Apache Proxy HTTP CONNECT method enabled
Description
The Apache web server is configured to operate as an open proxy server with the HTTP CONNECT method enabled. This configuration allows external clients to establish tunneled connections through the server to arbitrary destinations. Without proper access controls, attackers can abuse this functionality to relay traffic through your infrastructure, potentially bypassing network security controls, obscuring the source of malicious activity, or accessing internal network resources that should not be publicly accessible.
Remediation
Restrict access to the proxy functionality by implementing access controls using Apache's <Proxy> directive. Configure the proxy to only accept connections from trusted IP addresses or networks. If proxy functionality is not required, disable it entirely by removing or commenting out the proxy modules.
To restrict access by IP address, add the following configuration to your Apache configuration file (httpd.conf or within a VirtualHost block):
<Proxy *>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.0.0/24
    Allow from 10.0.0.0/8
</Proxy>

For Apache 2.4 and later, use the updated access control syntax:

<Proxy *>
    Require ip 192.168.0.0/24
    Require ip 10.0.0.0/8
</Proxy>

If proxy functionality is not needed, disable the proxy modules entirely:

# Comment out or remove these lines:
# LoadModule proxy_module modules/mod_proxy.so
# LoadModule proxy_connect_module modules/mod_proxy_connect.so

After making changes, validate the configuration with apachectl configtest and restart Apache to apply the changes.
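As an added example, not part of this advisory or of Apache itself: a small Python audit of an Apache configuration text that flags the condition described here (a forward proxy enabled by ProxyRequests On with no restrictive <Proxy *> block) and, when mod_proxy_connect is also loaded, the resulting CONNECT exposure. Both configuration samples are constructed; the function name audit_proxy_config is an assumption of this example.

```python
# Added audit helper (not part of the original advisory): flags an Apache
# config that runs a forward proxy without a restrictive <Proxy> block.
import re

# Constructed sample: the weak configuration this finding describes.
WEAK_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
ProxyRequests On
AllowCONNECT 443
"""

# Constructed sample: the remediated configuration (Apache 2.4 syntax).
FIXED_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
ProxyRequests On
<Proxy *>
    Require ip 192.168.0.0/24
    Require ip 10.0.0.0/8
</Proxy>
"""

# Directives inside <Proxy> that actually restrict who may use the proxy.
RESTRICT_RE = re.compile(r"^(Require\s+(ip|host|all\s+denied)|Deny\s+from\s+all)\b", re.I)


def audit_proxy_config(conf):
    """Return a list of findings; an empty list means the proxy is locked down."""
    # Apache treats a line as a comment only when '#' is its first non-blank char.
    lines = [l.strip() for l in conf.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    forward_proxy = any(re.match(r"ProxyRequests\s+On$", l, re.I) for l in lines)
    connect_loaded = any(re.match(r"LoadModule\s+proxy_connect_module\b", l) for l in lines)
    in_block, restricted = False, False
    for l in lines:
        if re.match(r"<Proxy\b", l, re.I):
            in_block = True
        elif re.match(r"</Proxy>", l, re.I):
            in_block = False
        elif in_block and RESTRICT_RE.match(l):
            restricted = True
    findings = []
    if forward_proxy and not restricted:
        findings.append("open forward proxy: ProxyRequests On without a restrictive <Proxy *> block")
        if connect_loaded:
            findings.append("CONNECT tunnelling exposed: mod_proxy_connect is loaded on the open proxy")
    return findings
```

The audit reads one configuration text and does not follow Include directives, so run it over every included file. Note that ProxyRequests Off turns off forward proxying while leaving reverse-proxy ProxyPass rules working, which is the right setting when only reverse proxying is needed.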