Apache – Enabling Proxy HTTP CONNECT Method

Tags: apache-2.2, mod-proxy

I'm using Apache as reverse proxy for several different projects. PCI-DSS compliance scanning shows that my Apache is having HTTP CONNECT method enabled.

As stated on Acunetix's site: http://www.acunetix.com/vulnerabilities/apache-proxy-http-connect-metho/

As far as I know, CONNECT is used by the web server to tunnel SSL to application server.

Any suggestion how should I fix this?

Otherwise, anyone know how should I perform the test if my Apache's HTTP CONNECT method is enabled/disabled?

I don't have much experience in networking nor configuring apache. Correct me if I wrote something silly.

Best Answer

You only need to allow the CONNECT method when you use a forward proxy configuration; in a reverse proxy configuration you won't even need to enable the CONNECT method.

Apache should be configured to function as the "man-in-the-middle", if you will. Or, since the config is not malicious, call it an SSL offloader or SSL termination point.

Typically Apache is configured with your public SSL certificates, and the requests that Apache forwards to your application server are over plain HTTP. If you consider your own LAN hostile you can forward over HTTPS as well, but then Apache will establish a second HTTPS connection.

<VirtualHost 1.2.3.4:443>
  ServerName www.example.com
  SSLEngine on
  SSLCertificateFile /some/path/to/public.cert
  SSLCertificateKeyFile /some/path/to/key
  ProxyPass /app http://appserver.int.example.com/app
  ProxyPassReverse /app http://appserver.int.example.com/app
</VirtualHost>

Or alternatively:

  ProxyPass /app https://appserver.int.example.com/app
  ProxyPassReverse /app https://appserver.int.example.com/app
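To answer the second part of the question (how to check whether CONNECT is accepted), the following is an added example, not from the original post or from the Apache project: it sends one CONNECT request to a given server and classifies the reply. A 2xx status means a tunnel was opened and forward proxying is active; any other status means the tunnel was refused, which is what a reverse-proxy-only host like the one above should return. The function and constant names, the default of tunnelling back to the probed host itself, and the sample responses are all assumptions constructed for this example.

```python
import socket
import ssl

# Constructed sample replies (not captured from a real server), used by self_check().
SAMPLE_ALLOWED = b"HTTP/1.1 200 Connection Established\r\n\r\n"
SAMPLE_REFUSED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST\r\n\r\n"


def parse_status(raw: bytes):
    """Return the numeric status code from the first line of an HTTP reply, or None."""
    line = raw.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def classify(status):
    """Map the status of a CONNECT attempt to the finding it implies."""
    if status is None:
        return "unknown"   # not an HTTP reply at all; inspect by hand
    if 200 <= status < 300:
        return "allowed"   # the server opened a tunnel: forward proxying is active
    return "refused"       # e.g. 400/403/405: the tunnel request was rejected


def connect_probe(host, port=443, use_tls=True, target=None, timeout=5):
    """Send one CONNECT request to host:port and return the status code of the reply."""
    target = target or f"{host}:443"   # assumption: tunnel back to the probed host itself
    req = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode()
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        # A reverse proxy normally listens on 443 behind TLS, so wrap before speaking HTTP.
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(req)
        data = b""
        while b"\r\n" not in data and len(data) < 4096:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
    return parse_status(data)


def self_check():
    """Run the classifier over the constructed samples so the logic can be verified offline."""
    return classify(parse_status(SAMPLE_ALLOWED)), classify(parse_status(SAMPLE_REFUSED))


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 2:
        code = connect_probe(sys.argv[1])
        print(f"CONNECT -> {code}: {classify(code)}")
    else:
        print(self_check())
```

Run it against your own Apache host after changing the configuration to confirm the result is "refused"; with no argument it only exercises the classifier on the constructed samples.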