@brccabral
Last active October 29, 2024 18:09
Apache2 HTTPd Proxy Server and LDAP

Apache2 HTTPd

Proxy Server

Apache httpd is listening on 8081 (not the default HTTPS port, I know) and another web server is listening on 8000.

Edit file D:\Apache24\conf\httpd.conf.

Enable these modules

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
# if using RewriteEngine/RewriteCond/RewriteRule
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule xml2enc_module modules/mod_xml2enc.so

Edit file D:\Apache24\conf\extra\httpd-ahssl.conf.
Configure <Location> and proxy settings

Listen 8081 https
...
...
<VirtualHost *:8081>
    ErrorLog "${SRVROOT}/logs/ssl_error.log"
    CustomLog "${SRVROOT}/logs/ssl_request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    SSLEngine on
    ServerName example.com:8081
    SSLCertificateFile "${SRVROOT}/conf/ssl/example.com.cer"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl/example.com.key"
    DocumentRoot "${SRVROOT}/htdocs"
    # DocumentRoot access handled globally in httpd.conf
    <Directory "${SRVROOT}/htdocs">
        Options Indexes Includes FollowSymLinks
        AllowOverride AuthConfig Limit FileInfo
        Require all granted
    </Directory>

    # enable TLS towards the backends (required for https:// ProxyPass targets)
    SSLProxyEngine on
    # pass the client's Host header through to the backend unchanged
    # (the author needed this for POST requests to work)
    ProxyPreserveHost On

    # Add here your new url https://example.com:8001/url_path/
    # restrict access with htpasswd credentials
    <Location /url_path>
        AuthName "Protected Area"
        AuthType Basic
        AuthUserFile "${SRVROOT}/conf/htpasswd"
        Require valid-user
    </Location>
    ProxyPass /url_path https://example.com:8001/url_path/
    ProxyPassReverse /url_path https://example.com:8001/url_path/

    # another site on https://new_site.com:5000/enter/
    <Location /new_site>
        AuthName "Protected Area"
        AuthType Basic
        AuthUserFile "${SRVROOT}/conf/htpasswd"
        Require valid-user
        ProxyPass https://new_site.com:5000/enter/
        ProxyPassReverse https://new_site.com:5000/enter/
    </Location>

    # if using websockets
    <Location /page_ws>
        ProxyPass https://wsserver.com:8501/page_ws/
        ProxyPassReverse https://wsserver.com:8501/page_ws/
        RewriteEngine On
        RewriteCond %{HTTP:Upgrade} =websocket [NC]
        RewriteCond %{HTTP:Connection} upgrade [NC]
        # the question mark is important for some webservers (python)
        # as they get confused with trailing slashes
        RewriteRule /page_ws/?(.*) wss://wsserver.com:8501/page_ws/$1 [P,L]
        RewriteCond %{HTTP:Upgrade} !=websocket [NC]
        RewriteRule /page_ws/?(.*) https://wsserver.com:8501/page_ws/$1 [P,L]
    </Location>

</VirtualHost>
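As an added check (example code, not part of the gist): a small Python audit that walks a vhost fragment laid out like the one above and reports every proxied path that is not covered by a Location carrying an authentication Require. Run against the gist's own layout it flags /page_ws, whose Location has ProxyPass and rewrite rules but no Require directive. The config embedded in the script is a constructed copy of that layout, and the parser is deliberately minimal (one directive per line, Location blocks only, no Include or LocationMatch handling).

```python
"""Report proxied paths in an Apache vhost fragment that no authentication Require covers.

Added example, not part of the gist. SAMPLE_CONF is a constructed copy of the gist's
layout; the parser is intentionally minimal (one directive per line, Location blocks only).
"""
import re

SAMPLE_CONF = r"""
<VirtualHost *:8081>
    SSLProxyEngine on
    ProxyPreserveHost On

    # restricted by htpasswd, proxied from the VirtualHost level
    <Location /url_path >
        AuthType Basic
        AuthUserFile "${SRVROOT}/conf/htpasswd"
        Require valid-user
    </Location>
    ProxyPass /url_path https://example.com:8001/url_path/
    ProxyPassReverse /url_path https://example.com:8001/url_path/

    # restricted by htpasswd, proxied inside the Location
    <Location /new_site >
        AuthType Basic
        Require valid-user
        ProxyPass https://new_site.com:5000/enter/
        ProxyPassReverse https://new_site.com:5000/enter/
    </Location>

    # websocket proxy with no Require at all
    <Location /page_ws >
        ProxyPass https://wsserver.com:8501/page_ws/
        ProxyPassReverse https://wsserver.com:8501/page_ws/
        RewriteEngine On
        RewriteRule /page_ws/?(.*) wss://wsserver.com:8501/page_ws/$1 [P,L]
    </Location>
</VirtualHost>
"""

LOCATION_OPEN = re.compile(r"^<Location\s+(\S+?)\s*>$", re.IGNORECASE)
LOCATION_CLOSE = re.compile(r"^</Location>$", re.IGNORECASE)


def normalize(path):
    """Strip a trailing slash so /foo and /foo/ compare equal; the root stays "/"."""
    return path.rstrip("/") or "/"


def parse_locations(conf):
    """Return (locations, toplevel_proxy): the directive lines inside each Location,
    and the URL paths of ProxyPass directives that appear outside any Location."""
    locations, toplevel_proxy, current = {}, [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = LOCATION_OPEN.match(line)
        if opened:
            current = normalize(opened.group(1))
            locations.setdefault(current, [])
            continue
        if LOCATION_CLOSE.match(line):
            current = None
            continue
        parts = line.split()
        if current is not None:
            locations[current].append(line)
        elif parts[0].lower() == "proxypass" and len(parts) >= 3:
            toplevel_proxy.append(normalize(parts[1]))
    return locations, toplevel_proxy


def is_auth_require(line):
    """True for a Require that demands authentication ("Require all granted" does not)."""
    parts = line.split()
    return parts[0].lower() == "require" and parts[1:3] != ["all", "granted"]


def unprotected_proxies(conf):
    """Return the sorted proxied paths that no covering Location protects with a Require."""
    locations, toplevel_proxy = parse_locations(conf)
    proxied = set(toplevel_proxy)
    for path, lines in locations.items():
        if any(l.split()[0].lower() == "proxypass" for l in lines):
            proxied.add(path)
    findings = []
    for path in sorted(proxied):
        # a Location covers the path if it is equal or a path-segment prefix (/a does not cover /ab)
        covering = [p for p in locations if path == p or path.startswith(p.rstrip("/") + "/")]
        if not any(is_auth_require(l) for p in covering for l in locations[p]):
            findings.append(path)
    return findings


if __name__ == "__main__":
    for path in unprotected_proxies(SAMPLE_CONF):
        print(f"WARNING: {path} is proxied without any authentication Require")
```

The check treats a `Require all granted` as no protection, and a Location on `/` as covering every path, so a single `<Location />` with `Require valid-user` satisfies it for all top-level ProxyPass directives.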

If needed, add example.com to your hosts file (/etc/hosts on Linux, C:\Windows\System32\drivers\etc\hosts on Windows)

127.0.0.1 localhost
127.0.0.1 example.com

If needed, create the htpasswd file and set the user passwords

:: -c create with -B (bcrypt)
D:\Apache24\bin\htpasswd.exe -cB D:\Apache24\conf\htpasswd username
:: update with -B (bcrypt)
D:\Apache24\bin\htpasswd.exe -B D:\Apache24\conf\htpasswd username

LDAP

Edit file D:\Apache24\conf\httpd.conf. Enable these modules and set up the LDAP cache parameters

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
...
...
LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

Edit file D:\Apache24\conf\extra\httpd-ahssl.conf.

    <Location /secure_path>
        # other config like ProxyPass or ServerName
        ...
        ...
        LDAPReferrals Off

        AuthType Basic
        AuthName "Enter LDAP credentials"
        AuthBasicProvider ldap

        # ldaps://host:port/base_dn?attribute?scope?filter
        AuthLDAPURL ldaps://host:port/OU=Departament,DC=company,DC=com?sAMAccountName?sub?(objectClass=*)

        #AuthLDAPBindDN "CN=BindUser,OU=Departament,DC=company,DC=com"
        AuthLDAPBindDN "[email protected]"
        #AuthLDAPBindPassword "strong_and_secure_password"
        #AuthLDAPBindPassword ${ENV_VARIABLE}
        #AuthLDAPBindPassword "exec:cat /path/to/stored_file"
        AuthLDAPBindPassword exec:D:/path/to/decryption.bat

        Require ldap-attribute attrName="attrValue"
        #Require ldap-group XXX
    </Location>

Rotate Logs

https://httpd.apache.org/docs/2.4/programs/rotatelogs.html

<Type> <command> <format>

Type = ErrorLog, CustomLog, TransferLog
command = "|bin/rotatelogs.exe -l /path/to/file.%Y%m%d.%H%M%S.log <seconds>" (the leading | pipes the log to rotatelogs, -l uses local time, <seconds> is the rotation interval)
format = https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats (CustomLog only)

ErrorLog "|bin/rotatelogs.exe -l ${SRVROOT}/logs/ssl_error.%Y_%m_%d.log 86400"
CustomLog "|bin/rotatelogs.exe -l ${SRVROOT}/logs/ssl_request.%Y_%m_%d.log 86400" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

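The CustomLog format above records the negotiated TLS protocol and cipher with each request, which makes the rotated logs useful for more than traffic accounting. As an added example (not from the gist), the Python script below parses lines in that exact format and reports clients that negotiated legacy protocol versions, TRACE/TRACK requests (the methods the Security section disables) and probes for an exposed .git directory. The log lines embedded in it are constructed.

```python
"""Review ssl_request log lines written with the CustomLog format used on this page:
%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b

Added example, not part of the gist; SAMPLE_LOG is constructed.
"""
import re

SAMPLE_LOG = """\
[29/Oct/2024:18:09:01 +0000] 10.0.0.5 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /url_path/ HTTP/1.1" 512
[29/Oct/2024:18:09:02 +0000] 10.0.0.7 TLSv1 ECDHE-RSA-AES128-SHA "GET /new_site/ HTTP/1.1" -
[29/Oct/2024:18:09:03 +0000] 10.0.0.8 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "TRACE / HTTP/1.1" 200
[29/Oct/2024:18:09:04 +0000] 10.0.0.9 TLSv1.1 DES-CBC3-SHA "GET /.git/config HTTP/1.1" 0
"""

# %t is bracketed, %h/%x fields are single tokens, %r is quoted, %b is a number or "-"
LOG_LINE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<bytes>\S+)$'
)
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
BLOCKED_METHODS = {"TRACE", "TRACK"}  # disabled by TraceEnable Off / the rewrite rule


def parse_line(line):
    """Split one log line into a dict, or return None if it does not match the format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    req = rec["request"].split()
    rec["method"] = req[0] if req else ""
    rec["path"] = req[1] if len(req) > 1 else ""
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # %b writes "-" for zero
    return rec


def review(lines):
    """Return (host, reason) findings for every line worth a second look."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            findings.append(("?", "line does not match the log format"))
            continue
        if rec["proto"] in LEGACY_PROTOCOLS:
            findings.append((rec["host"], f"negotiated legacy protocol {rec['proto']}"))
        if rec["method"] in BLOCKED_METHODS:
            findings.append((rec["host"], f"{rec['method']} request (should be refused)"))
        if rec["path"].startswith("/.git"):
            findings.append((rec["host"], "probe for an exposed .git directory"))
    return findings


if __name__ == "__main__":
    for host, reason in review(SAMPLE_LOG.splitlines()):
        print(f"{host}: {reason}")
```

Pointing the script at a rotated file is a matter of replacing `SAMPLE_LOG.splitlines()` with the file's lines; a line that does not match the format is reported rather than silently skipped, so a changed LogFormat shows up immediately.
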
Security

On Windows, in D:\Apache24\conf\httpd.conf uncomment Include conf/extra/httpd-default.conf.

The settings below go in D:\Apache24\conf\extra\httpd-default.conf on Windows, or /etc/apache2/conf-enabled/security.conf on Linux.

  • Banner grabbing - by default the server sends information about the system which an attacker can exploit; change these settings
# httpd-default.conf
# set to Prod
ServerTokens Prod
# set to Off
ServerSignature Off
# add this
RedirectMatch 404 /\.git
# php.ini
expose_php = Off
  • HSTS header - force the connection to use HTTPS; without it an attacker can downgrade the connection
# httpd.conf
LoadModule headers_module modules/mod_headers.so
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  • Filesystem root - deny access to the whole filesystem by default and grant it only to the directories that must be served
# httpd.conf
<Directory />
    Options +FollowSymLinks -Indexes
    AllowOverride none
    Require all denied
</Directory>
  • Disable phpinfo - phpinfo() can expose system details to an attacker
# httpd.conf
php_value disable_functions phpinfo
# php.ini
disable_functions = phpinfo
  • Cross site scripting (XSS) - an attacker can send <script> tags in form fields. Flag cookies HttpOnly and Secure so injected script cannot read them, and escape user input before echoing it back.
# httpd.conf
LoadModule headers_module modules/mod_headers.so
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
<?php
// escape user input before it is echoed into HTML; ENT_QUOTES also covers single quotes
$field = htmlspecialchars($_GET['field'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
  • Error message disclosure - detailed error messages tell an attacker about the system and help exploit it; turn them off
# httpd.conf
php_flag display_errors off
# php.ini
display_errors = Off
  • Direct download - use a controlled script to allow file downloads

On Windows, download mod_xsendfile from https://www.apachelounge.com/download/ . On Linux, check your distribution's package manager.
Save mod_xsendfile.so at C:\Apache24\modules.

# httpd.conf
LoadModule xsendfile_module modules/mod_xsendfile.so
XSendFile on
XSendFilePath "D:/secure/path"
<?php
// http://localhost/?file=myFile.pdf

// ! Check for permissions (authenticate and authorise the user) before serving anything

$base_dir = realpath("D:\\secure\\path");

// basename() drops any directory part, so "../" cannot walk out of $base_dir
$file_name = basename($_GET['file'] ?? '');
$filepath = realpath($base_dir . DIRECTORY_SEPARATOR . $file_name);

// the resolved path must still start with the allowed directory (second line of defence)
if ($file_name !== '' && $filepath !== false
    && strncmp($filepath, $base_dir . DIRECTORY_SEPARATOR, strlen($base_dir) + 1) === 0
    && is_file($filepath))
{
    header("X-Sendfile: $filepath");
    header("Content-Type: application/octet-stream");
    // strip quotes so the name cannot break out of the filename="..." parameter
    header('Content-Disposition: attachment; filename="' . str_replace('"', '', $file_name) . '"');
}
else
{
    http_response_code(404);
    // escape before echoing the requested name back into HTML
    echo "<h1>File " . htmlspecialchars($file_name, ENT_QUOTES, 'UTF-8') . " not found</h1>";
}
  • Disable TRACE/TRACK

When example.com/foo/bar is requested and the server rewrites it to example.com/foo.php?id=bar, the server implementation is exposed to the attacker. Disable the TRACE/TRACK methods.

# httpd.conf
TraceEnable Off

Also, check the Rewrite directives; the methods can be refused there as well (mod_rewrite must be loaded)

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
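To confirm that the hardening above actually reaches the client, the response headers can be checked. The Python function below, an added example rather than part of the gist, takes a list of (name, value) header pairs as they would be captured from a response and reports a Server header that is not the bare "Apache" that ServerTokens Prod produces, an X-Powered-By header (expose_php still on), a missing or short Strict-Transport-Security header, and Set-Cookie values lacking HttpOnly or Secure. Both header sets in the script are constructed samples.

```python
"""Audit captured HTTP response headers against the hardening settings on this page.

Added example, not part of the gist. Both header sets are constructed samples:
WEAK_HEADERS mimics a default Apache + PHP install, HARDENED_HEADERS what the
settings on this page produce.
"""

ONE_YEAR = 31536000  # the max-age used in the Strict-Transport-Security header above

# constructed sample responses (version strings are placeholders, not real builds)
WEAK_HEADERS = [
    ("Server", "Apache/2.4.x (Win64) OpenSSL/3.x PHP/8.x"),
    ("X-Powered-By", "PHP/8.x"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/"),
    ("Content-Type", "text/html; charset=UTF-8"),
]
HARDENED_HEADERS = [
    ("Server", "Apache"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/;HttpOnly;Secure"),
    ("Content-Type", "text/html; charset=UTF-8"),
]


def hsts_max_age(value):
    """Return the max-age of an HSTS header value in seconds, or None if absent/malformed."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def cookie_flags(value):
    """Return the lower-cased attribute names of a Set-Cookie value (everything after name=value)."""
    return {attr.strip().split("=", 1)[0].lower() for attr in value.split(";")[1:]}


def audit_headers(headers):
    """Return a list of findings for a list of (name, value) pairs; an empty list means clean."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    findings = []

    # ServerTokens Prod reduces the banner to exactly "Apache"; anything more is a leak
    for value in by_name.get("server", []):
        if value.strip() != "Apache":
            findings.append(f"Server header leaks build details: {value}")
    if "x-powered-by" in by_name:
        findings.append("X-Powered-By present (expose_php is still on)")

    hsts = by_name.get("strict-transport-security")
    if not hsts:
        findings.append("Strict-Transport-Security header missing")
    else:
        max_age = hsts_max_age(hsts[0])
        if max_age is None or max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")
        directives = {p.strip().split("=", 1)[0].lower() for p in hsts[0].split(";")}
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")

    # the Header edit on this page appends ;HttpOnly;Secure to every Set-Cookie
    for cookie in by_name.get("set-cookie", []):
        flags = cookie_flags(cookie)
        missing = [label for key, label in (("httponly", "HttpOnly"), ("secure", "Secure"))
                   if key not in flags]
        if missing:
            findings.append(f"Set-Cookie {cookie.split('=', 1)[0]} lacks {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["clean"])
```

Headers are matched case-insensitively and repeated headers (several Set-Cookie lines) are each checked, which is why the input is a list of pairs rather than a dict.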