out to be a major security no-no and is not at all required for LAS.

For LAS it is often useful to use 'reverse proxying' to let users use nice URLS like:
instead of ugly ones like
If you have the Apache proxy module turned on you can accomplish this with following lines in your httpd.conf file:

    ProxyPass /WEATHER/ http://localhost:8080/WEATHER/
    ProxyPassReverse /WEATHER/ http://localhost:8080/WEATHER/

    RedirectPermanent /weather http://your.domain.name/WEATHER/servlets/dataset

But you don't need to enable forward proxying for this to work.  The following excerpts from our httpd.conf file show what is required to do this kind of proxying:
LoadModule proxy_module       /usr/lib/apache/libproxy.so
AddModule mod_proxy.c
# ProxyRequests On
This last line is the important one -- don't turn on ProxyRequests!

Here is a little clarification from the Apache documentation:
The forward proxy is activated using the ProxyRequests directive. Because forward proxys allow clients to access arbitrary sites through your server and to hide their true origin, it is essential that you secure your server so that only authorized clients can access the proxy before activating a forward proxy.

reverse proxy, by contrast, appears to the client just like an ordinary web server. No special configuration on the client is necessary. The client makes ordinary requests for content in the name-space of the reverse proxy. The reverse proxy then decides where to send those requests, and returns the content as if it was itself the origin.

If you turn on ProxyRequests and " Allow from all" your are basically saying that anyone who wants to can do whatever mischief they want and pin the blame on your computer.  So please have a look at your httpd.conf file and comment out the ProxyRequets line.  We don't want LAS to get blamed for unnecessary security loopholes..

-- Jon

[Thread Prev][Thread Next][Index]

Dept of Commerce / NOAA / OAR / PMEL / TMAP
Contact Us | Privacy Policy | Disclaimer | Accessibility Statement