Score:0

Apache server not responding due to HTTP CONNECT requests: how to block them?


Our Apache server is getting this kind of traffic. Because of that, the server is not responding. Please suggest how we can handle this issue.

78.135.85.252 - - [07/May/2023:16:08:33 +0000] "\x16\x03\x01" 400 492 "-" "-"
3.88.173.121 - - [07/May/2023:16:08:34 +0000] "CONNECT 92.53.96.128:443 HTTP/1.1" 200 148 "-" "-"
3.88.173.121 - - [07/May/2023:16:08:34 +0000] "\x16\x03\x01\x02" 400 492 "-" "-"
78.135.85.252 - - [07/May/2023:16:08:36 +0000] "CONNECT m.113kp.com:443 HTTP/1.1" 200 204 "-" "-"
78.135.85.252 - - [07/May/2023:16:08:36 +0000] "\x16\x03\x01" 400 492 "-" "-"
54.209.41.100 - - [07/May/2023:16:08:36 +0000] "CONNECT 185.215.4.15:443 HTTP/1.1" 200 148 "-" "-"
54.209.41.100 - - [07/May/2023:16:08:37 +0000] "\x16\x03\x01\x02" 400 492 "-" "-"
66.36.234.118 - - [07/May/2023:16:08:41 +0000] "CONNECT httpbin.org:443 HTTP/1.1" 200 167 "-" "-"
3.88.173.121 - - [07/May/2023:16:08:41 +0000] "CONNECT 92.53.96.128:443 HTTP/1.1" 200 148 "-" "-"
3.88.173.121 - - [07/May/2023:16:08:42 +0000] "\x16\x03\x01\x02" 400 492 "-" "-"
163.172.40.251 - - [07/May/2023:16:08:46 +0000] "GET http://example.com/ HTTP/1.1" 200 148 "-" "Go-http-client/1.1"
78.135.85.252 - - [07/May/2023:16:09:02 +0000] "CONNECT m.113kp.com:443 HTTP/1.1" 200 204 "-" "-"
78.135.85.252 - - [07/May/2023:16:09:02 +0000] "\x16\x03\x01" 400 492 "-" "-"
13.86.22.96 - - [07/May/2023:16:09:06 +0000] "CONNECT api.ipify.org:443 HTTP/1.1" 200 148 "-" "Go-http-client/1.1"
13.86.22.96 - - [07/May/2023:16:09:06 +0000] "\x16\x03\x01\x01\x12\x01" 400 492 "-" "-"
78.135.85.252 - - [07/May/2023:16:09:23 +0000] "CONNECT m.113kp.com:443 HTTP/1.1" 200 204 "-" "-"
78.135.85.252 - - [07/May/2023:16:09:23 +0000] "\x16\x03\x01" 400 492 "-" "-"
5.255.110.95 - - [07/May/2023:16:09:32 +0000] "GET http://azenv.net/ HTTP/1.1" 200 148 "-" "Go-http-client/1.1"
91.151.89.197 - - [07/May/2023:16:09:35 +0000] "CONNECT m.113kp.com:443 HTTP/1.1" 200 204 "-" "-"
91.151.89.197 - - [07/May/2023:16:09:35 +0000] "\x16\x03\x01" 400 492 "-" "-"
54.209.41.100 - - [07/May/2023:16:09:41 +0000] "CONNECT 185.215.4.15:443 HTTP/1.1" 200 148 "-" "-"
54.209.41.100 - - [07/May/2023:16:09:41 +0000] "\x16\x03\x01\x02" 400 492 "-" "-"
185.225.113.83 - - [07/May/2023:16:09:47 +0000] "CONNECT api.ipify.org:443 HTTP/1.1" 200 148 "-" "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"
185.225.113.83 - - [07/May/2023:16:09:47 +0000] "\x16\x03\x01\x02" 400 492 "-" "-"
54.209.41.100 - - [07/May/2023:16:09:59 +0000] "CONNECT 185.215.4.15:443 HTTP/1.1" 200 148 "-" "-"
54.209.41.100 - - [07/May/2023:16:10:01 +0000] "\x16\x03\x01\x02" 400 492 "-" "-"
67.205.154.166 - - [07/May/2023:16:10:04 +0000] "CONNECT ext2-sea1.steamserver.net:27019 HTTP/1.1" 200 148 "-" "Valve/Steam HTTP Client 1.0"
67.205.154.166 - - [07/May/2023:16:10:04 +0000] "\x16\x03\x01\x01\xa0\x01" 400 492 "-" "-"
5.255.110.95 - - [07/May/2023:16:10:17 +0000] "GET http://azenv.net/ HTTP/1.1" 200 148 "-" "Go-http-client/1.1"
45.12.112.162 - - [07/May/2023:16:10:18 +0000] "GET http://azenv.net/ HTTP/1.1" 200 167 "-" "Go-http-client/1.1"
3.88.173.121 - - [07/May/2023:16:10:20 +0000] "CONNECT 92.53.96.128:443 HTTP/1.1" 200 148 "-" "-"
3.88.173.121 - - [07/May/2023:16:10:21 +0000] "\x16\x03\x01\x02" 400 492 "-" "-"
162.158.62.204 - - [07/May/2023:16:10:24 +0000] "GET /privacypolicy.html HTTP/1.1" 404 501 "-" "PlayStore-Google"
54.209.41.100 - - [07/May/2023:16:10:25 +0000] "CONNECT 185.215.4.15:443 HTTP/1.1" 200 148 "-" "-"
54.209.41.100 - - [07/May/2023:16:10:26 +0000] "\x16\x03\x01\x02" 400 492 "-" "-"
3.88.173.121 - - [07/May/2023:16:10:36 +0000] "CONNECT 92.53.96.128:443 HTTP/1.1" 200 148 "-" "-"
78.135.85.252 - - [07/May/2023:16:10:39 +0000] "CONNECT m.113kp.com:443 HTTP/1.1" 200 204 "-" "-"
78.135.85.252 - - [07/May/2023:16:10:40 +0000] "\x16\x03\x01" 400 492 "-" "-"
54.209.41.100 - - [07/May/2023:16:10:41 +0000] "CONNECT 185.215.4.15:443 HTTP/1.1" 200 148 "-" "-"
3.88.173.121 - - [07/May/2023:16:10:41 +0000] "\x16\x03\x01\x02" 400 492 "-" "-"
54.209.41.100 - - [07/May/2023:16:10:44 +0000] "\x16\x03\x01\x02" 400 492 "-" "-"
3.88.173.121 - - [07/May/2023:16:10:55 +0000] "CONNECT 92.53.96.128:443 HTTP/1.1" 200 148 "-" "-"
3.88.173.121 - - [07/May/2023:16:10:55 +0000] "\x16\x03\x01\x02" 400 492 "-" "-"
3.88.173.121 - - [07/May/2023:16:10:58 +0000] "CONNECT 92.53.96.128:443 HTTP/1.1" 200 148 "-" "-"
3.88.173.121 - - [07/May/2023:16:10:58 +0000] "\x16\x03\x01\x02" 400 492 "-" "-"
3.88.173.121 - - [07/May/2023:16:10:59 +0000] "CONNECT 92.53.96.128:443 HTTP/1.1" 200 148 "-" "-"
54.209.41.100 - - [07/May/2023:16:11:00 +0000] "CONNECT 185.215.4.15:443 HTTP/1.1" 200 148 "-" "-"
54.209.41.100 - - [07/May/2023:16:11:01 +0000] "\x16\x03\x01\x02" 400 492 "-" "-"
70.34.201.180 - - [07/May/2023:16:11:01 +0000] "CONNECT ip-api.com:80 HTTP/1.1" 200 148 "-" "Python/3.11 python-socks/2.2.0"
70.34.201.180 - - [07/May/2023:16:11:02 +0000] "GET /json/?fields=8217 HTTP/1.1" 404 433 "-" "Mozilla/5.0 (Windows NT 10.0; rv:112.0) Gecko/20100101 Firefox/112.0"
Score:1

When a webserver logs (many) successful CONNECT requests (as evidenced by the 200 HTTP success codes) the web server is being used as a forward proxy.

When those requests do not originate exclusively from your own network your forward proxy is not (properly) secured with access restrictions. That is typically called an "open proxy".

Random clients on the internet can use an open proxy and your server to hide their own IP-address.

That can be intentional, by design and philosophy, for example to provide online anonymity and allow people to circumvent online censorship.

A big problem is that many open proxies (only) get used for abuse and nefarious purposes.


Typically an open proxy is the result of a misconfiguration though.

A fairly typical cause is novice administrators using the incorrect ProxyRequests directive rather than (only) a ProxyPass to configure Apache httpd as a reverse proxy.

  • Apache httpd should always be configured with ProxyRequests Off
  • A Reverse Proxy gets configured with a ProxyPass directive and does NOT need ProxyRequests on
  • When you do need a forward proxy, use one of the many dedicated proxy servers rather than your web server IMHO.
  • If you still want to use Apache httpd as forward proxy, secure your configuration and limit access to only authorised clients.
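
The reasoning in the answer above, applied to an access log (an added example, not part of the original post): it labels CONNECT requests and absolute-URI requests by whether the server answered 2xx, and lists the clients whose proxy-style requests were accepted. The sample lines, label names and function names are constructed for illustration; an accepted CONNECT is an indicator to confirm against the ProxyRequests setting.

```python
import re
from collections import Counter

# Constructed sample in Apache combined log format; addresses are documentation
# ranges (RFC 5737), not taken from the question's log.
SAMPLE_LOG = r'''
192.0.2.10 - - [07/May/2023:16:08:34 +0000] "CONNECT 198.51.100.7:443 HTTP/1.1" 200 148 "-" "-"
192.0.2.10 - - [07/May/2023:16:08:34 +0000] "\x16\x03\x01\x02" 400 492 "-" "-"
192.0.2.20 - - [07/May/2023:16:08:46 +0000] "GET http://example.com/ HTTP/1.1" 200 148 "-" "Go-http-client/1.1"
192.0.2.30 - - [07/May/2023:16:09:01 +0000] "CONNECT example.net:443 HTTP/1.1" 405 310 "-" "-"
192.0.2.40 - - [07/May/2023:16:10:24 +0000] "GET /privacypolicy.html HTTP/1.1" 404 501 "-" "PlayStore-Google"
192.0.2.10 - - [07/May/2023:16:10:20 +0000] "CONNECT 198.51.100.7:443 HTTP/1.1" 200 148 "-" "-"
'''

# Captures client IP, request line (may hold backslash escapes such as \x16), status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) ')

def classify(request, status):
    """Label one request line; None means ordinary origin-server traffic."""
    accepted = 200 <= status < 300
    method, _, rest = request.partition(" ")
    target = rest.split(" ")[0]
    if method == "CONNECT":
        return "connect-accepted" if accepted else "connect-refused"
    if re.match(r"https?://", target, re.I):
        # Absolute-URI request target: the form a client sends to a proxy.
        return "absolute-uri-accepted" if accepted else "absolute-uri-refused"
    if request.startswith(r"\x16\x03"):
        # TLS handshake record bytes logged as if they were a request line.
        return "tls-bytes-as-request"
    return None

def summarize(log_text):
    """Return {client_ip: Counter(label -> count)} for labelled lines only."""
    per_client = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        label = classify(m.group("req"), int(m.group("status")))
        if label:
            per_client.setdefault(m.group("ip"), Counter())[label] += 1
    return per_client

def open_proxy_clients(log_text):
    """Clients whose proxy-style requests were answered with 2xx."""
    hits = {"connect-accepted", "absolute-uri-accepted"}
    return sorted(ip for ip, c in summarize(log_text).items() if hits & set(c))

if __name__ == "__main__":
    for ip, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, dict(counts))
```

After setting ProxyRequests Off and reloading, the same script run over new log lines should report an empty list from `open_proxy_clients`.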
Score:0

Your site is being used as a proxy via the CONNECT method.

One possible way to mitigate this is to disable the CONNECT method, as described here.

LoadModule rewrite_module path/to/apache/modules/mod_rewrite.so

To enable the rewrite engine, add the following:

RewriteEngine On

Please note that by default, rewrite configurations are not inherited across virtual servers. Add RewriteEngine On to each virtual host.

The Disable HTTP Methods Rewrite Rule

Since we are looking to disable specific http methods in this HOWTO, our rewrite rule has two components: a condition and the rule to be applied when that condition is met. In this HOWTO, my example rule will disable both HTTP TRACE and HTTP TRACK requests, (even though TRACK isn't supported by Apache) as well as HTTP OPTIONS requests, (even though disabling HTTP OPTIONS isn't necessarily a best practice). Below is the rule:

RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]

vidarlo
I would rather attempt to figure out *why* Apache is running as an open proxy in the first place: That's not the default configuration. Blocking via mod_rewrite is a *poor* practice.
Romeo Ninov
@vidarlo, true about the open proxy. About disabling CONNECT: sure, there are probably other methods; this is the first I found.