Apache Lounge

Topic: Apache reverse proxy
mario198787
Joined: 05 Jun 2021
Posts: 6
Posted: Sat 05 Jun '21 20:38    Post subject: Apache reverse proxy

Hello,

I am trying to configure my Apache with modsec as a reverse proxy. Thus, I added to
Code:
/etc/apache2/sites-available/000-default.conf
the following lines:
Code:
ProxyPreserveHost On
ProxyPass /  http://192.168.1.2
ProxyPassReverse /  http://192.168.1.2

And finally, when I restarted the Apache service, I got an error:
Code:
root@ubun2004:/etc/apache2/sites-available# /etc/init.d/apache2 restart
Restarting apache2 (via systemctl): apache2.serviceJob for apache2.service failed because the control process exited with error code.
See "systemctl status apache2.service" and "journalctl -xe" for details.
 failed!
root@ubun2004:/etc/apache2/sites-available# nano 000-default.conf
root@ubun2004:/etc/apache2/sites-available# nano 000-default.conf
root@ubun2004:/etc/apache2/sites-available# systemctl status apache2.service
● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor pres>
     Active: failed (Result: exit-code) since Sat 2021-06-05 14:27:33 EDT; 7mi>
       Docs: https://httpd.apache.org/docs/2.4/
    Process: 3250 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/F>

Jun 05 14:27:32 ubun2004 systemd[1]: Starting The Apache HTTP Server...
Jun 05 14:27:33 ubun2004 apachectl[3271]: AH00526: Syntax error on line 29 of >
Jun 05 14:27:33 ubun2004 apachectl[3271]: Invalid command 'ProxyPreserveHost',>
Jun 05 14:27:33 ubun2004 apachectl[3250]: Action 'start' failed.
Jun 05 14:27:33 ubun2004 apachectl[3250]: The Apache error log may have more i>
Jun 05 14:27:33 ubun2004 systemd[1]: apache2.service: Control process exited, >
Jun 05 14:27:33 ubun2004 systemd[1]: apache2.service: Failed with result 'exit>
Jun 05 14:27:33 ubun2004 systemd[1]: Failed to start The Apache HTTP Server.

root@ubun2004:/etc/apache2/sites-available# ^C
root@ubun2004:/etc/apache2/sites-available# journalctl -xe
Jun 05 14:33:06 ubun2004 gnome-shell[1935]: Window manager warning: Overwritin>
Jun 05 14:33:06 ubun2004 gnome-shell[1935]: Window manager warning: Overwritin>
Jun 05 14:33:06 ubun2004 gnome-shell[1935]: Window manager warning: Overwritin>
Jun 05 14:33:06 ubun2004 gnome-shell[1935]: Window manager warning: Overwritin>
Jun 05 14:33:29 ubun2004 systemd[1]: fprintd.service: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit fprintd.service has successfully entered the 'dead' state.
Jun 05 14:34:29 ubun2004 systemd[1]: Started Run anacron jobs.
-- Subject: A start job for unit anacron.service has finished successfully
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- A start job for unit anacron.service has finished successfully.
--
-- The job identifier is 3029.
Jun 05 14:34:29 ubun2004 anacron[3404]: Anacron 2.3 started on 2021-06-05
Jun 05 14:34:29 ubun2004 anacron[3404]: Normal exit (0 jobs run)
Jun 05 14:34:29 ubun2004 systemd[1]: anacron.service: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- The unit anacron.service has successfully entered the 'dead' state.


I do not know what is wrong...
mraddi
Joined: 27 Jun 2016
Posts: 132
Location: Schömberg, Baden-Württemberg, Germany
Posted: Sun 06 Jun '21 4:03

Good morning,

Have you added/enabled the Apache modules mod_proxy.so + mod_proxy_http.so?
Depending on your Linux distribution, this means uncommenting two lines in a config file or using the command a2enmod (with sudo/as root).

Best regards
Matthias
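The check behind this answer, as an added example that is not from the thread or from the Apache project: a shell script that reads a vhost file and an `apache2ctl -M` module listing and reports which modules the Proxy* directives need but httpd has not loaded. That is exactly the situation behind the AH00526 "Invalid command 'ProxyPreserveHost'" error in the first post. The sample vhost and module lists are constructed inline; the module names proxy_module and proxy_http_module and the a2enmod command are the standard Debian/Ubuntu ones.

```shell
#!/bin/bash
# Added example, not code from the thread: find out which Apache modules a
# vhost file needs for its Proxy* directives and which of them are absent
# from an "apache2ctl -M" listing. httpd reports AH00526 "Invalid command"
# when the module that defines a directive has not been loaded.

required_modules_for() {
    # $1 = path to a vhost config. Prints one module name per line.
    # ProxyPreserveHost, ProxyPass and ProxyPassReverse are defined by mod_proxy;
    # an http:// (or https://) backend in ProxyPass additionally needs mod_proxy_http.
    local conf="$1"
    if grep -Eq '^[[:space:]]*(ProxyPass|ProxyPassReverse|ProxyPreserveHost)[[:space:]]' "$conf"; then
        echo proxy_module
    fi
    if grep -Eq '^[[:space:]]*ProxyPass[[:space:]].*https?://' "$conf"; then
        echo proxy_http_module
    fi
}

missing_modules() {
    # $1 = vhost config, $2 = file holding the output of "apache2ctl -M".
    # Prints the modules that are required but not loaded; exit status 1 if any.
    local conf="$1" loaded="$2" mod missing=0
    for mod in $(required_modules_for "$conf"); do
        # apache2ctl -M lists modules as " proxy_module (shared)"
        if ! grep -Eq "^[[:space:]]*${mod}[[:space:]]" "$loaded"; then
            echo "$mod"
            missing=1
        fi
    done
    return $missing
}

# --- constructed sample input (stands in for the real files on the proxy host) ---
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF="$SAMPLE_DIR/000-default.conf"
SAMPLE_MODS_BEFORE="$SAMPLE_DIR/modules-before.txt"   # listing before a2enmod
SAMPLE_MODS_AFTER="$SAMPLE_DIR/modules-after.txt"     # listing after a2enmod proxy proxy_http

cat > "$SAMPLE_CONF" <<'EOF'
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ProxyPreserveHost On
    ProxyPass / http://192.168.1.1/
    ProxyPassReverse / http://192.168.1.1/
</VirtualHost>
EOF

cat > "$SAMPLE_MODS_BEFORE" <<'EOF'
Loaded Modules:
 core_module (static)
 so_module (static)
 mpm_event_module (shared)
 security2_module (shared)
EOF

{ cat "$SAMPLE_MODS_BEFORE"; printf ' proxy_module (shared)\n proxy_http_module (shared)\n'; } > "$SAMPLE_MODS_AFTER"

# On a real Debian/Ubuntu host the two inputs would be
#   /etc/apache2/sites-available/000-default.conf   and   apache2ctl -M > /tmp/modules.txt
if MISSING=$(missing_modules "$SAMPLE_CONF" "$SAMPLE_MODS_BEFORE"); then
    echo "all proxy modules loaded"
else
    echo "missing modules: $(echo "$MISSING" | tr '\n' ' ')"
    echo "fix: sudo a2enmod proxy proxy_http && sudo apachectl configtest && sudo systemctl restart apache2"
fi
```

Run `apachectl configtest` after enabling the modules and before restarting: it reports the same AH00526 error without taking the running service down, so a bad edit never leaves the proxy offline.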
mario198787
Joined: 05 Jun 2021
Posts: 6
Posted: Sun 06 Jun '21 16:58

I have added the modules and still nothing. Maybe I should give more details (maybe something is wrong). I have the following configuration:
(network diagram image: https://ibb.co/tmQQqZM)

PC1:
Code:

ifconfig eth0 192.168.0.1 netmask 255.255.255.0
route add default gw 192.168.0.2

PC2 (Apache + modsec):
Code:

ifconfig ens33 192.168.0.2 netmask 255.255.255.0
ifconfig ens37 192.168.1.2 netmask 255.255.255.0

PC3 (Apache):
Code:

ifconfig ens33 192.168.1.1 netmask 255.255.255.0
route add default gw 192.168.1.2

And with this config, from 192.168.0.1 both a ping to 192.168.1.1 and HTTP://192.168.1.1/index.html in the browser work.

On PC2 I have added the modules associated with a proxy, and /etc/apache2/sites-available/000-default.conf contains:
Code:

<VirtualHost *:80>

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        ProxyPreserveHost On
        ProxyPass / http://192.168.1.1/
        ProxyPassReverse / http://192.168.1.1/
</VirtualHost>



And when in the browser on PC1 I enter the URL
Code:
http://192.168.1.1/index.html?exec=/bin/bash
there are no log entries about the attack in the file
Code:
/var/log/apache2/error.log
But when in the browser on PC1 I enter the URL
Code:
http://192.168.0.2/index.html?exec=/bin/bash
the attack is detected in the file
Code:
/var/log/apache2/error.log
(of course, in this case the attack was performed against a different Apache server). Why does the reverse proxy not work?
tangent
Joined: 16 Aug 2020
Posts: 124
Location: UK
Posted: Sun 06 Jun '21 19:44

Maybe I'm missing something, but when you say on PC1 you put the following in a browser:
    http://192.168.1.1/index.html?exec=/bin/bash
you see nothing in the error.log file on PC2; why would you?

PC1 is accessing PC3 directly at the network level, and not going through your Apache proxy on PC2.

Presumably, the following URL request from PC1 also logs errors on PC2?
    http://192.168.1.2/index.html?exec=/bin/bash
If your intention is to hide the server on PC3, and proxy web requests through PC2, then you'll need to disable IPv4 forwarding on PC2, e.g.
Code:
# sysctl -w net.ipv4.ip_forward=0

or if you need to keep network connectivity through to PC3 from PC1 via PC2, you'll need to restrict Apache on PC3 to only accept connections from PC2.
mario198787
Joined: 05 Jun 2021
Posts: 6
Posted: Sun 06 Jun '21 21:05

So, I ran the command
Code:
sysctl -w net.ipv4.ip_forward=0
and from PC1 I can access this URL
Code:
http://192.168.1.2/index.html?exec=/bin/bash
and get error logs. But when I change the URL to
Code:
http://192.168.1.1/index.html?exec=/bin/bash
I get a timeout error.
tangent
Joined: 16 Aug 2020
Posts: 124
Location: UK
Posted: Sun 06 Jun '21 22:34

Indeed, I'd expect you now get a timeout trying to access PC3 (192.168.1.1) from PC1 (192.168.0.1). That sysctl command has revoked IP forwarding from PC2.

With PC2 (192.168.0.2) acting as your reverse proxy, web requests from PC1 (or other clients on the 192.168.0.0 network) should be passed to the Apache server on PC3, and your mod_sec rules should be carried out as part of that process.

Based on your posts, isn't this what you were trying to achieve?

Note, I wouldn't expect clients to access PC2 via the 192.168.1.1 interface, and if that's important to you, you'll need to update the Apache configuration on PC2 to only listen on the 192.168.0.2 interface.
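An added example (not from the thread and not the Apache project's code) that encodes the point of this post and tangent's earlier one: whether a client on PC1's network can reach PC3 without its request passing through the mod_security proxy on PC2, given PC2's ip_forward setting and PC3's vhost config, and whether PC2's Listen directives are bound to the client-facing 192.168.0.2 address. The inputs are files so the same functions run on constructed samples here and on the live files of a real host; the hardened PC3 vhost with `Require ip 192.168.1.2` and the ports samples are constructed for the example.

```shell
#!/bin/bash
# Added example, not code from the thread: decide whether a client on the
# 192.168.0.0/24 side could reach the web server on PC3 (192.168.1.1) without
# its request passing through the mod_security reverse proxy on PC2. It encodes
# the two options from the thread (stop PC2 forwarding IPv4, or make PC3 accept
# only PC2) plus the note about binding PC2's listener to the client-facing side.

PROXY_BACKEND_IP="192.168.1.2"   # PC2's address on the backend network, as in the thread
PROXY_CLIENT_IP="192.168.0.2"    # PC2's address facing the clients

backend_restricted_to_proxy() {
    # $1 = PC3 vhost config. True if it carries "Require ip <PC2 backend address>".
    # This relies on httpd on PC3 seeing PC2 as the connection peer, which holds for
    # plain ProxyPass; if mod_remoteip trusted X-Forwarded-For on PC3, "Require ip"
    # would see the client's address instead and the rule would need rethinking.
    local ip_re
    ip_re=$(printf '%s' "$PROXY_BACKEND_IP" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*Require[[:space:]]+ip[[:space:]]+${ip_re}([[:space:]]|\$)" "$1"
}

bypass_possible() {
    # $1 = file holding PC2's ip_forward value (0 or 1), e.g. /proc/sys/net/ipv4/ip_forward
    # $2 = PC3 vhost config
    # Returns 0 when a client could talk to PC3 directly, 1 when PC3 is shielded.
    local forwarding
    forwarding=$(tr -d '[:space:]' < "$1")
    if [ "$forwarding" = "0" ]; then
        return 1    # PC2 does not route, so 192.168.1.0/24 is unreachable from PC1
    fi
    if backend_restricted_to_proxy "$2"; then
        return 1    # packets are routed, but PC3's httpd refuses anything not from PC2
    fi
    return 0
}

proxy_listens_on_client_side_only() {
    # $1 = PC2 ports file. True if there is at least one Listen and every Listen
    # is bound to the client-facing address, e.g. "Listen 192.168.0.2:80".
    grep -Eq '^[[:space:]]*Listen[[:space:]]' "$1" &&
        ! grep -E '^[[:space:]]*Listen[[:space:]]' "$1" |
          grep -Evq "^[[:space:]]*Listen[[:space:]]+${PROXY_CLIENT_IP}:"
}

# --- constructed samples (stand in for the live files on PC2 and PC3) ---
SAMPLE_DIR=$(mktemp -d)
printf '1\n' > "$SAMPLE_DIR/ip_forward_on"    # state in the thread before sysctl -w
printf '0\n' > "$SAMPLE_DIR/ip_forward_off"   # after: sysctl -w net.ipv4.ip_forward=0

cat > "$SAMPLE_DIR/pc3-open.conf" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/html
</VirtualHost>
EOF

# Hardened PC3: forwarding may stay on, but only the proxy may talk to httpd.
cat > "$SAMPLE_DIR/pc3-restricted.conf" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/html
    <Location "/">
        Require ip 192.168.1.2
    </Location>
</VirtualHost>
EOF

printf 'Listen 80\n' > "$SAMPLE_DIR/pc2-ports-any.conf"                # Debian default: all addresses
printf 'Listen 192.168.0.2:80\n' > "$SAMPLE_DIR/pc2-ports-client.conf" # bound to the client side

report() {
    # $1 = ip_forward file, $2 = PC3 vhost config, $3 = PC2 ports file
    if bypass_possible "$1" "$2"; then
        echo "BYPASS: clients can reach PC3 without passing the proxy's mod_security rules"
    else
        echo "ok: PC3 is reachable only through the reverse proxy on PC2"
    fi
    if proxy_listens_on_client_side_only "$3"; then
        echo "ok: PC2 listens only on $PROXY_CLIENT_IP"
    else
        echo "note: PC2 listens on all addresses, including $PROXY_BACKEND_IP"
    fi
}

report "$SAMPLE_DIR/ip_forward_on"  "$SAMPLE_DIR/pc3-open.conf"       "$SAMPLE_DIR/pc2-ports-any.conf"
report "$SAMPLE_DIR/ip_forward_off" "$SAMPLE_DIR/pc3-open.conf"       "$SAMPLE_DIR/pc2-ports-client.conf"
report "$SAMPLE_DIR/ip_forward_on"  "$SAMPLE_DIR/pc3-restricted.conf" "$SAMPLE_DIR/pc2-ports-client.conf"
```

On the live hosts, point bypass_possible at /proc/sys/net/ipv4/ip_forward on PC2 and at the vhost file on PC3, and proxy_listens_on_client_side_only at /etc/apache2/ports.conf on PC2. The first report line is the thread's original setup, where PC1 could open PC3 directly and the WAF saw nothing; the other two are the two ways of closing that path.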
mario198787
Joined: 05 Jun 2021
Posts: 6
Posted: Sun 06 Jun '21 23:23

Generally, my goal is to have security issues detected on PC2 when I try to open the page hosted on PC3 from PC1. Now I cannot do this because of the timeout. You have written that I should reconfigure Apache on PC2 to only listen on the 192.168.0.2 interface. To be honest, I don't quite understand. PC3 can be accessed via 192.168.1.2, which is an interface of PC2.
tangent
Joined: 16 Aug 2020
Posts: 124
Location: UK
Posted: Mon 07 Jun '21 0:08

If you're confused, then I have to confess to being even more so.

Yes, PC2 needs both interfaces, but if you're using PC2 to act as a reverse proxy to filter web requests through to PC3, then why would you want to access PC3 directly from PC1?

To me the timeout from PC1 (192.168.0.1) going directly to PC3 (192.168.1.1) is confirmation the client has to go through the Apache reverse proxy at PC2 (192.168.0.2).

I thought that was your objective.
mario198787
Joined: 05 Jun 2021
Posts: 6
Posted: Mon 07 Jun '21 8:59

OK. So, my intention is that PC1 should connect (on the HTTP level) with PC3 via PC2 (through reverse proxy with modsec) and get a response from PC3 (get a page in the browser, not a timeout). And as I understand you, it works like that now (timeout reason).
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 6998
Location: Germany, Next to Hamburg
Posted: Mon 07 Jun '21 22:41

The default gateway might be the issue.

Code:
route add default gw 192.168.0.2


I would expect a router / network switch here, not the second computer.

Also, did you solve the errors?

Code:

Jun 05 14:27:33 ubun2004 apachectl[3271]: AH00526: Syntax error on line 29 of >
Jun 05 14:27:33 ubun2004 apachectl[3271]: Invalid command 'ProxyPreserveHost',>
mario198787
Joined: 05 Jun 2021
Posts: 6
Posted: Thu 10 Jun '21 23:34

Why do you think that the default gateway is a problem? Without it, I haven't got a connection to the network 192.128.1.0.