#78 closed defect (fixed)
HTTP_PROXY possible security risk
Reported by: | chris | Owned by: | chris |
---|---|---|---|
Priority: | major | Milestone: | Maintenance |
Component: | crin1 | Version: | |
Keywords: | | Cc: | |
Estimated Number of Hours: | 0 | Add Hours to Ticket: | 0 |
Billable?: | yes | Total Hours: | 0.75 |
Description
See httpoxy.
Change History (3)
comment:1 Changed 2 years ago by chris
- Add Hours to Ticket changed from 0 to 0.5
- Total Hours set to 0.5
comment:2 Changed 2 years ago by chris
- Resolution set to fixed
- Status changed from new to closed
comment:3 Changed 2 years ago by chris
- Add Hours to Ticket changed from 0 to 0.25
- Total Hours changed from 0.5 to 0.75
Testing this on Crin1, creating a https://wiki.crin.org/w/asdfagagda.php test file containing:
```php
<?php
// Show all information, defaults to INFO_ALL
phpinfo();

// Show just the module information.
// phpinfo(8) yields identical results.
//phpinfo(INFO_MODULES);
?>
```
And using the Firefox Modify Headers and livehttpheaders add-ons to test:
https://wiki.crin.org/w/asdfagagda.php

```http
GET /w/asdfagagda.php HTTP/1.1
Host: wiki.crin.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Proxy: http://foo.bar/
Connection: keep-alive

HTTP/1.1 200 OK
Date: Tue, 19 Jul 2016 12:15:34 GMT
Server: Apache/2.4.10 (Debian)
Strict-Transport-Security: max-age=31536000
X-Frame-Options: sameorigin
Vary: Host,Accept-Encoding
Content-Encoding: gzip
Content-Length: 27158
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
----------------------------------------------------------
```
And the HTTP_PROXY env var isn't set, so that worked; deleting the asdfagagda.php file.
Testing on Crin4 (on the basis that if it is fixed here it'll be fixed on the live server): created /var/www/dev/docroot/asgaadgagad.php and tested it via https://dev.crin.org/asgaadgagad.php; the HTTP_PROXY env var isn't set, so the fix works:
https://dev.crin.org/asgaadgagad.php

```http
GET /asgaadgagad.php HTTP/1.1
Host: dev.crin.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Proxy: http://foo.bar/
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Tue, 19 Jul 2016 12:22:28 GMT
Content-Type: text/html; charset=UTF-8
php-cache: HIT
Content-Encoding: gzip
X-Firefox-Spdy: 3.1
----------------------------------------------------------
```
For Apache we need to unset any incoming PROXY headers:
For the Nginx reverse proxy to php5-fpm this needs adding to remove the PROXY header from incoming HTTP requests:
So on Crin1, which is running Apache, the following was added to all the VirtualHosts:
On Crin2 every section of Nginx configuration which passes requests to php5-fpm and or Tomcat had the following added:
On Crin4 the same was done as for Crin2 but also this was added for the dev site proxy to the live site for media files:
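To show why the `Proxy: http://foo.bar/` header in the captures above would surface as `HTTP_PROXY`, and what the header-stripping fix in Apache/Nginx achieves, here is an added Python example that is not part of the ticket: it applies the CGI meta-variable mapping from RFC 3875 to the captured request headers, applies the strip-the-Proxy-header mitigation, and runs the same "does phpinfo() list HTTP_PROXY" check chris did by eye. The function names and the phpinfo fragments are constructed for this example.

```python
import re

# Request headers taken from the Crin1 capture in this ticket; Proxy: is the injected test header.
SAMPLE_HEADERS = {
    "Host": "wiki.crin.org",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0",
    "Proxy": "http://foo.bar/",
    "Connection": "keep-alive",
}

# Constructed phpinfo() table fragments (not real output from the ticket's servers).
SAMPLE_PHPINFO_VULNERABLE = (
    '<tr><td class="e">HTTP_HOST </td><td class="v">wiki.crin.org </td></tr>\n'
    '<tr><td class="e">HTTP_PROXY </td><td class="v">http://foo.bar/ </td></tr>\n'
)
SAMPLE_PHPINFO_FIXED = (
    '<tr><td class="e">HTTP_HOST </td><td class="v">wiki.crin.org </td></tr>\n'
)

# Headers that get dedicated CGI variables instead of the HTTP_ prefix (RFC 3875 section 4.1.18).
_UNPREFIXED = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}

def cgi_meta_variables(headers):
    """RFC 3875 mapping: upper-case the name, replace '-' with '_', prefix HTTP_.
    This is why a client-supplied 'Proxy:' header lands in HTTP_PROXY."""
    env = {}
    for name, value in headers.items():
        key = name.lower()
        if key in _UNPREFIXED:
            env[_UNPREFIXED[key]] = value
        else:
            env["HTTP_" + re.sub(r"[^A-Z0-9]", "_", name.upper())] = value
    return env

def strip_proxy_header(headers):
    """Mitigation applied at the web server before CGI/FastCGI/proxy_pass: drop any
    incoming Proxy header, whatever its letter case, so HTTP_PROXY can never be set."""
    return {n: v for n, v in headers.items() if n.lower() != "proxy"}

def http_proxy_seen_by_app(headers, mitigated):
    """Return the HTTP_PROXY value the application would see, or None."""
    env = cgi_meta_variables(strip_proxy_header(headers) if mitigated else headers)
    return env.get("HTTP_PROXY")

def phpinfo_reports_http_proxy(html):
    """The check from the ticket: does the phpinfo() page list an HTTP_PROXY variable?"""
    m = re.search(r'HTTP_PROXY\s*</td>\s*<td[^>]*>\s*(.*?)\s*</td>', html)
    return m.group(1) if m else None
```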