logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Apache reverse proxy default site
Author
dwwwc



Joined: 14 Sep 2018
Posts: 1

PostPosted: Fri 14 Sep '18 20:45    Post subject: Apache reverse proxy default site Reply with quote

Hi,

I've got an Apache reverse proxy running on Ubuntu Server 16.04 in combination with Let's Encrypt certbot. The proxy itself is configured with vhosts and pointing to some test servers which reside on my lan. Outside dns for the testservers is pointing to the proxy and the testservers are named something like this: sub1.domain.tld, sub2.domain.tld . The proxy itself doesn't have a domain.tld assigned, only an internal server name.

My reverse proxy is exposed to the internet on port 80 and 443 which is ok. When someone, like for example a hacker who just did a portscan, enters http://publicip of the proxy in a browser, the default 000-default site gets presented, which is expected and fine (I created an empty index.html). When the same hacker enters https://publicip of the proxy in a browser, Apache loads the certificate of the first correct vhost and presents that to the browser/end user (probably because it doesn't have a certificate itself). This obviously gives a certificate error to the end user since the certificate wasn't handed out for an ip but a domain. I have two problems with
Apache presenting that certificate: 1. it's messy and 2. the hacker is able to see the servername of the first correct vhost by checking the presented certificate info (even when the vhost is walled off with a location ip directive).

My question is pretty simple: how can I prevent someone with malicious intents from accessing https://publicip ?
I tried disabling the default sites with a2dissite default-ssl.conf but this gives the following behaviour:
enabled: index.html of /var/www/index.html gets loaded which is good but unwanted certificate behaviour still occurs.
disabled: index.html of the first correct vhost gets loaded and unwanted certificate behaviour also occurs.
I tried doing
Code:

RewriteEngine On
RewriteCond %{HTTPS} on
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI}
inside default-ssl.conf to redirect to http but that doesn't work either.

Note: I read somewhere that leaving 000-default.conf enabled is a good security practice and maybe I'm doing basic things wrong in general, I'm still trying to get familiar with reverse proxy.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Tue 16 Oct '18 22:38    Post subject: Reply with quote

You can't prevent that. The SSL connection and the cert is done before the connection to the vhost. Accessing by the IP can only result in a wrng cert.
Back to top


Reply to topic   Topic: Apache reverse proxy default site View previous topic :: View next topic
Post new topic   Forum Index -> Apache