mario198787
Joined: 05 Jun 2021 Posts: 6
Posted: Sat 05 Jun '21 20:38 Post subject: Apache reverse proxy
Hello,
I am trying to configure my Apache with modsec as a reverse proxy. Thus, I added the following lines to /etc/apache2/sites-available/000-default.conf:
Code:
# reverse-proxy directives (provided by mod_proxy and mod_proxy_http)
ProxyPreserveHost On
ProxyPass / http://192.168.1.2/
ProxyPassReverse / http://192.168.1.2/
And finally, when I restarted the Apache service, I got an error:
Code:
root@ubun2004:/etc/apache2/sites-available# /etc/init.d/apache2 restart
Restarting apache2 (via systemctl): apache2.serviceJob for apache2.service failed because the control process exited with error code.
See "systemctl status apache2.service" and "journalctl -xe" for details.
failed!
root@ubun2004:/etc/apache2/sites-available# nano 000-default.conf
root@ubun2004:/etc/apache2/sites-available# nano 000-default.conf
root@ubun2004:/etc/apache2/sites-available# systemctl status apache2.service
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor pres>
Active: failed (Result: exit-code) since Sat 2021-06-05 14:27:33 EDT; 7mi>
Docs: https://httpd.apache.org/docs/2.4/
Process: 3250 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/F>
Jun 05 14:27:32 ubun2004 systemd[1]: Starting The Apache HTTP Server...
Jun 05 14:27:33 ubun2004 apachectl[3271]: AH00526: Syntax error on line 29 of >
Jun 05 14:27:33 ubun2004 apachectl[3271]: Invalid command 'ProxyPreserveHost',>
Jun 05 14:27:33 ubun2004 apachectl[3250]: Action 'start' failed.
Jun 05 14:27:33 ubun2004 apachectl[3250]: The Apache error log may have more i>
Jun 05 14:27:33 ubun2004 systemd[1]: apache2.service: Control process exited, >
Jun 05 14:27:33 ubun2004 systemd[1]: apache2.service: Failed with result 'exit>
Jun 05 14:27:33 ubun2004 systemd[1]: Failed to start The Apache HTTP Server.
root@ubun2004:/etc/apache2/sites-available# ^C
root@ubun2004:/etc/apache2/sites-available# journalctl -xe
Jun 05 14:33:06 ubun2004 gnome-shell[1935]: Window manager warning: Overwritin>
Jun 05 14:33:06 ubun2004 gnome-shell[1935]: Window manager warning: Overwritin>
Jun 05 14:33:06 ubun2004 gnome-shell[1935]: Window manager warning: Overwritin>
Jun 05 14:33:06 ubun2004 gnome-shell[1935]: Window manager warning: Overwritin>
Jun 05 14:33:29 ubun2004 systemd[1]: fprintd.service: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit fprintd.service has successfully entered the 'dead' state.
Jun 05 14:34:29 ubun2004 systemd[1]: Started Run anacron jobs.
-- Subject: A start job for unit anacron.service has finished successfully
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- A start job for unit anacron.service has finished successfully.
--
-- The job identifier is 3029.
Jun 05 14:34:29 ubun2004 anacron[3404]: Anacron 2.3 started on 2021-06-05
Jun 05 14:34:29 ubun2004 anacron[3404]: Normal exit (0 jobs run)
Jun 05 14:34:29 ubun2004 systemd[1]: anacron.service: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit anacron.service has successfully entered the 'dead' state.
I do not know what is wrong...
mraddi
Joined: 27 Jun 2016 Posts: 152 Location: Schömberg, Baden-Württemberg, Germany
Posted: Sun 06 Jun '21 4:03
Good morning,
Have you added/enabled the Apache modules mod_proxy.so and mod_proxy_http.so?
Depending on your Linux distribution, this is either uncommenting two lines in a config file or running the command a2enmod (with sudo/as root).
Best regards
Matthias
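The check Matthias describes, as an added example that is not part of the thread: a small POSIX shell preflight for the proxy host (PC2) that reports which of the modules a mod_security reverse proxy needs are not loaded, enables them and refuses to restart Apache if the config does not pass the syntax check. The "Invalid command 'ProxyPreserveHost'" error in the first post is exactly what Apache prints when a directive's module is not loaded, so this is the first thing to verify. It assumes a Debian/Ubuntu layout (a2enmod, apache2ctl, libapache2-mod-security2 providing security2_module); the module names are the ones "apache2ctl -M" prints.

```shell
#!/bin/sh
# Added example, not code from the thread. Preflight for a mod_security
# reverse proxy on Debian/Ubuntu: which required modules are missing,
# enable them, validate the config, and only then restart Apache.

# Module name as reported by "apache2ctl -M" -> name a2enmod expects.
# security2_module is provided by the libapache2-mod-security2 package.
REQUIRED="proxy_module:proxy proxy_http_module:proxy_http security2_module:security2"

# missing_modules LOADED_OUTPUT
# Print the a2enmod names of required modules absent from LOADED_OUTPUT
# (the text of "apache2ctl -M"), space separated; prints nothing when all
# are loaded. Takes the text as an argument so it can be checked offline.
missing_modules() {
    loaded="$1"
    missing=""
    for pair in $REQUIRED; do
        mod="${pair%%:*}"
        enable_name="${pair#*:}"
        # "apache2ctl -M" lists modules as " proxy_module (shared)".
        if ! printf '%s\n' "$loaded" | grep -q "^ *${mod} "; then
            missing="${missing} ${enable_name}"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Live mode (run as root on PC2): enable what is missing, then validate the
# configuration before restarting, so a bad config never takes the WAF down.
if [ "${1:-}" = "--fix" ]; then
    missing=$(missing_modules "$(apache2ctl -M 2>/dev/null)")
    if [ -n "$missing" ]; then
        echo "enabling: $missing"
        # shellcheck disable=SC2086
        a2enmod $missing
    fi
    apache2ctl configtest && systemctl restart apache2
fi
```

Run it as "sh preflight.sh --fix" on PC2; without the flag it only defines the function. Note that a2enmod alone does not load anything: the module is picked up at the next restart, which is why the syntax check comes after enabling.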
mario198787
Joined: 05 Jun 2021 Posts: 6
Posted: Sun 06 Jun '21 16:58
I have added the modules and still nothing. Maybe I should give more details (maybe something is wrong). I have the following configuration:
(network diagram: https://ibb.co/tmQQqZM)
PC1:
Code:
# 192.168.0.0/24 side; PC2 is the gateway towards PC3
ifconfig eth0 192.168.0.1 netmask 255.255.255.0
route add default gw 192.168.0.2
PC2 (Apache + modsec):
Code:
# ens33 faces PC1, ens37 faces PC3
ifconfig ens33 192.168.0.2 netmask 255.255.255.0
ifconfig ens37 192.168.1.2 netmask 255.255.255.0
PC3 (Apache):
Code:
# 192.168.1.0/24 side; PC2 is the gateway towards PC1
ifconfig ens33 192.168.1.1 netmask 255.255.255.0
route add default gw 192.168.1.2
And with this config, from 192.168.0.1 both a ping to 192.168.1.1 and http://192.168.1.1/index.html in the browser work.
On PC2 I have added the modules associated with a proxy, and /etc/apache2/sites-available/000-default.conf contains:
Code:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    # forward everything to the Apache on PC3
    ProxyPreserveHost On
    ProxyPass / http://192.168.1.1/
    ProxyPassReverse / http://192.168.1.1/
</VirtualHost>
And when in the browser on PC1 I put the URL http://192.168.1.1/index.html?exec=/bin/bash, in the file /var/log/apache2/error.log there are no logs about the attack. But when in the browser on PC1 I put the URL http://192.168.0.2/index.html?exec=/bin/bash, in the file /var/log/apache2/error.log the attack was detected (of course in this case the attack was performed on a different Apache server). Why does the reverse proxy not work?
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
Posted: Sun 06 Jun '21 19:44
Maybe I'm missing something, but when you say on PC1 you put the following in a browser: http://192.168.1.1/index.html?exec=/bin/bash and you see nothing in the error.log file on PC2; why would you?
PC1 is accessing PC3 directly at the network level, and not going through your Apache proxy on PC2.
Presumably, the following URL request from PC1 also logs errors on PC2?
http://192.168.1.2/index.html?exec=/bin/bash
If your intention is to hide the server on PC3, and proxy web requests through PC2, then you'll need to disable IPv4 forwarding on PC2, e.g.
Code:
# sysctl -w net.ipv4.ip_forward=0
or, if you need to keep network connectivity through to PC3 from PC1 via PC2, you'll need to restrict Apache on PC3 to only accept connections from PC2.
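The second option tangent gives (keep forwarding on PC2, but make PC3 refuse anything that did not come through the proxy) and a way to verify that the WAF is not being bypassed, as an added example that is not part of the thread. The script emits the Apache 2.4 fragment for PC3 and audits PC3's access log for requests whose source address is not the proxy: every such line reached the backend without passing mod_security on PC2. Addresses follow the thread (PC2's backend-side interface 192.168.1.2, PC3 at 192.168.1.1); the log lines are a constructed sample in combined format; the conf-available/a2enconf layout is an assumed Debian/Ubuntu one.

```shell
#!/bin/sh
# Added example, not code from the thread: lock PC3 down to the proxy and
# audit its access log for requests that bypassed the proxy (and the WAF).
# Assumed addresses from the thread: PC2 talks to PC3 from 192.168.1.2.

PROXY_IP="192.168.1.2"

# Constructed sample of /var/log/apache2/access.log on PC3 (combined format):
# two requests came straight from PC1 (192.168.0.1), one came via PC2.
SAMPLE_LOG='192.168.0.1 - - [06/Jun/2021:16:58:01 -0400] "GET /index.html?exec=/bin/bash HTTP/1.1" 200 271 "-" "Mozilla/5.0"
192.168.1.2 - - [06/Jun/2021:16:59:10 -0400] "GET /index.html HTTP/1.1" 200 271 "-" "Mozilla/5.0"
192.168.0.1 - - [06/Jun/2021:17:00:02 -0400] "GET /index.html HTTP/1.1" 200 271 "-" "Mozilla/5.0"'

# direct_hits LOG_TEXT PROXY_IP
# Print every request whose client address (first field) is not the proxy;
# each one reached the backend without mod_security ever seeing it.
direct_hits() {
    printf '%s\n' "$1" | awk -v proxy="$2" '$1 != proxy'
}

# count_direct_hits LOG_TEXT PROXY_IP
# Same, but only the number of such requests (0 when the log is clean).
count_direct_hits() {
    printf '%s\n' "$1" | awk -v proxy="$2" '$1 != proxy { n++ } END { print n + 0 }'
}

# backend_only_conf PROXY_IP
# Apache 2.4 fragment for PC3: accept requests only from the proxy address.
# Save it under /etc/apache2/conf-available/, enable with a2enconf, reload.
backend_only_conf() {
    cat <<EOF
# Only the mod_security reverse proxy may talk to this server.
<Location "/">
    Require ip $1
</Location>
EOF
}

# Live mode on PC3: "--audit [logfile]" counts bypasses in the real log,
# "--conf" prints the fragment to install.
case "${1:-}" in
    --audit)
        log="${2:-/var/log/apache2/access.log}"
        echo "requests that bypassed the proxy: $(count_direct_hits "$(cat "$log")" "$PROXY_IP")"
        ;;
    --conf)
        backend_only_conf "$PROXY_IP"
        ;;
esac
```

With the fragment installed, a request from PC1 straight to http://192.168.1.1/ gets a 403 from PC3 instead of a page, while requests arriving via PC2 still work and are inspected by modsec on the way. Two caveats: sysctl -w is not persistent across reboots (put net.ipv4.ip_forward=0 in a file under /etc/sysctl.d/ if you take the first option), and, as tangent notes later in the thread, PC2 itself should only listen on the client-facing address (Listen 192.168.0.2:80 instead of Listen 80 in ports.conf) so that nothing on the backend network can reach the proxy's own interface.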
mario198787
Joined: 05 Jun 2021 Posts: 6
Posted: Sun 06 Jun '21 21:05
So, I ran the command sysctl -w net.ipv4.ip_forward=0, and from PC1 I can access the URL http://192.168.1.2/index.html?exec=/bin/bash and get the error logs. But when I change the URL to http://192.168.1.1/index.html?exec=/bin/bash I get a timeout error.
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
Posted: Sun 06 Jun '21 22:34
Indeed, I'd expect you now get a timeout trying to access PC3 (192.168.1.1) from PC1 (192.168.0.1). That sysctl command has revoked IP forwarding from PC2.
With PC2 (192.168.0.2) acting as your reverse proxy, web requests from PC1 (or other clients on the 192.168.0.0 network) should be passed to the Apache server on PC3, and your mod_sec rules should be carried out as part of that process.
Based on your posts, isn't this what you were trying to achieve?
Note, I wouldn't expect clients to access PC2 via the 192.168.1.1 interface, and if that's important to you, you'll need to update the Apache configuration on PC2 to only listen on the 192.168.0.2 interface.
mario198787
Joined: 05 Jun 2021 Posts: 6
Posted: Sun 06 Jun '21 23:23
Generally, my goal is to detect on PC2 a security issue when I try from PC1 to open the page hosted on PC3. Now I cannot do this because of the timeout. You have written that I should reconfigure Apache on PC2 to only listen on the 192.168.0.2 interface. To be honest, I don't quite understand. PC3 can be accessed via 192.168.1.2, which is an interface of PC2.
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
Posted: Mon 07 Jun '21 0:08
If you're confused, then I have to confess to being even more so.
Yes, PC2 needs both interfaces, but if you're using PC2 to act as a reverse proxy to filter web requests through to PC3, then why would you want to access PC3 directly from PC1?
To me the timeout from PC1 (192.168.0.1) going directly to PC3 (192.168.1.1) is confirmation the client has to go through the Apache reverse proxy at PC2 (192.168.0.2).
I thought that was your objective.
mario198787
Joined: 05 Jun 2021 Posts: 6
Posted: Mon 07 Jun '21 8:59
OK. So, my intention is that PC1 should connect (at the HTTP level) with PC3 via PC2 (through the reverse proxy with modsec) and get a response from PC3 (get a page in the browser, not a timeout). And as I understand you, it works like that now (the reason for the timeout).
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
Posted: Mon 07 Jun '21 22:41
The default gateway might be the issue.
Code:
route add default gw 192.168.0.2
I would expect a router / network switch here, not the second computer.
Also, did you solve the errors?
Code:
Jun 05 14:27:33 ubun2004 apachectl[3271]: AH00526: Syntax error on line 29 of >
Jun 05 14:27:33 ubun2004 apachectl[3271]: Invalid command 'ProxyPreserveHost',>
mario198787
Joined: 05 Jun 2021 Posts: 6
Posted: Thu 10 Jun '21 23:34
Why do you think that the default gateway is a problem? Without it, I haven't got a connection with the network 192.168.1.0.