Ssl – CONNECT Method Allowed in HTTP Server Or HTTP Proxy Server Vulnerability

apache-2.4node.jsreverse-proxysslvulnerabilities

My setup details:

  • OS : RHEL7
  • Webserver : Apache http server(SSL enabled)
  • AppContainer : NodeJS
  • Webserver connects to NodeJS via mod_proxy.

I blocked the connect method in apache http server using below config. But still the connect method vulnerability persists. Do I need to do anything on NodeJS side?

RewriteCond %{REQUEST_METHOD} !^(GET|POST|PUT|DELETE|HEAD)
RewriteRule .* – [R=405,L]

Best Answer

The most common reason for generic problem like this is not enabling mod_rewrite with RewriteEngine on in the context you RewriteRule was placed.

However even if that is the case, I would suggest using <Limit> or <LimitExcept> blocks, or even better do not load mod_proxy_connect at all so that the CONNECT method has no way of being used. If it's handled by you app of course, that would also need disabling.

Additional information after comments:

Do not modify the <Directory /> block that comes with your configuration, it should be left as is.

Also, do not (as I said in my comments) put the <Limit> block inside another block (in your case a <Directory> block. Configuration directives in a <Directory> block only take effect if the request is mapped to the file system, but you are proxying / to another service on example.com, which means no requests are mapped to the file system and so your <Limit> block will never take effect.

Related Topic