Apache configured to run as proxy
Description
The Apache web server is configured to operate as a forward proxy, allowing clients to route HTTP requests through it to external destinations. Without proper access controls, this creates an open proxy that can be exploited by unauthorized users. Open proxies pose significant security risks to both the hosting organization's network infrastructure and the broader Internet community, making access restriction essential.
Remediation
Restrict proxy access to authorized clients only by implementing access controls in your Apache configuration. Use the <Proxy> directive to define which IP addresses or networks are permitted to use the proxy service.
Add the following configuration to your Apache configuration file (typically httpd.conf or apache2.conf):
<Proxy *> Order Deny,Allow Deny from all Allow from 192.168.0.0/24 Allow from 10.0.0.0/8 </Proxy>
Replace the IP ranges with your organization's trusted network addresses. For Apache 2.4 and later, use the newer access control syntax:
<Proxy *> Require ip 192.168.0.0/24 Require ip 10.0.0.0/8 </Proxy>
After making changes, validate the configuration with
apachectl configtest and restart Apache to apply the settings. If proxy functionality is not required, disable the mod_proxy module entirely by removing or commenting out the LoadModule directive for mod_proxy and related proxy modules.