Question

I am now exploring the use of Apache's mod_proxy directives, e.g. ProxyPass, as part of a solution for the cross-domain scripting restriction (for HTML/Ajax/Flash code). However, I am afraid that by enabling mod_proxy, I would risk turning the server into an open proxy.

What's the risk, and how can I minimize it, in short?

Thanks.


Solution

Since you specifically mentioned ProxyPass, I'll assume you're using mod_proxy as a reverse proxy.

If that's the case, just make sure ProxyRequests is off. It isn't needed for reverse proxies.

In a forward proxy configuration, if you were to enable ProxyRequests without setting access restrictions (i.e., which hosts/networks are allowed to use the proxy) you could very easily wind up with an open proxy.

See the mod_proxy documentation for more info.

OTHER TIPS

Just make sure to set ProxyRequests to Off:

This prevents Apache from acting as a forward proxy server (which is where the concern about an open proxy comes in), but does not affect its use as a reverse proxy using ProxyPass.
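The configuration both answers describe, as an added example that is not part of either original post. It assumes Apache 2.4 syntax with mod_proxy and mod_proxy_http loaded; the `/api/` path, the backend host name and the `192.0.2.0/24` network are constructed placeholders.

```apache
# --- Reverse proxy only (the ProxyPass use case from the question) ---
# Forward proxying stays disabled, so the server only relays requests
# for the paths mapped explicitly below.
ProxyRequests Off

# Constructed mapping: same-origin /api/ requests are passed to one fixed backend.
ProxyPass        "/api/" "http://backend.example.internal:8080/"
ProxyPassReverse "/api/" "http://backend.example.internal:8080/"

# --- Forward proxy, only if one is really needed ---
# Weak form to avoid: "ProxyRequests On" with no access restriction,
# which lets any client relay requests through the server.
#
# Restricted form: only the listed network may use the proxy.
#
# ProxyRequests On
# <Proxy "*">
#     Require ip 192.0.2.0/24
# </Proxy>
```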

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow