HTTPOXY Vulnerability: How to protect and test your web server

The HTTPOXY vulnerability which has been found recently is a vulnerability that affects applications that run in cgi or cgi-like environments. This means that the issue affects almost all web servers including Apache and Nginx and also most PHP applications. Even the mod_php mode on apache is affected.

This tutorial will show you how to protect your web server from HTTPOXY. It contains sections for the most used Linux Distributions CentOS + RHEL, Debian, and Ubuntu. The steps can be applied to other Linux distributions as well, but the paths to the configuration files might differ.

A detailed description of the HTTPOXY vulnerability can be found on this website https://httpoxy.org/.

The steps described in this tutorial are compatible with the ISPConfig perfect server tutorials.

1 How does HTTPOXY affect my server?

HTTPOXY affects clients that honor the HTTP_PROXY variable and use it for their proxy configuration and server side applications which use HTTP_PROXY as real or emulated variable in their environment. The result of an attack can be traffic that gets proxied by the web application to a target system chosen by the attacker or the application opens outgoing connections to other systems. The vulnerability is easily remotely exploitable and servers can be scanned for it, so it is highly recommended to take actions to close it on your server.

1.1 General solution

The recommended solution at the moment is to unset or filter the HTTP_PROXY header variable. This is done in apache with the mod_headers module and this configuration statement:

RequestHeader unset Proxy early

On Nginx you can use this line to unset the HTTP_PROXY variable.

fastcgi_param HTTP_PROXY "";

The next chapter describes the detailed procedure for different Linux Distributions.

2 Debian

This chapter describes the configuration to protect Apache and Nginx on Debian 8 (Jessie) and Debian 7 (Wheezy) servers against HTTPOXY. The next steps assume that you are logged in as root user on the shell. If you are logged in under a different user, then use the su command (or sudo if you configured sudo) to become the root user.

2.2 Debian 8 (Jessie) with Apache

Enable the apache headers module

a2enmod headers

Add a global configuration file /etc/apache2/conf-available/httpoxy.conf. I will use the nano editor here:

nano /etc/apache2/conf-available/httpoxy.conf

and paste the following content to that file:

<IfModule mod_headers.c>
    RequestHeader unset Proxy early
</IfModule>

Save the file. Then enable it in the configuration with the a2enconf command and restart apache.

a2enconf httpoxy
service apache2 restart

2.2 Debian 7 (Wheezy) with Apache

Enable the apache headers module:

a2enmod headers

Add a global configuration file /etc/apache2/conf.d/httpoxy.conf. I will use the nano editor here:

nano /etc/apache2/conf.d/httpoxy.conf

and paste the following content to that file:

<IfModule mod_headers.c>
    RequestHeader unset Proxy early
</IfModule>

Save the file. Then restart apache.

service apache2 restart

2.3 Debian with Nginx

The following command will add a fastcgi_param that sets the HTTP_PROXY variable to an empty string to the /etc/nginx/fastcgi_params file.

echo 'fastcgi_param HTTP_PROXY "";' >> /etc/nginx/fastcgi_params

Then restart nginx to apply the configuration change.

service nginx restart

3 Ubuntu

This chapter describes the configuration to protect Apache and Nginx on Ubuntu 14.04 - 16.04 servers against HTTPOXY.

3.1 Ubuntu with Apache

Enable the apache headers module.

sudo a2enmod headers

Add a global configuration file /etc/apache2/conf-available/httpoxy.conf. I will use the nano editor here:

sudo nano /etc/apache2/conf-available/httpoxy.conf

and paste the following content to that file:

<IfModule mod_headers.c>
    RequestHeader unset Proxy early
</IfModule>

Save the file. Then enable it in the configuration with the a2enconf command and restart apache.

sudo a2enconf httpoxy
sudo service apache2 restart

3.2 Ubuntu with Nginx

The steps to protect Ubuntu against HTTPOXY are similar to the ones for Debian. We just have to ensure to run the commands with sudo. This echo command will add a fastcgi_param line that sets the HTTP_PROXY variable as an empty string. The file /etc/nginx/fastcgi_params is included into the default @PHP and cgi-bin sections of the nginx vhost files and also in vhosts that get created by ISPConfig. If you added custom vhosts, then checj that they contain "include /etc/nginx/fastcgi_params;" in the config sections for php and other cgi or fastcgi connectors.

Run the following command to add the empty HTTP_PROXY variable.

sudo echo 'fastcgi_param HTTP_PROXY "";' >> /etc/nginx/fastcgi_params

Then restart Nginx to apply the configuration change.

sudo service nginx restart

4 CentOS, RHEL and Fedora

This chapter describes the configuration to protect Apache and Nginx on CentOS servers against HTTPOXY. The same steps should work for Fedora servers as well. Login as root user on the shell before you proceed with the commands below.

4.1 Apache

The Apache (httpd) configuration file on CentOS is /etc/httpd/conf/httpd.conf. I will add the apache header rule at the end of the httpd.conf file with this command:

echo "RequestHeader unset Proxy early" >> /etc/httpd/conf/httpd.conf

Then restart httpd to apply the configuration change.

service httpd restart

4.2 Nginx

The Nginx web server on CentOS includes the fastcgi_params into the PHP and CGI section of the default vhost, so we can add the rule to set the empty HTTP_PROXY variable there. Run this command to add the empty HTTP_PROXY variable.

echo 'fastcgi_param HTTP_PROXY "";' >> /etc/nginx/fastcgi_params

Then restart nginx to apply the configuration change.

service nginx restart

5 Test

Finally, you should test if your server is safe now. Luke Rehman has developed a nice online testing tool which can be found here: https://httpoxy.rehmann.co/

Enter the URL to your server or website in the tool and click on the "test" button.

HTTPOXY Test

Here is the result for howtoforge.com. As you can see, our website is safe.

Share this page:

6 Comment(s)

Add comment

Comments

From: Daniel Sommer at: 2016-07-20 15:20:22

AFAIK, the main config file for httpd under CentOS/Fedora is /etc/httpd/conf/httpd.conf (so, the "conf" subdirectory seems to be missing in the HowTo)

From: hsluis at: 2016-07-23 02:11:22

Hello Till, thanks for the information and help to get protected.This volnerability only work if you are using apache proxy, not habilitated by default, right?I test my server and get "The service has queried www.xxx.dot using httpoxy headers, but received no http_proxy request". I'm not using apache proxy. Do you think it is necesary anyway make the fix? Thanks!

From: till at: 2016-07-23 08:05:56

The vulnerability affects not only apache proxy, it affects also PHP, perl and other server side scripting languages a script written in that language is vulnerable, so I recommend to apply the fix. At least it should not hurt to do it.

From: hsluis at: 2016-07-24 02:05:53

Thanks Till!

From: hsluis at: 2016-07-24 02:06:44

Thanks Till.

From: Enzo2424 at: 2016-09-05 13:06:10

Thank you for this info. Done on my ubuntu server. Great job ! :)