block httpoxy recipe

Discussion in 'Tips/Tricks/Mods' started by Jesse Norell, Jul 18, 2016.

  1. Jesse Norell

    Jesse Norell Active Member

    A quick block for httpoxy (https://httpoxy.org/) using apache headers module.

    First make sure the headers module is enabled.

    Code:
    # a2enmod headers
    Module headers already enabled
    If instead that says 'Enabling module headers.' then be aware you can affect existing websites, eg. sites may have .htaccess files with Header statements that were not previously in effect. With headers module enabled, create a server-wide config file (this works on debian jessie, just adjust the conf file location for other OS):

    Code:
    # cat > /etc/apache2/conf-available/httpoxy.conf <<EOF
    # block httpoxy - https://httpoxy.org/
    <IfModule mod_headers.c>
        RequestHeader unset Proxy early
    </IfModule>
    EOF
    
    # a2enconf httpoxy
    # service apache2 reload
    
    Or if you prefer the webserver to crash if the headers module is not enabled as a failsafe, just remove the <IfModule> tags. I tested an ISPConfig box here and it was vulnerable prior to this, but not afterwards.
     
    Last edited: Jul 18, 2016
    till, Farsus and Thaddeus like this.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    For Nginx servers, use these two commands:

    Code:
    echo 'fastcgi_param HTTP_PROXY "";' >> /etc/nginx/fastcgi_params
    service nginx restart
     

Share This Page