├── README.md ├── apisix └── demo1 │ ├── README.md │ ├── apisix │ └── conf.yaml │ ├── backend │ ├── Dockerfile │ ├── requirements.txt │ └── server.py │ ├── docker-compose.yml │ ├── start.sh │ └── static │ ├── 1.jpg │ ├── 2.jpg │ └── 3.jpg ├── haproxy └── demo1 │ ├── README.md │ ├── backend │ ├── Dockerfile │ ├── app.js │ ├── flask_pywsgi.py │ ├── requirements.txt │ ├── secret.txt │ └── socket_server.py │ ├── docker-compose.yml │ ├── haproxy │ └── haproxy.cfg │ ├── start.sh │ └── static │ ├── 0.jpg │ ├── 1.jpg │ └── 3.jpg ├── mod_proxy ├── demo1 │ ├── README.md │ ├── backend │ │ ├── Dockerfile │ │ ├── gunicorn_demo.py │ │ ├── requirements.txt │ │ └── socket_server.py │ ├── docker-compose.yml │ ├── httpd_mod_proxy │ │ ├── Dockerfile │ │ ├── httpd.conf │ │ ├── site.conf │ │ ├── ssl.crt │ │ └── ssl.key │ ├── start.sh │ └── static │ │ ├── 1.jpg │ │ ├── 2.jpg │ │ └── 3.png ├── demo2 │ ├── README.md │ ├── backend │ │ ├── Dockerfile │ │ ├── flask_backend.py │ │ └── requirements.txt │ ├── docker-compose.yml │ ├── httpd_mod_proxy │ │ ├── Dockerfile │ │ ├── httpd.conf │ │ ├── index.html │ │ └── site.conf │ ├── start.sh │ └── static │ │ └── 1.jpg └── demo3 │ ├── README.md │ ├── backend │ ├── Dockerfile │ ├── flask_backend.py │ └── requirements.txt │ ├── docker-compose.yml │ ├── httpd_mod_proxy │ ├── Dockerfile │ ├── httpd.conf │ ├── index.html │ └── site.conf │ ├── start.sh │ └── static │ ├── 1.png │ └── 2.png ├── nginx ├── demo1 │ ├── README.md │ ├── backend │ │ ├── Dockerfile │ │ ├── gunicorn_demo.py │ │ └── requirements.txt │ ├── docker-compose.yml │ ├── nginx │ │ ├── Dockerfile │ │ ├── nginx.conf │ │ └── project.conf │ ├── start.sh │ └── static │ │ └── 1.jpg ├── demo2 │ ├── README.md │ ├── docker-compose.yml │ ├── nginx │ │ ├── Dockerfile │ │ ├── nginx.conf │ │ └── project.conf │ ├── start.sh │ └── static │ │ └── 1.jpg ├── demo3 │ ├── README.md │ ├── docker-compose.yml │ ├── nginx │ │ ├── Dockerfile │ │ ├── nginx.conf │ │ └── project.conf │ ├── start.sh │ └── static │ │ 
├── 1.jpg │ │ └── 2.jpg ├── demo4 │ ├── README.md │ ├── docker-compose.yml │ ├── img.png │ ├── nginx │ │ ├── Dockerfile │ │ └── nginx.conf │ └── start.sh └── demo5 │ ├── README.md │ ├── backend │ ├── Dockerfile │ ├── gunicorn_demo.py │ └── requirements.txt │ ├── docker-compose.yml │ ├── img.png │ ├── nginx │ ├── Dockerfile │ └── nginx.conf │ └── start.sh └── squid └── demo1 ├── README.md ├── backend ├── Dockerfile ├── requirements.txt ├── secret.txt └── server.py ├── docker-compose.yml ├── squid └── squid.conf ├── start.sh └── static └── 1.jpg /README.md: -------------------------------------------------------------------------------- 1 | # Nginx 2 | [Nginx 场景绕过之一: URL white spaces + Gunicorn](https://github.com/CHYbeta/OddProxyDemo/blob/master/nginx/demo1/README.md) 3 | 4 | [Nginx 场景绕过之二: 斜杠(trailing slash) 与 #(Weblogic为例)](https://github.com/CHYbeta/OddProxyDemo/blob/master/nginx/demo2/README.md) 5 | 6 | [Nginx 场景绕过之三: 斜杠(trailing slash) 与 ;(Weblogic为例)](https://github.com/CHYbeta/OddProxyDemo/blob/master/nginx/demo3/README.md) 7 | 8 | [Nginx 场景之四: Nginx X-Accel-Redirect 导致的文件读取](https://github.com/CHYbeta/OddProxyDemo/tree/master/nginx/demo5) 9 | 10 | # Squid 11 | [Squid 场景绕过之一: URN bypass ACL](https://github.com/CHYbeta/OddProxyDemo/blob/master/squid/demo1/README.md) 12 | 13 | # HAProxy 14 | [HAProxy 场景绕过之一: CVE-2021-40346 Content-Length 整型溢出与HTTP Request Smuggling](https://github.com/CHYbeta/OddProxyDemo/tree/master/haproxy/demo1) 15 | 16 | # mod_proxy 17 | [Apache Module mod_proxy 场景绕过之一: Request Method white spaces + Gunicorn CVE-2021-33193](https://github.com/CHYbeta/OddProxyDemo/tree/master/mod_proxy/demo1) 18 | 19 | [Apache Module mod_proxy 场景绕过之二: SSRF CVE-2021-40438](https://github.com/CHYbeta/OddProxyDemo/tree/master/mod_proxy/demo2) -------------------------------------------------------------------------------- /apisix/demo1/README.md: -------------------------------------------------------------------------------- 1 | # README 2 | 3 | ``` 4 | 
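./start.sh

# 关闭
docker-compose rm -fs
```

规则
```
"block_rules": ["^/private(/?).*"]
```

访问 `/public` ,访问到后端的 public

![](static/1.jpg)


访问 `/private` ,触发 block_rules 策略,被拦截。
![](static/2.jpg)

绕过
![](static/3.jpg)

具体可参考 [Apache APISIX uri-blocker 场景绕过之一:$request_uri](https://articles.zsxq.com/id_6owftl6j1iw8.html)


--------------------------------------------------------------------------------
/apisix/demo1/apisix/conf.yaml:
--------------------------------------------------------------------------------
apisix:
  node_listen: 9080 # APISIX listening port
  enable_ipv6: false

  allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
    - 0.0.0.0/0 # We need to restrict ip access rules for security. 0.0.0.0/0 is for test.

  admin_key:
    - name: "admin"
      # This is the well-known key shipped in the upstream example config, and the
      # Admin API is published on the host (port 9080 in docker-compose.yml).
      # Acceptable only inside this lab; anywhere else use a private, randomly
      # generated value and narrow allow_admin above.
      key: edd1c9f034335f136f87ad84b625c8f1
      role: admin # admin: manage all configuration data
                  # viewer: only can view configuration data

etcd:
  host: # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
    - "http://etcd:2379" # multiple etcd address
  prefix: "/apisix" # apisix configurations prefix
  timeout: 30 # 30 seconds

--------------------------------------------------------------------------------
/apisix/demo1/backend/Dockerfile:
--------------------------------------------------------------------------------
FROM python:3.6.7

RUN mkdir -p /backend
COPY . /backend
WORKDIR /backend

RUN python3 -m pip install -r requirements.txt
--------------------------------------------------------------------------------
/apisix/demo1/backend/requirements.txt:
--------------------------------------------------------------------------------
flask
--------------------------------------------------------------------------------
/apisix/demo1/backend/server.py:
--------------------------------------------------------------------------------
"""Minimal upstream for the APISIX uri-blocker demo.

Two routes only: /public is meant to be reachable through the gateway,
/private is the path the gateway's block_rules are supposed to stop.
The backend itself performs no access control.
"""
from flask import Flask, Response

app = Flask(__name__)


@app.route('/public', methods=['GET'])
def public():
    """Unrestricted endpoint; returns the literal body "public"."""
    return "public"


@app.route('/private', methods=['GET'])
def secret():
    """Endpoint that only the gateway policy protects; returns "private"."""
    return "private"


if __name__ == "__main__":
    # debug=True turns on Flask's interactive Werkzeug debugger, and the server
    # binds every interface while docker-compose publishes 8000 on the host.
    # Lab convenience only: never run this combination outside the demo.
    app.run(debug=True, host="0.0.0.0", port=8000)

--------------------------------------------------------------------------------
/apisix/demo1/docker-compose.yml:
--------------------------------------------------------------------------------
version: '3'

services:

  backend:
    container_name: chybeta.apisix.demo1.backend
    restart: always
    build: ./backend
    # Publishing the backend on the host means the uri-blocker policy only
    # covers traffic that actually passes through the gateway. Outside the
    # lab, expose the backend on the internal network only.
    ports:
      - "8000:8000"
    command: python3 server.py
    networks:
      apisix:

  apisix:
    image: apache/apisix:2.10.0-alpine
    container_name: chybeta.apisix.demo1.apisix
    restart: always
    volumes:
      - ./apisix/conf.yaml:/usr/local/apisix/conf/config.yaml
    depends_on:
      - etcd
    ##network_mode: host
    ports:
      - "9080:9080/tcp"
    networks:
      apisix:

  etcd:
    image: bitnami/etcd:3.4.15
    container_name: chybeta.apisix.demo1.etcd
    restart: always
    environment:
      ETCD_ENABLE_V2: "true"
      # No client authentication, and 2379 is published on the host below:
      # anyone who can reach the host can rewrite every APISIX route directly
      # in the store. Lab only; do not reuse this pattern elsewhere.
      ALLOW_NONE_AUTHENTICATION: "yes"
      ETCD_ADVERTISE_CLIENT_URLS: "http://0.0.0.0:2379"
      ETCD_LISTEN_CLIENT_URLS: "http://0.0.0.0:2379"
    ports:
      - "2379:2379/tcp"
    networks:
      apisix:

networks:
  apisix: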
45 | driver: bridge -------------------------------------------------------------------------------- /apisix/demo1/start.sh: -------------------------------------------------------------------------------- 1 | echo killing old docker processes 2 | docker-compose rm -fs 3 | 4 | docker-compose up --build -d 5 | 6 | sleep 5 7 | 8 | curl -i http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' 9 | { 10 | "uri": "/*", 11 | "plugins": { 12 | "uri-blocker": { 13 | "block_rules": ["^/private(/?).*"] 14 | } 15 | }, 16 | "upstream": { 17 | "type": "roundrobin", 18 | "nodes": { 19 | "backend:8000": 1 20 | } 21 | } 22 | }' 23 | -------------------------------------------------------------------------------- /apisix/demo1/static/1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CHYbeta/OddProxyDemo/e782f0e26a2e491b5e964256ee5aa51467bae94c/apisix/demo1/static/1.jpg -------------------------------------------------------------------------------- /apisix/demo1/static/2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CHYbeta/OddProxyDemo/e782f0e26a2e491b5e964256ee5aa51467bae94c/apisix/demo1/static/2.jpg -------------------------------------------------------------------------------- /apisix/demo1/static/3.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CHYbeta/OddProxyDemo/e782f0e26a2e491b5e964256ee5aa51467bae94c/apisix/demo1/static/3.jpg -------------------------------------------------------------------------------- /haproxy/demo1/README.md: -------------------------------------------------------------------------------- 1 | # README 2 | 3 | ``` 4 | ./start.sh 5 | 6 | # 关闭 7 | docker-compose rm -fs 8 | ``` 9 | 10 | 访问 secret,被 HAProxy策略 403 11 | ![](static/3.jpg) 12 | 13 | 绕过 14 | ![](static/0.jpg) 15 | 
![](static/1.jpg) 16 | 17 | 具体分析见 [HAProxy 场景绕过之一: CVE-2021-40346 Content-Length 整型溢出与HTTP Request Smuggling](https://t.zsxq.com/vjIEUfq) -------------------------------------------------------------------------------- /haproxy/demo1/backend/Dockerfile: -------------------------------------------------------------------------------- 1 | #FROM node:12.18.1 2 | #RUN mkdir -p /backend 3 | #COPY . /backend 4 | #WORKDIR /backend 5 | 6 | FROM python:3.6.7 7 | 8 | RUN mkdir -p /backend 9 | COPY . /backend 10 | WORKDIR /backend 11 | 12 | RUN python3 -m pip install -r requirements.txt 13 | -------------------------------------------------------------------------------- /haproxy/demo1/backend/app.js: -------------------------------------------------------------------------------- 1 | var http = require('http'); 2 | 3 | http.createServer(function (req, res) { 4 | res.writeHead(200, {'Content-Type': 'text/plain'}); 5 | var url = req.url; 6 | console.log(url); 7 | if (url === '/secret') { 8 | console.log("hit secret") 9 | res.end("secret\n"); 10 | } else { 11 | res.end("public\n"); 12 | } 13 | }).listen(8000, function () { 14 | console.log("server start at port 8000"); 15 | }); -------------------------------------------------------------------------------- /haproxy/demo1/backend/flask_pywsgi.py: -------------------------------------------------------------------------------- 1 | import logging 2 | 3 | from flask import Flask 4 | from gevent.pywsgi import WSGIServer 5 | from geventwebsocket.handler import WebSocketHandler 6 | 7 | logging.basicConfig(level=logging.INFO) 8 | 9 | app = Flask(__name__) 10 | 11 | 12 | @app.route('/secret', methods=['GET', 'POST']) 13 | def secret(): 14 | logging.info("hit secret.") 15 | return "secret" 16 | 17 | 18 | @app.route('/public', methods=['GET', 'POST']) 19 | def public(): 20 | logging.info("hit public.") 21 | return "public" 22 | 23 | 24 | if __name__ == "__main__": 25 | http_server = WSGIServer(('0.0.0.0', 8000), app, 
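handler_class=WebSocketHandler)
    http_server.serve_forever()

--------------------------------------------------------------------------------
/haproxy/demo1/backend/requirements.txt:
--------------------------------------------------------------------------------
flask
gevent
gevent-websocket
--------------------------------------------------------------------------------
/haproxy/demo1/backend/secret.txt:
--------------------------------------------------------------------------------
private
--------------------------------------------------------------------------------
/haproxy/demo1/backend/socket_server.py:
--------------------------------------------------------------------------------
import multiprocessing
import socket


def handle(connection, address):
    """Serve one accepted connection in a child process.

    Echoes every chunk read from ``connection`` straight back to the peer
    until the peer closes its side, then closes the socket.

    Args:
        connection: the accepted ``socket.socket``.
        address: the peer address tuple, used only for the logger name.
    """
    import logging
    logging.basicConfig(level=logging.DEBUG)
    logger = logging.getLogger("process-%r" % (address,))
    try:
        logger.debug("Connected %r at %r", connection, address)
        while True:
            data = connection.recv(1024)
            # recv() returns bytes on Python 3 (the image is python:3.6.7), so
            # comparing against the str "" never matched and a closed peer kept
            # this loop spinning. An empty buffer is the EOF signal.
            if not data:
                logger.debug("Socket closed remotely")
                break
            logger.debug("Received data %r", data)
            connection.sendall(data)
            logger.debug("Sent data")
    except Exception:
        logger.exception("Problem handling request")
    finally:
        logger.debug("Closing socket")
        connection.close()


class Server(object):
    """Blocking TCP acceptor that hands each connection to a child process."""

    def __init__(self, hostname, port):
        import logging
        self.logger = logging.getLogger("server")
        self.hostname = hostname
        self.port = port

    def start(self):
        """Bind, listen, and fork one ``handle`` process per connection. Never returns."""
        self.logger.debug("listening")
        self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Allow an immediate restart while old connections sit in TIME_WAIT.
        self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.socket.bind((self.hostname, self.port))
        self.socket.listen(1)

        while True:
            conn, address = self.socket.accept()
            self.logger.debug("Got connection")
            process = multiprocessing.Process(target=handle, args=(conn, address))
            process.daemon = True
            process.start()
            self.logger.debug("Started process %r", process)
            # The child owns the connection now; dropping the parent's copy of
            # the descriptor lets the child's close() actually end the
            # connection and stops the parent from leaking one fd per client.
            conn.close()


if __name__ == "__main__":
    import logging

    logging.basicConfig(level=logging.DEBUG)
    server = Server("0.0.0.0", 8000)
    try:
        logging.info("Listening")
        server.start()
    except:
        logging.exception("Unexpected exception")
    finally:
        logging.info("Shutting down")
        for process in multiprocessing.active_children():
            logging.info("Shutting down process %r", process)
            process.terminate()
            process.join()
        logging.info("All done")

--------------------------------------------------------------------------------
/haproxy/demo1/docker-compose.yml:
--------------------------------------------------------------------------------
version: '3'

services:
  backend_server1:
    build: ./backend
    expose:
      - 8000
    # command: node app.js
    command: python3 flask_pywsgi.py

  haproxy:
    # Deliberately pinned to a release affected by CVE-2021-40346 (see the
    # README); that is the point of this demo. Any real deployment must run
    # a fixed HAProxy release instead.
    image: haproxy:2.4.3-alpine
    volumes:
      - ./haproxy:/haproxy-override
      - ./haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
    links:
      - backend_server1
    ports:
      - "80:8888"
--------------------------------------------------------------------------------
/haproxy/demo1/haproxy/haproxy.cfg:
--------------------------------------------------------------------------------
global
    daemon
    maxconn 256

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend balancer
    bind 0.0.0.0:8888
    mode http
    default_backend backend_server
    # This path-prefix deny is the only control in front of /secret; the
    # backend (flask_pywsgi.py) answers /secret to anyone, so in a real
    # deployment the backend must enforce the restriction itself as well.
    http-request deny if { path_beg /secret }

backend backend_server
    option http-keep-alive
    option forwardfor
    server backend_server1 backend_server1:8000 maxconn 32

--------------------------------------------------------------------------------
/haproxy/demo1/start.sh: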
-------------------------------------------------------------------------------- 1 | echo killing old docker processes 2 | docker-compose rm -fs 3 | 4 | echo building docker containers 5 | docker-compose up --build -d -------------------------------------------------------------------------------- /haproxy/demo1/static/0.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CHYbeta/OddProxyDemo/e782f0e26a2e491b5e964256ee5aa51467bae94c/haproxy/demo1/static/0.jpg -------------------------------------------------------------------------------- /haproxy/demo1/static/1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CHYbeta/OddProxyDemo/e782f0e26a2e491b5e964256ee5aa51467bae94c/haproxy/demo1/static/1.jpg -------------------------------------------------------------------------------- /haproxy/demo1/static/3.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CHYbeta/OddProxyDemo/e782f0e26a2e491b5e964256ee5aa51467bae94c/haproxy/demo1/static/3.jpg -------------------------------------------------------------------------------- /mod_proxy/demo1/README.md: -------------------------------------------------------------------------------- 1 | # README 2 | 3 | ``` 4 | ./start.sh 5 | 6 | # 关闭 7 | docker-compose rm -fs 8 | ``` 9 | 10 | 规则 11 | ``` 12 | ProxyPassMatch "/backend/private" ! 
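ProxyPass "/backend" http://backend_server1:5000
```

访问 `/backend/public` ,触发 Apache httpd 的 ProxyPass 策略,访问到后端的 public

![](static/1.jpg)


访问 `/backend/private` ,触发 Apache httpd 的 ProxyPassMatch 策略,被拦截没有转发
![](static/2.jpg)

绕过
![](static/3.png)

具体可参考 [Apache Module mod_proxy 场景绕过之一: Request Method white spaces](https://t.zsxq.com/eiM37Y3)

# Reference
https://httpd.apache.org/security/vulnerabilities_24.html
--------------------------------------------------------------------------------
/mod_proxy/demo1/backend/Dockerfile:
--------------------------------------------------------------------------------
FROM python:3.6.7

RUN mkdir -p /backend
COPY . /backend
WORKDIR /backend

RUN python3 -m pip install -r requirements.txt

--------------------------------------------------------------------------------
/mod_proxy/demo1/backend/gunicorn_demo.py:
--------------------------------------------------------------------------------
"""Upstream for the mod_proxy demo.

docker-compose starts this module through gunicorn (``gunicorn_demo:app``),
so only ``app`` is used there; the ``__main__`` block is a convenience for
running the file directly. Neither route does any access control: keeping
/private out of reach is left entirely to the ProxyPassMatch rule in httpd.
"""
from flask import Flask

app = Flask(__name__)


@app.route('/public', methods=['GET'])
def public():
    """Unrestricted endpoint; returns "public endpoint"."""
    return "public endpoint"


@app.route('/private', methods=['GET'])
def private():
    """Endpoint that only the proxy rule protects; returns "private endpoint"."""
    return "private endpoint"


if __name__ == "__main__":
    app.run(host="0.0.0.0", port="5000")

--------------------------------------------------------------------------------
/mod_proxy/demo1/backend/requirements.txt:
--------------------------------------------------------------------------------
gunicorn
flask
--------------------------------------------------------------------------------
/mod_proxy/demo1/backend/socket_server.py:
--------------------------------------------------------------------------------
import multiprocessing
import socket


def handle(connection, address):
    """Serve one accepted connection in a child process.

    Echoes every chunk read from ``connection`` straight back to the peer
    until the peer closes its side, then closes the socket.

    Args:
        connection: the accepted ``socket.socket``.
        address: the peer address tuple, used only for the logger name.
    """
    import logging
    logging.basicConfig(level=logging.DEBUG)
    logger = logging.getLogger("process-%r" % (address,))
    try:
        logger.debug("Connected %r at %r", connection, address)
        while True:
            data = connection.recv(1024)
            # recv() returns bytes on Python 3 (the image is python:3.6.7), so
            # comparing against the str "" never matched and a closed peer kept
            # this loop spinning. An empty buffer is the EOF signal.
            if not data:
                logger.debug("Socket closed remotely")
                break
            logger.debug("Received data %r", data)
            connection.sendall(data)
            logger.debug("Sent data")
    except Exception:
        logger.exception("Problem handling request")
    finally:
        logger.debug("Closing socket")
        connection.close()


class Server(object):
    """Blocking TCP acceptor that hands each connection to a child process."""

    def __init__(self, hostname, port):
        import logging
        self.logger = logging.getLogger("server")
        self.hostname = hostname
        self.port = port

    def start(self):
        """Bind, listen, and fork one ``handle`` process per connection. Never returns."""
        self.logger.debug("listening")
        self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Allow an immediate restart while old connections sit in TIME_WAIT.
        self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.socket.bind((self.hostname, self.port))
        self.socket.listen(1)

        while True:
            conn, address = self.socket.accept()
            self.logger.debug("Got connection")
            process = multiprocessing.Process(target=handle, args=(conn, address))
            process.daemon = True
            process.start()
            self.logger.debug("Started process %r", process)
            # The child owns the connection now; dropping the parent's copy of
            # the descriptor lets the child's close() actually end the
            # connection and stops the parent from leaking one fd per client.
            conn.close()


if __name__ == "__main__":
    import logging

    logging.basicConfig(level=logging.DEBUG)
    server = Server("0.0.0.0", 5000)
    try:
        logging.info("Listening")
        server.start()
    except:
        logging.exception("Unexpected exception")
    finally:
        logging.info("Shutting down")
        for process in multiprocessing.active_children():
            logging.info("Shutting down process %r", process)
            process.terminate()
            process.join()
        logging.info("All done")

--------------------------------------------------------------------------------
/mod_proxy/demo1/docker-compose.yml:
--------------------------------------------------------------------------------
version: '3'

services:
  backend_server1:
    build: ./backend
    expose:
      - 5000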
command: gunicorn -w 1 -b :5000 gunicorn_demo:app 9 | # command: python3 socket_server.py 10 | 11 | httpd_mod_proxy: 12 | build: ./httpd_mod_proxy 13 | links: 14 | - backend_server1 15 | ports: 16 | - 443:443 17 | -------------------------------------------------------------------------------- /mod_proxy/demo1/httpd_mod_proxy/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM httpd:2.4.47 2 | 3 | # to Copy a file named httpd.conf from present working directory to the /usr/local/apache2/conf inside the container 4 | # I have taken the Standard httpd.conf file and enabled the necassary modules and adding Support for an additional Directory 5 | COPY httpd.conf /usr/local/apache2/conf/httpd.conf 6 | COPY ssl.crt /usr/local/apache2/conf/server.crt 7 | COPY ssl.key /usr/local/apache2/conf/server.key 8 | COPY site.conf /usr/local/apache2/conf/sites/site.conf 9 | 10 | 11 | # This is the Additional Directory where we are going to keep our Virtualhost configuraiton files 12 | # You can use the image to create N number of different virtual hosts 13 | 14 | # To tell docker to expose this port 15 | EXPOSE 443 16 | 17 | # The Base command, This command should be used to start the container 18 | # Remember, A Container is a Process.As long as the base process (started by base cmd) is live the Container will be ALIVE. 19 | CMD ["httpd", "-D", "FOREGROUND"] -------------------------------------------------------------------------------- /mod_proxy/demo1/httpd_mod_proxy/httpd.conf: -------------------------------------------------------------------------------- 1 | # 2 | # This is the main Apache HTTP server configuration file. It contains the 3 | # configuration directives that give the server its instructions. 4 | # See for detailed information. 5 | # In particular, see 6 | # 7 | # for a discussion of each configuration directive. 8 | # 9 | # Do NOT simply read the instructions in here without understanding 10 | # what they do. 
They're here only as hints or reminders. If you are unsure 11 | # consult the online docs. You have been warned. 12 | # 13 | # Configuration and logfile names: If the filenames you specify for many 14 | # of the server's control files begin with "/" (or "drive:/" for Win32), the 15 | # server will use that explicit path. If the filenames do *not* begin 16 | # with "/", the value of ServerRoot is prepended -- so "logs/access_log" 17 | # with ServerRoot set to "/usr/local/apache2" will be interpreted by the 18 | # server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" 19 | # will be interpreted as '/logs/access_log'. 20 | 21 | # 22 | # ServerRoot: The top of the directory tree under which the server's 23 | # configuration, error, and log files are kept. 24 | # 25 | # Do not add a slash at the end of the directory path. If you point 26 | # ServerRoot at a non-local disk, be sure to specify a local disk on the 27 | # Mutex directive, if file-based mutexes are used. If you wish to share the 28 | # same ServerRoot for multiple httpd daemons, you will need to change at 29 | # least PidFile. 30 | # 31 | ServerRoot "/usr/local/apache2" 32 | 33 | # 34 | # Mutex: Allows you to set the mutex mechanism and mutex file directory 35 | # for individual mutexes, or change the global defaults 36 | # 37 | # Uncomment and change the directory if mutexes are file-based and the default 38 | # mutex file directory is not on a local disk or is not appropriate for some 39 | # other reason. 40 | # 41 | # Mutex default:logs 42 | 43 | # 44 | # Listen: Allows you to bind Apache to specific IP addresses and/or 45 | # ports, instead of the default. See also the 46 | # directive. 47 | # 48 | # Change this to Listen on specific IP addresses as shown below to 49 | # prevent Apache from glomming onto all bound IP addresses. 
50 | # 51 | #Listen 12.34.56.78:80 52 | Listen 80 53 | 54 | # 55 | # Dynamic Shared Object (DSO) Support 56 | # 57 | # To be able to use the functionality of a module which was built as a DSO you 58 | # have to place corresponding `LoadModule' lines at this location so the 59 | # directives contained in it are actually available _before_ they are used. 60 | # Statically compiled modules (those listed by `httpd -l') do not need 61 | # to be loaded here. 62 | # 63 | # Example: 64 | # LoadModule foo_module modules/mod_foo.so 65 | # 66 | LoadModule mpm_event_module modules/mod_mpm_event.so 67 | #LoadModule mpm_prefork_module modules/mod_mpm_prefork.so 68 | #LoadModule mpm_worker_module modules/mod_mpm_worker.so 69 | LoadModule authn_file_module modules/mod_authn_file.so 70 | #LoadModule authn_dbm_module modules/mod_authn_dbm.so 71 | #LoadModule authn_anon_module modules/mod_authn_anon.so 72 | #LoadModule authn_dbd_module modules/mod_authn_dbd.so 73 | #LoadModule authn_socache_module modules/mod_authn_socache.so 74 | LoadModule authn_core_module modules/mod_authn_core.so 75 | LoadModule authz_host_module modules/mod_authz_host.so 76 | LoadModule authz_groupfile_module modules/mod_authz_groupfile.so 77 | LoadModule authz_user_module modules/mod_authz_user.so 78 | #LoadModule authz_dbm_module modules/mod_authz_dbm.so 79 | #LoadModule authz_owner_module modules/mod_authz_owner.so 80 | #LoadModule authz_dbd_module modules/mod_authz_dbd.so 81 | LoadModule authz_core_module modules/mod_authz_core.so 82 | #LoadModule authnz_ldap_module modules/mod_authnz_ldap.so 83 | #LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so 84 | LoadModule access_compat_module modules/mod_access_compat.so 85 | LoadModule auth_basic_module modules/mod_auth_basic.so 86 | #LoadModule auth_form_module modules/mod_auth_form.so 87 | #LoadModule auth_digest_module modules/mod_auth_digest.so 88 | #LoadModule allowmethods_module modules/mod_allowmethods.so 89 | #LoadModule isapi_module 
modules/mod_isapi.so 90 | #LoadModule file_cache_module modules/mod_file_cache.so 91 | #LoadModule cache_module modules/mod_cache.so 92 | #LoadModule cache_disk_module modules/mod_cache_disk.so 93 | #LoadModule cache_socache_module modules/mod_cache_socache.so 94 | LoadModule socache_shmcb_module modules/mod_socache_shmcb.so 95 | #LoadModule socache_dbm_module modules/mod_socache_dbm.so 96 | #LoadModule socache_memcache_module modules/mod_socache_memcache.so 97 | #LoadModule socache_redis_module modules/mod_socache_redis.so 98 | LoadModule watchdog_module modules/mod_watchdog.so 99 | #LoadModule macro_module modules/mod_macro.so 100 | #LoadModule dbd_module modules/mod_dbd.so 101 | #LoadModule bucketeer_module modules/mod_bucketeer.so 102 | #LoadModule dumpio_module modules/mod_dumpio.so 103 | #LoadModule echo_module modules/mod_echo.so 104 | #LoadModule example_hooks_module modules/mod_example_hooks.so 105 | #LoadModule case_filter_module modules/mod_case_filter.so 106 | #LoadModule case_filter_in_module modules/mod_case_filter_in.so 107 | #LoadModule example_ipc_module modules/mod_example_ipc.so 108 | #LoadModule buffer_module modules/mod_buffer.so 109 | #LoadModule data_module modules/mod_data.so 110 | #LoadModule ratelimit_module modules/mod_ratelimit.so 111 | LoadModule reqtimeout_module modules/mod_reqtimeout.so 112 | #LoadModule ext_filter_module modules/mod_ext_filter.so 113 | #LoadModule request_module modules/mod_request.so 114 | #LoadModule include_module modules/mod_include.so 115 | LoadModule filter_module modules/mod_filter.so 116 | #LoadModule reflector_module modules/mod_reflector.so 117 | #LoadModule substitute_module modules/mod_substitute.so 118 | #LoadModule sed_module modules/mod_sed.so 119 | #LoadModule charset_lite_module modules/mod_charset_lite.so 120 | #LoadModule deflate_module modules/mod_deflate.so 121 | #LoadModule xml2enc_module modules/mod_xml2enc.so 122 | #LoadModule proxy_html_module modules/mod_proxy_html.so 123 | LoadModule 
mime_module modules/mod_mime.so 124 | #LoadModule ldap_module modules/mod_ldap.so 125 | LoadModule log_config_module modules/mod_log_config.so 126 | #LoadModule log_debug_module modules/mod_log_debug.so 127 | #LoadModule log_forensic_module modules/mod_log_forensic.so 128 | #LoadModule logio_module modules/mod_logio.so 129 | #LoadModule lua_module modules/mod_lua.so 130 | LoadModule env_module modules/mod_env.so 131 | #LoadModule mime_magic_module modules/mod_mime_magic.so 132 | #LoadModule cern_meta_module modules/mod_cern_meta.so 133 | #LoadModule expires_module modules/mod_expires.so 134 | LoadModule headers_module modules/mod_headers.so 135 | #LoadModule ident_module modules/mod_ident.so 136 | #LoadModule usertrack_module modules/mod_usertrack.so 137 | #LoadModule unique_id_module modules/mod_unique_id.so 138 | LoadModule setenvif_module modules/mod_setenvif.so 139 | LoadModule version_module modules/mod_version.so 140 | #LoadModule remoteip_module modules/mod_remoteip.so 141 | LoadModule proxy_module modules/mod_proxy.so 142 | # LoadModule proxy_connect_module modules/mod_proxy_connect.so 143 | # LoadModule proxy_ftp_module modules/mod_proxy_ftp.so 144 | LoadModule proxy_http_module modules/mod_proxy_http.so 145 | # LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so 146 | # LoadModule proxy_scgi_module modules/mod_proxy_scgi.so 147 | LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so 148 | # LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so 149 | # LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so 150 | # LoadModule proxy_ajp_module modules/mod_proxy_ajp.so 151 | # LoadModule proxy_balancer_module modules/mod_proxy_balancer.so 152 | # LoadModule proxy_express_module modules/mod_proxy_express.so 153 | # LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so 154 | #LoadModule session_module modules/mod_session.so 155 | #LoadModule session_cookie_module modules/mod_session_cookie.so 156 | #LoadModule session_crypto_module 
modules/mod_session_crypto.so 157 | #LoadModule session_dbd_module modules/mod_session_dbd.so 158 | LoadModule slotmem_shm_module modules/mod_slotmem_shm.so 159 | #LoadModule slotmem_plain_module modules/mod_slotmem_plain.so 160 | LoadModule ssl_module modules/mod_ssl.so 161 | #LoadModule optional_hook_export_module modules/mod_optional_hook_export.so 162 | #LoadModule optional_hook_import_module modules/mod_optional_hook_import.so 163 | #LoadModule optional_fn_import_module modules/mod_optional_fn_import.so 164 | #LoadModule optional_fn_export_module modules/mod_optional_fn_export.so 165 | #LoadModule dialup_module modules/mod_dialup.so 166 | LoadModule http2_module modules/mod_http2.so 167 | LoadModule proxy_http2_module modules/mod_proxy_http2.so 168 | #LoadModule md_module modules/mod_md.so 169 | LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so 170 | LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so 171 | LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so 172 | LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so 173 | LoadModule unixd_module modules/mod_unixd.so 174 | #LoadModule heartbeat_module modules/mod_heartbeat.so 175 | #LoadModule heartmonitor_module modules/mod_heartmonitor.so 176 | #LoadModule dav_module modules/mod_dav.so 177 | LoadModule status_module modules/mod_status.so 178 | LoadModule autoindex_module modules/mod_autoindex.so 179 | #LoadModule asis_module modules/mod_asis.so 180 | #LoadModule info_module modules/mod_info.so 181 | #LoadModule suexec_module modules/mod_suexec.so 182 | 183 | #LoadModule cgid_module modules/mod_cgid.so 184 | 185 | 186 | #LoadModule cgi_module modules/mod_cgi.so 187 | 188 | #LoadModule dav_fs_module modules/mod_dav_fs.so 189 | #LoadModule dav_lock_module modules/mod_dav_lock.so 190 | #LoadModule vhost_alias_module modules/mod_vhost_alias.so 191 | #LoadModule negotiation_module modules/mod_negotiation.so 192 | LoadModule dir_module 
modules/mod_dir.so 193 | #LoadModule imagemap_module modules/mod_imagemap.so 194 | #LoadModule actions_module modules/mod_actions.so 195 | #LoadModule speling_module modules/mod_speling.so 196 | #LoadModule userdir_module modules/mod_userdir.so 197 | LoadModule alias_module modules/mod_alias.so 198 | #LoadModule rewrite_module modules/mod_rewrite.so 199 | 200 | 201 | # 202 | # If you wish httpd to run as a different user or group, you must run 203 | # httpd as root initially and it will switch. 204 | # 205 | # User/Group: The name (or #number) of the user/group to run httpd as. 206 | # It is usually good practice to create a dedicated user and group for 207 | # running httpd, as with most system services. 208 | # 209 | User daemon 210 | Group daemon 211 | 212 | 213 | 214 | # 'Main' server configuration 215 | # 216 | # The directives in this section set up the values used by the 'main' 217 | # server, which responds to any requests that aren't handled by a 218 | # definition. These values also provide defaults for 219 | # any containers you may define later in the file. 220 | # 221 | # All of these directives may appear inside containers, 222 | # in which case these default settings will be overridden for the 223 | # virtual host being defined. 224 | # 225 | 226 | # 227 | # ServerAdmin: Your address, where problems with the server should be 228 | # e-mailed. This address appears on some server-generated pages, such 229 | # as error documents. e.g. admin@your-domain.com 230 | # 231 | ServerAdmin you@example.com 232 | 233 | # 234 | # ServerName gives the name and port that the server uses to identify itself. 235 | # This can often be determined automatically, but we recommend you specify 236 | # it explicitly to prevent problems during startup. 237 | # 238 | # If your host doesn't have a registered DNS name, enter its IP address here. 239 | # 240 | #ServerName www.example.com:80 241 | 242 | # 243 | # Deny access to the entirety of your server's filesystem. 
You must 244 | # explicitly permit access to web content directories in other 245 | # blocks below. 246 | # 247 | 248 | AllowOverride none 249 | Require all denied 250 | 251 | 252 | # 253 | # Note that from this point forward you must specifically allow 254 | # particular features to be enabled - so if something's not working as 255 | # you might expect, make sure that you have specifically enabled it 256 | # below. 257 | # 258 | 259 | # 260 | # DocumentRoot: The directory out of which you will serve your 261 | # documents. By default, all requests are taken from this directory, but 262 | # symbolic links and aliases may be used to point to other locations. 263 | # 264 | DocumentRoot "/usr/local/apache2/htdocs" 265 | 266 | # 267 | # Possible values for the Options directive are "None", "All", 268 | # or any combination of: 269 | # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews 270 | # 271 | # Note that "MultiViews" must be named *explicitly* --- "Options All" 272 | # doesn't give it to you. 273 | # 274 | # The Options directive is both complicated and important. Please see 275 | # http://httpd.apache.org/docs/2.4/mod/core.html#options 276 | # for more information. 277 | # 278 | Options Indexes FollowSymLinks 279 | 280 | # 281 | # AllowOverride controls what directives may be placed in .htaccess files. 282 | # It can be "All", "None", or any combination of the keywords: 283 | # AllowOverride FileInfo AuthConfig Limit 284 | # 285 | AllowOverride None 286 | 287 | # 288 | # Controls who can get stuff from this server. 289 | # 290 | Require all granted 291 | 292 | 293 | # 294 | # DirectoryIndex: sets the file that Apache will serve if a directory 295 | # is requested. 296 | # 297 | 298 | DirectoryIndex index.html 299 | 300 | 301 | # 302 | # The following lines prevent .htaccess and .htpasswd files from being 303 | # viewed by Web clients. 
304 | # 305 | 306 | Require all denied 307 | 308 | 309 | # 310 | # ErrorLog: The location of the error log file. 311 | # If you do not specify an ErrorLog directive within a 312 | # container, error messages relating to that virtual host will be 313 | # logged here. If you *do* define an error logfile for a 314 | # container, that host's errors will be logged there and not here. 315 | # 316 | ErrorLog /proc/self/fd/2 317 | 318 | # 319 | # LogLevel: Control the number of messages logged to the error_log. 320 | # Possible values include: debug, info, notice, warn, error, crit, 321 | # alert, emerg. 322 | # 323 | LogLevel warn 324 | 325 | 326 | # 327 | # The following directives define some format nicknames for use with 328 | # a CustomLog directive (see below). 329 | # 330 | LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined 331 | LogFormat "%h %l %u %t \"%r\" %>s %b" common 332 | 333 | 334 | # You need to enable mod_logio.c to use %I and %O 335 | LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio 336 | 337 | 338 | # 339 | # The location and format of the access logfile (Common Logfile Format). 340 | # If you do not define any access logfiles within a 341 | # container, they will be logged here. Contrariwise, if you *do* 342 | # define per- access logfiles, transactions will be 343 | # logged therein and *not* in this file. 344 | # 345 | CustomLog /proc/self/fd/1 common 346 | 347 | # 348 | # If you prefer a logfile with access, agent, and referer information 349 | # (Combined Logfile Format) you can use the following directive. 350 | # 351 | #CustomLog "logs/access_log" combined 352 | 353 | 354 | 355 | # 356 | # Redirect: Allows you to tell clients about documents that used to 357 | # exist in your server's namespace, but do not anymore. The client 358 | # will make a new request for the document at its new location. 
359 | # Example: 360 | # Redirect permanent /foo http://www.example.com/bar 361 | 362 | # 363 | # Alias: Maps web paths into filesystem paths and is used to 364 | # access content that does not live under the DocumentRoot. 365 | # Example: 366 | # Alias /webpath /full/filesystem/path 367 | # 368 | # If you include a trailing / on /webpath then the server will 369 | # require it to be present in the URL. You will also likely 370 | # need to provide a section to allow access to 371 | # the filesystem path. 372 | 373 | # 374 | # ScriptAlias: This controls which directories contain server scripts. 375 | # ScriptAliases are essentially the same as Aliases, except that 376 | # documents in the target directory are treated as applications and 377 | # run by the server when requested rather than as documents sent to the 378 | # client. The same rules about trailing "/" apply to ScriptAlias 379 | # directives as to Alias. 380 | # 381 | ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/" 382 | 383 | 384 | 385 | 386 | # 387 | # ScriptSock: On threaded servers, designate the path to the UNIX 388 | # socket used to communicate with the CGI daemon of mod_cgid. 389 | # 390 | #Scriptsock cgisock 391 | 392 | 393 | # 394 | # "/usr/local/apache2/cgi-bin" should be changed to whatever your ScriptAliased 395 | # CGI directory exists, if you have that configured. 396 | # 397 | 398 | AllowOverride None 399 | Options None 400 | Require all granted 401 | 402 | 403 | 404 | # 405 | # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied 406 | # backend servers which have lingering "httpoxy" defects. 407 | # 'Proxy' request header is undefined by the IETF, not listed by IANA 408 | # 409 | RequestHeader unset Proxy early 410 | 411 | 412 | 413 | # 414 | # TypesConfig points to the file containing the list of mappings from 415 | # filename extension to MIME-type. 
416 | # 417 | TypesConfig conf/mime.types 418 | 419 | # 420 | # AddType allows you to add to or override the MIME configuration 421 | # file specified in TypesConfig for specific file types. 422 | # 423 | #AddType application/x-gzip .tgz 424 | # 425 | # AddEncoding allows you to have certain browsers uncompress 426 | # information on the fly. Note: Not all browsers support this. 427 | # 428 | #AddEncoding x-compress .Z 429 | #AddEncoding x-gzip .gz .tgz 430 | # 431 | # If the AddEncoding directives above are commented-out, then you 432 | # probably should define those extensions to indicate media types: 433 | # 434 | AddType application/x-compress .Z 435 | AddType application/x-gzip .gz .tgz 436 | 437 | # 438 | # AddHandler allows you to map certain file extensions to "handlers": 439 | # actions unrelated to filetype. These can be either built into the server 440 | # or added with the Action directive (see below) 441 | # 442 | # To use CGI scripts outside of ScriptAliased directories: 443 | # (You will also need to add "ExecCGI" to the "Options" directive.) 444 | # 445 | #AddHandler cgi-script .cgi 446 | 447 | # For type maps (negotiated resources): 448 | #AddHandler type-map var 449 | 450 | # 451 | # Filters allow you to process content before it is sent to the client. 452 | # 453 | # To parse .shtml files for server-side includes (SSI): 454 | # (You will also need to add "Includes" to the "Options" directive.) 455 | # 456 | #AddType text/html .shtml 457 | #AddOutputFilter INCLUDES .shtml 458 | 459 | 460 | # 461 | # The mod_mime_magic module allows the server to use various hints from the 462 | # contents of the file itself to determine its type. The MIMEMagicFile 463 | # directive tells the module where the hint definitions are located. 
464 | # 465 | #MIMEMagicFile conf/magic 466 | 467 | # 468 | # Customizable error responses come in three flavors: 469 | # 1) plain text 2) local redirects 3) external redirects 470 | # 471 | # Some examples: 472 | #ErrorDocument 500 "The server made a boo boo." 473 | #ErrorDocument 404 /missing.html 474 | #ErrorDocument 404 "/cgi-bin/missing_handler.pl" 475 | #ErrorDocument 402 http://www.example.com/subscription_info.html 476 | # 477 | 478 | # 479 | # MaxRanges: Maximum number of Ranges in a request before 480 | # returning the entire resource, or one of the special 481 | # values 'default', 'none' or 'unlimited'. 482 | # Default setting is to accept 200 Ranges. 483 | #MaxRanges unlimited 484 | 485 | # 486 | # EnableMMAP and EnableSendfile: On systems that support it, 487 | # memory-mapping or the sendfile syscall may be used to deliver 488 | # files. This usually improves server performance, but must 489 | # be turned off when serving from networked-mounted 490 | # filesystems or if support for these functions is otherwise 491 | # broken on your system. 492 | # Defaults: EnableMMAP On, EnableSendfile Off 493 | # 494 | #EnableMMAP off 495 | #EnableSendfile on 496 | 497 | # Supplemental configuration 498 | # 499 | # The configuration files in the conf/extra/ directory can be 500 | # included to add extra features or to modify the default configuration of 501 | # the server, or you may simply copy their contents here and change as 502 | # necessary. 
503 | 504 | # Server-pool management (MPM specific) 505 | #Include conf/extra/httpd-mpm.conf 506 | 507 | # Multi-language error messages 508 | #Include conf/extra/httpd-multilang-errordoc.conf 509 | 510 | # Fancy directory listings 511 | #Include conf/extra/httpd-autoindex.conf 512 | 513 | # Language settings 514 | #Include conf/extra/httpd-languages.conf 515 | 516 | # User home directories 517 | #Include conf/extra/httpd-userdir.conf 518 | 519 | # Real-time info on requests and configuration 520 | #Include conf/extra/httpd-info.conf 521 | 522 | # Virtual hosts 523 | #Include conf/extra/httpd-vhosts.conf 524 | 525 | # Local access to the Apache HTTP Server Manual 526 | #Include conf/extra/httpd-manual.conf 527 | 528 | # Distributed authoring and versioning (WebDAV) 529 | #Include conf/extra/httpd-dav.conf 530 | 531 | # Various default settings 532 | #Include conf/extra/httpd-default.conf 533 | 534 | # Configure mod_proxy_html to understand HTML4/XHTML1 535 | 536 | Include conf/extra/proxy-html.conf 537 | 538 | 539 | # Secure (SSL/TLS) connections 540 | # Include conf/extra/httpd-ssl.conf 541 | # 542 | # Note: The following must be present to support 543 | # starting without SSL on platforms with no /dev/random equivalent 544 | # but a statically compiled-in mod_ssl. 
545 | # 546 | 547 | SSLRandomSeed startup builtin 548 | SSLRandomSeed connect builtin 549 | 550 | 551 | # To Load Customer VirtualHost Configuration files 552 | IncludeOptional conf/sites/*.conf 553 | -------------------------------------------------------------------------------- /mod_proxy/demo1/httpd_mod_proxy/site.conf: -------------------------------------------------------------------------------- 1 | Listen 443 2 | 3 | 4 | 5 | ServerName chybeta4.httpd 6 | ServerAlias chybeta4.httpd 7 | ServerAdmin chybet4@gmail.com 8 | 9 | H2Direct on 10 | 11 | Protocols h2 h2c http/1.1 12 | 13 | #Load the SSL module that is needed to terminate SSL on Apache 14 | LoadModule ssl_module modules/mod_ssl.so 15 | 16 | #This directive toggles the usage of the SSL/TLS Protocol Engine for proxy. Without this you cannot use HTTPS URL as your Origin Server 17 | SSLProxyEngine on 18 | SSLProtocol all -SSLv2 -SSLv3 19 | SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK 20 | SSLCertificateFile /usr/local/apache2/conf/server.crt 21 | SSLCertificateKeyFile /usr/local/apache2/conf/server.key 22 | # To prevent SSL Offloading 23 | # Set the X-Forwarded-Proto to be https for your Origin Server to understand that this request is made over HTTPS #https://httpd.apache.org/docs/2.2/mod/mod_headers.html#requestheader. 24 | RequestHeader set X-Forwarded-Proto "https" 25 | RequestHeader set X-Forwarded-Port "443" 26 | 27 | ProxyPassMatch "/backend/private" ! 
28 | ProxyPass "/backend" http://backend_server1:5000 29 | 30 | 31 | -------------------------------------------------------------------------------- /mod_proxy/demo1/httpd_mod_proxy/ssl.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDXTCCAkWgAwIBAgIJAKJAvEqSewQHMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV 3 | BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX 4 | aWRnaXRzIFB0eSBMdGQwHhcNMjEwOTE3MDcyMzEyWhcNMjIwOTE3MDcyMzEyWjBF 5 | MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 6 | ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB 7 | CgKCAQEAp+vbQ6kkTEy3lsC7m5mA2wgWW3X0w0MVHlMtP/CVw+yCsjR6VYb89An1 8 | idmdNsrJSXyaPvGarWdBVY9ioO9RB4S7yTpWeuvU5JAFX+aKQOIYuzRYKtDuj65k 9 | Bb/NdTR1fQPf3K+uyP7UGEWD3l6cSgRiaUimqCX8lzUhCl/Wu+jTXWP6RmSah/qz 10 | 7y8gssZ7hiNH1BiinlaqtRXwdHN7aHYNS+2WI36IPJopAxvwNTAcEa0yhUdouau3 11 | 1cZC9KMVE8tRvKYk3R9y77cYHzIeJefvkH2poN8mYKP8Waq3+QAVunTfoqzUzC7j 12 | lhXAfmYdYZw/RFPtFtMEOwL36lk01wIDAQABo1AwTjAdBgNVHQ4EFgQUSvz1k2ES 13 | V2WnD0/OEck8xAl3NEQwHwYDVR0jBBgwFoAUSvz1k2ESV2WnD0/OEck8xAl3NEQw 14 | DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAOsGr3OB26EEXkxxpEga7 15 | E4HAm1l4qYAhPqLwvXXaVUJfaS0tNm/4Q6atgmRb7qgch1SnFVqHS28X6gnG/MNB 16 | j+0beWWsQO5hzllSeJb4uyDVaetRE3trBim1TGKbIXcw+FIQZSoUpIaAGujlSMqa 17 | ft6UrBMm6DiXLsGAFR++quA5KD55V9omhDZOlyckrr4eLfTGkI3u1cndGazXxYBE 18 | d5a9QwPUFqRajIZxxpdUDqQYn0M7GGgwpxEt8b7N0O1RlpfqlDvx6hogW4lqEJ0j 19 | 12DUwEJQTw7a/6RA5fZ4+8DmNcH8O0HWYBMyAV/JX2C5DIBdJNAXHe5UnUw79aiB 20 | 3w== 21 | -----END CERTIFICATE----- 22 | -------------------------------------------------------------------------------- /mod_proxy/demo1/httpd_mod_proxy/ssl.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCn69tDqSRMTLeW 3 | wLubmYDbCBZbdfTDQxUeUy0/8JXD7IKyNHpVhvz0CfWJ2Z02yslJfJo+8ZqtZ0FV 4 | 
j2Kg71EHhLvJOlZ669TkkAVf5opA4hi7NFgq0O6PrmQFv811NHV9A9/cr67I/tQY 5 | RYPeXpxKBGJpSKaoJfyXNSEKX9a76NNdY/pGZJqH+rPvLyCyxnuGI0fUGKKeVqq1 6 | FfB0c3todg1L7ZYjfog8mikDG/A1MBwRrTKFR2i5q7fVxkL0oxUTy1G8piTdH3Lv 7 | txgfMh4l5++Qfamg3yZgo/xZqrf5ABW6dN+irNTMLuOWFcB+Zh1hnD9EU+0W0wQ7 8 | AvfqWTTXAgMBAAECggEAA/iyEOGZOCzAUtJwHXf98jA4xyT9Cvk1MKhq844vHJkl 9 | Zi2Tjx5IMUVjB0WcUEVviUtnIoH4VI2SoAFqJcBDPFhJULMOhI27VUSKu//p2Sr/ 10 | xr2wMCMM4V0QhIpKw7Df7nr++ms1SQ+t2H0cZ0/5hk6gPTk4p9VuKe1ZwLMPkxYe 11 | ybYTHNQbJ6IxolGlfspYKTQTQnvZcgYUgZLQOCkF1PJ9gBbfiSFww2noTb8WrK8I 12 | rblyQNhAMZi14PX/7D/aMymaRA141cFA02d5IEEU4gYEe9WPSJen98HmvQbcP3e4 13 | EXocssDiG6J5pyMDLBVmGPydDpj7U6ctsA2CRYCx8QKBgQDV5LVyycHhfaakYd6B 14 | cuFwTg8/7Ho5P6qUthS2xCQV+26n1yeXwV8PY79ivMVzQXBEdqLrpoEe5qpuciQm 15 | 4xk/Aw6i6epl+xMPARcEmyRE+MlgiK4Vf723JNQQjvNNTUhNR8AFrAn0ANhWcgr8 16 | H4f3Vnk2kzYAIUK/H+t0JlvO2wKBgQDI+lsm4ix4VxIeAGLSDA9/kTnxBSomVdT1 17 | WfS1EYzWZrMXEu+tH5Ee27d6BwQrEdtdQtLJTLBQyUa9t44k8jHlbETexuKTvQmm 18 | 4Qhe39l4NY8dbI1UWh8Hm/UqZl1bwIifnvCcYWZJa8dPGq7i6Nkp8ZWmDkLvKql7 19 | vGwGE3ActQKBgQCc5joby9gG2q8E4i3f8y9fvEL/dy5pFETC9ZXYQ6Tc4yVWxULr 20 | 1RMwLNFVUnfcheIeto/oIKmSy0212tCeHfSE/m8cHk6tJDHkzb3eyRcf6Qd/YoOg 21 | jaXS1Jci1lmvGMOyvLEk+AANFxmav+lC7LZGPw6HdBEmoz9dB8Ml3oV2BQKBgBVt 22 | /IIs46kBP8FLMT5MYuqrRY5ZiqEDze1LZjhYYrgJw1bWgg/nqcWsj+fHD7637LgJ 23 | BAjK0JIMpCpehB2UZZWc8cr/UfGG2pycqhPTspCKxXPRu1AfO+fHzWB0Achiwy6h 24 | 9+30xL9Xaq0Yn0U6ps0+IULPinuOBPxYnvwW3oFxAoGBALAibAsg/Q8mUPjeKm19 25 | DzcHYGYMiPAXDUkB2XEmCXaZHXa4lnEIK3UTPNyAvFJ7fb/aXtOL7abCYlGiUJm0 26 | fLJBJxCd5tQuDZ0DY/IcY9gvnxqmEiS7bL5vD2Er5Ty2AVqejBrI9tFFeaFwbYK2 27 | bTMaZY3JQ33lPQOHJ9/u57r3 28 | -----END PRIVATE KEY----- 29 | -------------------------------------------------------------------------------- /mod_proxy/demo1/start.sh: -------------------------------------------------------------------------------- 1 | echo killing old docker processes 2 | docker-compose rm -fs 3 | 4 | echo building docker containers 5 | docker-compose up --build -d 
-------------------------------------------------------------------------------- /mod_proxy/demo1/static/1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CHYbeta/OddProxyDemo/e782f0e26a2e491b5e964256ee5aa51467bae94c/mod_proxy/demo1/static/1.jpg -------------------------------------------------------------------------------- /mod_proxy/demo1/static/2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CHYbeta/OddProxyDemo/e782f0e26a2e491b5e964256ee5aa51467bae94c/mod_proxy/demo1/static/2.jpg -------------------------------------------------------------------------------- /mod_proxy/demo1/static/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CHYbeta/OddProxyDemo/e782f0e26a2e491b5e964256ee5aa51467bae94c/mod_proxy/demo1/static/3.png -------------------------------------------------------------------------------- /mod_proxy/demo2/README.md: -------------------------------------------------------------------------------- 1 | # README 2 | 3 | ``` 4 | ./start.sh 5 | 6 | # 关闭 7 | docker-compose rm -fs 8 | ``` 9 | 10 | 规则 11 | ``` 12 | ProxyPass / http://www.baidu.com/ 13 | ProxyPassReverse / http://www.baidu.com/ 14 | ``` 15 | 16 | ![](static/1.jpg) 17 | 18 | 19 | 具体可参考 [Apache Module mod_proxy 场景绕过之一: SSRF CVE-2021-40438](https://t.zsxq.com/MFEyvBa) 20 | 21 | # Reference 22 | https://httpd.apache.org/security/vulnerabilities_24.html -------------------------------------------------------------------------------- /mod_proxy/demo2/backend/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.6.7 2 | 3 | RUN mkdir -p /backend 4 | COPY . 
/backend 5 | WORKDIR /backend 6 | 7 | RUN python3 -m pip install -r requirements.txt 8 | -------------------------------------------------------------------------------- /mod_proxy/demo2/backend/flask_backend.py: -------------------------------------------------------------------------------- 1 | import logging 2 | 3 | from flask import Flask 4 | 5 | app = Flask(__name__) 6 | 7 | 8 | @app.route('/', methods=['GET', 'POST']) 9 | def secret(): 10 | logging.info("hit secret.") 11 | return "ssrf test" 12 | 13 | 14 | if __name__ == "__main__": 15 | app.run(host="0.0.0.0", port=8085) -------------------------------------------------------------------------------- /mod_proxy/demo2/backend/requirements.txt: -------------------------------------------------------------------------------- 1 | flask -------------------------------------------------------------------------------- /mod_proxy/demo2/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | backend_server1: 5 | build: ./backend 6 | expose: 7 | - 8085 8 | command: python3 flask_backend.py 9 | 10 | httpd_mod_proxy: 11 | build: ./httpd_mod_proxy 12 | links: 13 | - backend_server1 14 | ports: 15 | - 80:80 16 | -------------------------------------------------------------------------------- /mod_proxy/demo2/httpd_mod_proxy/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM httpd:2.4.47 2 | 3 | # Copy the httpd.conf from the present working directory to /usr/local/apache2/conf inside the container 4 | # I have taken the standard httpd.conf file, enabled the necessary modules and added support for an additional directory 5 | COPY httpd.conf /usr/local/apache2/conf/httpd.conf 6 | COPY site.conf /usr/local/apache2/conf/sites/site.conf 7 | 8 | # This is the additional directory where we are going to keep our VirtualHost configuration files 9 | # You can use the image to create 
N number of different virtual hosts 10 | 11 | # To tell docker to expose this port 12 | EXPOSE 80 13 | 14 | # The Base command, This command should be used to start the container 15 | # Remember, A Container is a Process.As long as the base process (started by base cmd) is live the Container will be ALIVE. 16 | CMD ["httpd", "-D", "FOREGROUND"] -------------------------------------------------------------------------------- /mod_proxy/demo2/httpd_mod_proxy/httpd.conf: -------------------------------------------------------------------------------- 1 | # 2 | # This is the main Apache HTTP server configuration file. It contains the 3 | # configuration directives that give the server its instructions. 4 | # See for detailed information. 5 | # In particular, see 6 | # 7 | # for a discussion of each configuration directive. 8 | # 9 | # Do NOT simply read the instructions in here without understanding 10 | # what they do. They're here only as hints or reminders. If you are unsure 11 | # consult the online docs. You have been warned. 12 | # 13 | # Configuration and logfile names: If the filenames you specify for many 14 | # of the server's control files begin with "/" (or "drive:/" for Win32), the 15 | # server will use that explicit path. If the filenames do *not* begin 16 | # with "/", the value of ServerRoot is prepended -- so "logs/access_log" 17 | # with ServerRoot set to "/usr/local/apache2" will be interpreted by the 18 | # server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" 19 | # will be interpreted as '/logs/access_log'. 20 | 21 | # 22 | # ServerRoot: The top of the directory tree under which the server's 23 | # configuration, error, and log files are kept. 24 | # 25 | # Do not add a slash at the end of the directory path. If you point 26 | # ServerRoot at a non-local disk, be sure to specify a local disk on the 27 | # Mutex directive, if file-based mutexes are used. 
If you wish to share the 28 | # same ServerRoot for multiple httpd daemons, you will need to change at 29 | # least PidFile. 30 | # 31 | ServerRoot "/usr/local/apache2" 32 | 33 | # 34 | # Mutex: Allows you to set the mutex mechanism and mutex file directory 35 | # for individual mutexes, or change the global defaults 36 | # 37 | # Uncomment and change the directory if mutexes are file-based and the default 38 | # mutex file directory is not on a local disk or is not appropriate for some 39 | # other reason. 40 | # 41 | # Mutex default:logs 42 | 43 | # 44 | # Listen: Allows you to bind Apache to specific IP addresses and/or 45 | # ports, instead of the default. See also the 46 | # directive. 47 | # 48 | # Change this to Listen on specific IP addresses as shown below to 49 | # prevent Apache from glomming onto all bound IP addresses. 50 | # 51 | #Listen 12.34.56.78:80 52 | Listen 80 53 | 54 | # 55 | # Dynamic Shared Object (DSO) Support 56 | # 57 | # To be able to use the functionality of a module which was built as a DSO you 58 | # have to place corresponding `LoadModule' lines at this location so the 59 | # directives contained in it are actually available _before_ they are used. 60 | # Statically compiled modules (those listed by `httpd -l') do not need 61 | # to be loaded here. 
62 | # 63 | # Example: 64 | # LoadModule foo_module modules/mod_foo.so 65 | # 66 | LoadModule mpm_event_module modules/mod_mpm_event.so 67 | #LoadModule mpm_prefork_module modules/mod_mpm_prefork.so 68 | #LoadModule mpm_worker_module modules/mod_mpm_worker.so 69 | LoadModule authn_file_module modules/mod_authn_file.so 70 | #LoadModule authn_dbm_module modules/mod_authn_dbm.so 71 | #LoadModule authn_anon_module modules/mod_authn_anon.so 72 | #LoadModule authn_dbd_module modules/mod_authn_dbd.so 73 | #LoadModule authn_socache_module modules/mod_authn_socache.so 74 | LoadModule authn_core_module modules/mod_authn_core.so 75 | LoadModule authz_host_module modules/mod_authz_host.so 76 | LoadModule authz_groupfile_module modules/mod_authz_groupfile.so 77 | LoadModule authz_user_module modules/mod_authz_user.so 78 | #LoadModule authz_dbm_module modules/mod_authz_dbm.so 79 | #LoadModule authz_owner_module modules/mod_authz_owner.so 80 | #LoadModule authz_dbd_module modules/mod_authz_dbd.so 81 | LoadModule authz_core_module modules/mod_authz_core.so 82 | #LoadModule authnz_ldap_module modules/mod_authnz_ldap.so 83 | #LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so 84 | LoadModule access_compat_module modules/mod_access_compat.so 85 | LoadModule auth_basic_module modules/mod_auth_basic.so 86 | #LoadModule auth_form_module modules/mod_auth_form.so 87 | #LoadModule auth_digest_module modules/mod_auth_digest.so 88 | #LoadModule allowmethods_module modules/mod_allowmethods.so 89 | #LoadModule isapi_module modules/mod_isapi.so 90 | #LoadModule file_cache_module modules/mod_file_cache.so 91 | #LoadModule cache_module modules/mod_cache.so 92 | #LoadModule cache_disk_module modules/mod_cache_disk.so 93 | #LoadModule cache_socache_module modules/mod_cache_socache.so 94 | LoadModule socache_shmcb_module modules/mod_socache_shmcb.so 95 | #LoadModule socache_dbm_module modules/mod_socache_dbm.so 96 | #LoadModule socache_memcache_module modules/mod_socache_memcache.so 97 | 
#LoadModule socache_redis_module modules/mod_socache_redis.so 98 | LoadModule watchdog_module modules/mod_watchdog.so 99 | #LoadModule macro_module modules/mod_macro.so 100 | #LoadModule dbd_module modules/mod_dbd.so 101 | #LoadModule bucketeer_module modules/mod_bucketeer.so 102 | #LoadModule dumpio_module modules/mod_dumpio.so 103 | #LoadModule echo_module modules/mod_echo.so 104 | #LoadModule example_hooks_module modules/mod_example_hooks.so 105 | #LoadModule case_filter_module modules/mod_case_filter.so 106 | #LoadModule case_filter_in_module modules/mod_case_filter_in.so 107 | #LoadModule example_ipc_module modules/mod_example_ipc.so 108 | #LoadModule buffer_module modules/mod_buffer.so 109 | #LoadModule data_module modules/mod_data.so 110 | #LoadModule ratelimit_module modules/mod_ratelimit.so 111 | LoadModule reqtimeout_module modules/mod_reqtimeout.so 112 | #LoadModule ext_filter_module modules/mod_ext_filter.so 113 | #LoadModule request_module modules/mod_request.so 114 | #LoadModule include_module modules/mod_include.so 115 | LoadModule filter_module modules/mod_filter.so 116 | #LoadModule reflector_module modules/mod_reflector.so 117 | #LoadModule substitute_module modules/mod_substitute.so 118 | #LoadModule sed_module modules/mod_sed.so 119 | #LoadModule charset_lite_module modules/mod_charset_lite.so 120 | #LoadModule deflate_module modules/mod_deflate.so 121 | #LoadModule xml2enc_module modules/mod_xml2enc.so 122 | #LoadModule proxy_html_module modules/mod_proxy_html.so 123 | LoadModule mime_module modules/mod_mime.so 124 | #LoadModule ldap_module modules/mod_ldap.so 125 | LoadModule log_config_module modules/mod_log_config.so 126 | #LoadModule log_debug_module modules/mod_log_debug.so 127 | #LoadModule log_forensic_module modules/mod_log_forensic.so 128 | #LoadModule logio_module modules/mod_logio.so 129 | #LoadModule lua_module modules/mod_lua.so 130 | LoadModule env_module modules/mod_env.so 131 | #LoadModule mime_magic_module 
modules/mod_mime_magic.so 132 | #LoadModule cern_meta_module modules/mod_cern_meta.so 133 | #LoadModule expires_module modules/mod_expires.so 134 | LoadModule headers_module modules/mod_headers.so 135 | #LoadModule ident_module modules/mod_ident.so 136 | #LoadModule usertrack_module modules/mod_usertrack.so 137 | #LoadModule unique_id_module modules/mod_unique_id.so 138 | LoadModule setenvif_module modules/mod_setenvif.so 139 | LoadModule version_module modules/mod_version.so 140 | #LoadModule remoteip_module modules/mod_remoteip.so 141 | LoadModule proxy_module modules/mod_proxy.so 142 | # LoadModule proxy_connect_module modules/mod_proxy_connect.so 143 | # LoadModule proxy_ftp_module modules/mod_proxy_ftp.so 144 | LoadModule proxy_http_module modules/mod_proxy_http.so 145 | # LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so 146 | # LoadModule proxy_scgi_module modules/mod_proxy_scgi.so 147 | LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so 148 | # LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so 149 | # LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so 150 | # LoadModule proxy_ajp_module modules/mod_proxy_ajp.so 151 | # LoadModule proxy_balancer_module modules/mod_proxy_balancer.so 152 | # LoadModule proxy_express_module modules/mod_proxy_express.so 153 | # LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so 154 | #LoadModule session_module modules/mod_session.so 155 | #LoadModule session_cookie_module modules/mod_session_cookie.so 156 | #LoadModule session_crypto_module modules/mod_session_crypto.so 157 | #LoadModule session_dbd_module modules/mod_session_dbd.so 158 | LoadModule slotmem_shm_module modules/mod_slotmem_shm.so 159 | #LoadModule slotmem_plain_module modules/mod_slotmem_plain.so 160 | # LoadModule ssl_module modules/mod_ssl.so 161 | #LoadModule optional_hook_export_module modules/mod_optional_hook_export.so 162 | #LoadModule optional_hook_import_module modules/mod_optional_hook_import.so 163 | #LoadModule 
optional_fn_import_module modules/mod_optional_fn_import.so 164 | #LoadModule optional_fn_export_module modules/mod_optional_fn_export.so 165 | #LoadModule dialup_module modules/mod_dialup.so 166 | # LoadModule http2_module modules/mod_http2.so 167 | # LoadModule proxy_http2_module modules/mod_proxy_http2.so 168 | #LoadModule md_module modules/mod_md.so 169 | LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so 170 | LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so 171 | LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so 172 | LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so 173 | LoadModule unixd_module modules/mod_unixd.so 174 | #LoadModule heartbeat_module modules/mod_heartbeat.so 175 | #LoadModule heartmonitor_module modules/mod_heartmonitor.so 176 | #LoadModule dav_module modules/mod_dav.so 177 | LoadModule status_module modules/mod_status.so 178 | LoadModule autoindex_module modules/mod_autoindex.so 179 | #LoadModule asis_module modules/mod_asis.so 180 | #LoadModule info_module modules/mod_info.so 181 | #LoadModule suexec_module modules/mod_suexec.so 182 | 183 | #LoadModule cgid_module modules/mod_cgid.so 184 | 185 | 186 | #LoadModule cgi_module modules/mod_cgi.so 187 | 188 | #LoadModule dav_fs_module modules/mod_dav_fs.so 189 | #LoadModule dav_lock_module modules/mod_dav_lock.so 190 | #LoadModule vhost_alias_module modules/mod_vhost_alias.so 191 | #LoadModule negotiation_module modules/mod_negotiation.so 192 | LoadModule dir_module modules/mod_dir.so 193 | #LoadModule imagemap_module modules/mod_imagemap.so 194 | #LoadModule actions_module modules/mod_actions.so 195 | #LoadModule speling_module modules/mod_speling.so 196 | #LoadModule userdir_module modules/mod_userdir.so 197 | LoadModule alias_module modules/mod_alias.so 198 | #LoadModule rewrite_module modules/mod_rewrite.so 199 | 200 | 201 | # 202 | # If you wish httpd to run as a different user or group, you must run 
203 | # httpd as root initially and it will switch. 204 | # 205 | # User/Group: The name (or #number) of the user/group to run httpd as. 206 | # It is usually good practice to create a dedicated user and group for 207 | # running httpd, as with most system services. 208 | # 209 | User daemon 210 | Group daemon 211 | 212 | 213 | 214 | # 'Main' server configuration 215 | # 216 | # The directives in this section set up the values used by the 'main' 217 | # server, which responds to any requests that aren't handled by a 218 | # definition. These values also provide defaults for 219 | # any containers you may define later in the file. 220 | # 221 | # All of these directives may appear inside containers, 222 | # in which case these default settings will be overridden for the 223 | # virtual host being defined. 224 | # 225 | 226 | # 227 | # ServerAdmin: Your address, where problems with the server should be 228 | # e-mailed. This address appears on some server-generated pages, such 229 | # as error documents. e.g. admin@your-domain.com 230 | # 231 | ServerAdmin you@example.com 232 | 233 | # 234 | # ServerName gives the name and port that the server uses to identify itself. 235 | # This can often be determined automatically, but we recommend you specify 236 | # it explicitly to prevent problems during startup. 237 | # 238 | # If your host doesn't have a registered DNS name, enter its IP address here. 239 | # 240 | #ServerName www.example.com:80 241 | 242 | # 243 | # Deny access to the entirety of your server's filesystem. You must 244 | # explicitly permit access to web content directories in other 245 | # blocks below. 246 | # 247 | 248 | AllowOverride none 249 | Require all denied 250 | 251 | 252 | # 253 | # Note that from this point forward you must specifically allow 254 | # particular features to be enabled - so if something's not working as 255 | # you might expect, make sure that you have specifically enabled it 256 | # below. 
257 | # 258 | 259 | # 260 | # DocumentRoot: The directory out of which you will serve your 261 | # documents. By default, all requests are taken from this directory, but 262 | # symbolic links and aliases may be used to point to other locations. 263 | # 264 | DocumentRoot "/usr/local/apache2/htdocs" 265 | 266 | # 267 | # Possible values for the Options directive are "None", "All", 268 | # or any combination of: 269 | # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews 270 | # 271 | # Note that "MultiViews" must be named *explicitly* --- "Options All" 272 | # doesn't give it to you. 273 | # 274 | # The Options directive is both complicated and important. Please see 275 | # http://httpd.apache.org/docs/2.4/mod/core.html#options 276 | # for more information. 277 | # 278 | Options Indexes FollowSymLinks 279 | 280 | # 281 | # AllowOverride controls what directives may be placed in .htaccess files. 282 | # It can be "All", "None", or any combination of the keywords: 283 | # AllowOverride FileInfo AuthConfig Limit 284 | # 285 | AllowOverride None 286 | 287 | # 288 | # Controls who can get stuff from this server. 289 | # 290 | Require all granted 291 | 292 | 293 | # 294 | # DirectoryIndex: sets the file that Apache will serve if a directory 295 | # is requested. 296 | # 297 | 298 | DirectoryIndex index.html 299 | 300 | 301 | # 302 | # The following lines prevent .htaccess and .htpasswd files from being 303 | # viewed by Web clients. 304 | # 305 | 306 | Require all denied 307 | 308 | 309 | # 310 | # ErrorLog: The location of the error log file. 311 | # If you do not specify an ErrorLog directive within a 312 | # container, error messages relating to that virtual host will be 313 | # logged here. If you *do* define an error logfile for a 314 | # container, that host's errors will be logged there and not here. 315 | # 316 | ErrorLog /proc/self/fd/2 317 | 318 | # 319 | # LogLevel: Control the number of messages logged to the error_log. 
320 | # Possible values include: debug, info, notice, warn, error, crit, 321 | # alert, emerg. 322 | # 323 | LogLevel warn 324 | 325 | 326 | # 327 | # The following directives define some format nicknames for use with 328 | # a CustomLog directive (see below). 329 | # 330 | LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined 331 | LogFormat "%h %l %u %t \"%r\" %>s %b" common 332 | 333 | 334 | # You need to enable mod_logio.c to use %I and %O 335 | LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio 336 | 337 | 338 | # 339 | # The location and format of the access logfile (Common Logfile Format). 340 | # If you do not define any access logfiles within a 341 | # container, they will be logged here. Contrariwise, if you *do* 342 | # define per- access logfiles, transactions will be 343 | # logged therein and *not* in this file. 344 | # 345 | CustomLog /proc/self/fd/1 common 346 | 347 | # 348 | # If you prefer a logfile with access, agent, and referer information 349 | # (Combined Logfile Format) you can use the following directive. 350 | # 351 | #CustomLog "logs/access_log" combined 352 | 353 | 354 | 355 | # 356 | # Redirect: Allows you to tell clients about documents that used to 357 | # exist in your server's namespace, but do not anymore. The client 358 | # will make a new request for the document at its new location. 359 | # Example: 360 | # Redirect permanent /foo http://www.example.com/bar 361 | 362 | # 363 | # Alias: Maps web paths into filesystem paths and is used to 364 | # access content that does not live under the DocumentRoot. 365 | # Example: 366 | # Alias /webpath /full/filesystem/path 367 | # 368 | # If you include a trailing / on /webpath then the server will 369 | # require it to be present in the URL. You will also likely 370 | # need to provide a section to allow access to 371 | # the filesystem path. 
372 | 373 | # 374 | # ScriptAlias: This controls which directories contain server scripts. 375 | # ScriptAliases are essentially the same as Aliases, except that 376 | # documents in the target directory are treated as applications and 377 | # run by the server when requested rather than as documents sent to the 378 | # client. The same rules about trailing "/" apply to ScriptAlias 379 | # directives as to Alias. 380 | # 381 | ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/" 382 | 383 | 384 | 385 | 386 | # 387 | # ScriptSock: On threaded servers, designate the path to the UNIX 388 | # socket used to communicate with the CGI daemon of mod_cgid. 389 | # 390 | #Scriptsock cgisock 391 | 392 | 393 | # 394 | # "/usr/local/apache2/cgi-bin" should be changed to whatever your ScriptAliased 395 | # CGI directory exists, if you have that configured. 396 | # 397 | 398 | AllowOverride None 399 | Options None 400 | Require all granted 401 | 402 | 403 | 404 | # 405 | # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied 406 | # backend servers which have lingering "httpoxy" defects. 407 | # 'Proxy' request header is undefined by the IETF, not listed by IANA 408 | # 409 | RequestHeader unset Proxy early 410 | 411 | 412 | 413 | # 414 | # TypesConfig points to the file containing the list of mappings from 415 | # filename extension to MIME-type. 416 | # 417 | TypesConfig conf/mime.types 418 | 419 | # 420 | # AddType allows you to add to or override the MIME configuration 421 | # file specified in TypesConfig for specific file types. 422 | # 423 | #AddType application/x-gzip .tgz 424 | # 425 | # AddEncoding allows you to have certain browsers uncompress 426 | # information on the fly. Note: Not all browsers support this. 
427 | # 428 | #AddEncoding x-compress .Z 429 | #AddEncoding x-gzip .gz .tgz 430 | # 431 | # If the AddEncoding directives above are commented-out, then you 432 | # probably should define those extensions to indicate media types: 433 | # 434 | AddType application/x-compress .Z 435 | AddType application/x-gzip .gz .tgz 436 | 437 | # 438 | # AddHandler allows you to map certain file extensions to "handlers": 439 | # actions unrelated to filetype. These can be either built into the server 440 | # or added with the Action directive (see below) 441 | # 442 | # To use CGI scripts outside of ScriptAliased directories: 443 | # (You will also need to add "ExecCGI" to the "Options" directive.) 444 | # 445 | #AddHandler cgi-script .cgi 446 | 447 | # For type maps (negotiated resources): 448 | #AddHandler type-map var 449 | 450 | # 451 | # Filters allow you to process content before it is sent to the client. 452 | # 453 | # To parse .shtml files for server-side includes (SSI): 454 | # (You will also need to add "Includes" to the "Options" directive.) 455 | # 456 | #AddType text/html .shtml 457 | #AddOutputFilter INCLUDES .shtml 458 | 459 | 460 | # 461 | # The mod_mime_magic module allows the server to use various hints from the 462 | # contents of the file itself to determine its type. The MIMEMagicFile 463 | # directive tells the module where the hint definitions are located. 464 | # 465 | #MIMEMagicFile conf/magic 466 | 467 | # 468 | # Customizable error responses come in three flavors: 469 | # 1) plain text 2) local redirects 3) external redirects 470 | # 471 | # Some examples: 472 | #ErrorDocument 500 "The server made a boo boo." 
473 | #ErrorDocument 404 /missing.html 474 | #ErrorDocument 404 "/cgi-bin/missing_handler.pl" 475 | #ErrorDocument 402 http://www.example.com/subscription_info.html 476 | # 477 | 478 | # 479 | # MaxRanges: Maximum number of Ranges in a request before 480 | # returning the entire resource, or one of the special 481 | # values 'default', 'none' or 'unlimited'. 482 | # Default setting is to accept 200 Ranges. 483 | #MaxRanges unlimited 484 | 485 | # 486 | # EnableMMAP and EnableSendfile: On systems that support it, 487 | # memory-mapping or the sendfile syscall may be used to deliver 488 | # files. This usually improves server performance, but must 489 | # be turned off when serving from networked-mounted 490 | # filesystems or if support for these functions is otherwise 491 | # broken on your system. 492 | # Defaults: EnableMMAP On, EnableSendfile Off 493 | # 494 | #EnableMMAP off 495 | #EnableSendfile on 496 | 497 | # Supplemental configuration 498 | # 499 | # The configuration files in the conf/extra/ directory can be 500 | # included to add extra features or to modify the default configuration of 501 | # the server, or you may simply copy their contents here and change as 502 | # necessary. 
503 | 504 | # Server-pool management (MPM specific) 505 | #Include conf/extra/httpd-mpm.conf 506 | 507 | # Multi-language error messages 508 | #Include conf/extra/httpd-multilang-errordoc.conf 509 | 510 | # Fancy directory listings 511 | #Include conf/extra/httpd-autoindex.conf 512 | 513 | # Language settings 514 | #Include conf/extra/httpd-languages.conf 515 | 516 | # User home directories 517 | #Include conf/extra/httpd-userdir.conf 518 | 519 | # Real-time info on requests and configuration 520 | #Include conf/extra/httpd-info.conf 521 | 522 | # Virtual hosts 523 | #Include conf/extra/httpd-vhosts.conf 524 | 525 | # Local access to the Apache HTTP Server Manual 526 | #Include conf/extra/httpd-manual.conf 527 | 528 | # Distributed authoring and versioning (WebDAV) 529 | #Include conf/extra/httpd-dav.conf 530 | 531 | # Various default settings 532 | #Include conf/extra/httpd-default.conf 533 | 534 | # Configure mod_proxy_html to understand HTML4/XHTML1 535 | 536 | Include conf/extra/proxy-html.conf 537 | 538 | 539 | # Secure (SSL/TLS) connections 540 | # Include conf/extra/httpd-ssl.conf 541 | # 542 | # Note: The following must be present to support 543 | # starting without SSL on platforms with no /dev/random equivalent 544 | # but a statically compiled-in mod_ssl. 545 | # 546 | 547 | SSLRandomSeed startup builtin 548 | SSLRandomSeed connect builtin 549 | 550 | 551 | # To Load Customer VirtualHost Configuration files 552 | IncludeOptional conf/sites/*.conf 553 | -------------------------------------------------------------------------------- /mod_proxy/demo2/httpd_mod_proxy/index.html: -------------------------------------------------------------------------------- 1 |

Hello, World!

2 | -------------------------------------------------------------------------------- /mod_proxy/demo2/httpd_mod_proxy/site.conf: -------------------------------------------------------------------------------- 1 | 2 | ServerName chybeta4.httpd 3 | ServerAlias chybeta4.httpd 4 | ServerAdmin chybet4@gmail.com 5 | Protocols http/1.1 6 | LogLevel trace8 7 | ProxyPass / http://www.baidu.com/ 8 | ProxyPassReverse / http://www.baidu.com/ 9 | 10 | 11 | -------------------------------------------------------------------------------- /mod_proxy/demo2/start.sh: -------------------------------------------------------------------------------- 1 | echo killing old docker processes 2 | docker-compose rm -fs 3 | 4 | echo building docker containers 5 | docker-compose up --build -d -------------------------------------------------------------------------------- /mod_proxy/demo2/static/1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CHYbeta/OddProxyDemo/e782f0e26a2e491b5e964256ee5aa51467bae94c/mod_proxy/demo2/static/1.jpg -------------------------------------------------------------------------------- /mod_proxy/demo3/README.md: -------------------------------------------------------------------------------- 1 | # README 2 | 3 | ``` 4 | ./start.sh 5 | 6 | # 关闭 7 | docker-compose rm -fs 8 | ``` 9 | 10 | ![](static/2.png) 11 | 12 | 13 | 14 | ![](static/1.png) 15 | 16 | 17 | 具体可参考 [Apache Module mod_proxy 场景绕过之三: CVE-2022-31813](https://articles.zsxq.com/id_c78wzuqs2pgm.html) 18 | 19 | # Reference 20 | https://httpd.apache.org/security/vulnerabilities_24.html -------------------------------------------------------------------------------- /mod_proxy/demo3/backend/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.6.7 2 | 3 | RUN mkdir -p /backend 4 | COPY . 
/backend 5 | WORKDIR /backend 6 | 7 | RUN python3 -m pip install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple 8 | -------------------------------------------------------------------------------- /mod_proxy/demo3/backend/flask_backend.py: -------------------------------------------------------------------------------- 1 | from flask import Flask 2 | from flask import request 3 | import json 4 | import logging 5 | 6 | 7 | app = Flask(__name__) 8 | 9 | 10 | @app.route('/', methods=['GET']) 11 | def index(): 12 | headers = request.headers 13 | return "Request headers:\n" + str(headers) 14 | 15 | 16 | if __name__ == "__main__": 17 | app.run(host="0.0.0.0", port=8085) 18 | -------------------------------------------------------------------------------- /mod_proxy/demo3/backend/requirements.txt: -------------------------------------------------------------------------------- 1 | flask -------------------------------------------------------------------------------- /mod_proxy/demo3/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | backend_server1: 5 | build: ./backend 6 | expose: 7 | - 8085 8 | command: python3 flask_backend.py 9 | 10 | httpd_mod_proxy: 11 | build: ./httpd_mod_proxy 12 | links: 13 | - backend_server1 14 | ports: 15 | - 80:80 16 | -------------------------------------------------------------------------------- /mod_proxy/demo3/httpd_mod_proxy/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM httpd:2.4.53 2 | 3 | # to Copy a file named httpd.conf from present working directory to the /usr/local/apache2/conf inside the container 4 | # I have taken the Standard httpd.conf file and enabled the necassary modules and adding Support for an additional Directory 5 | COPY httpd.conf /usr/local/apache2/conf/httpd.conf 6 | COPY site.conf /usr/local/apache2/conf/sites/site.conf 7 | 8 | # This is the Additional 
Directory where we are going to keep our Virtualhost configuration files 9 | # You can use the image to create N number of different virtual hosts 10 | 11 | # To tell docker to expose this port 12 | EXPOSE 80 13 | 14 | # The Base command, This command should be used to start the container 15 | # Remember, A Container is a Process. As long as the base process (started by base cmd) is live the Container will be ALIVE. 16 | CMD ["httpd", "-D", "FOREGROUND"] -------------------------------------------------------------------------------- /mod_proxy/demo3/httpd_mod_proxy/httpd.conf: -------------------------------------------------------------------------------- 1 | # 2 | # This is the main Apache HTTP server configuration file. It contains the 3 | # configuration directives that give the server its instructions. 4 | # See for detailed information. 5 | # In particular, see 6 | # 7 | # for a discussion of each configuration directive. 8 | # 9 | # Do NOT simply read the instructions in here without understanding 10 | # what they do. They're here only as hints or reminders. If you are unsure 11 | # consult the online docs. You have been warned. 12 | # 13 | # Configuration and logfile names: If the filenames you specify for many 14 | # of the server's control files begin with "/" (or "drive:/" for Win32), the 15 | # server will use that explicit path. If the filenames do *not* begin 16 | # with "/", the value of ServerRoot is prepended -- so "logs/access_log" 17 | # with ServerRoot set to "/usr/local/apache2" will be interpreted by the 18 | # server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" 19 | # will be interpreted as '/logs/access_log'. 20 | 21 | # 22 | # ServerRoot: The top of the directory tree under which the server's 23 | # configuration, error, and log files are kept. 24 | # 25 | # Do not add a slash at the end of the directory path. 
If you point 26 | # ServerRoot at a non-local disk, be sure to specify a local disk on the 27 | # Mutex directive, if file-based mutexes are used. If you wish to share the 28 | # same ServerRoot for multiple httpd daemons, you will need to change at 29 | # least PidFile. 30 | # 31 | ServerRoot "/usr/local/apache2" 32 | 33 | # 34 | # Mutex: Allows you to set the mutex mechanism and mutex file directory 35 | # for individual mutexes, or change the global defaults 36 | # 37 | # Uncomment and change the directory if mutexes are file-based and the default 38 | # mutex file directory is not on a local disk or is not appropriate for some 39 | # other reason. 40 | # 41 | # Mutex default:logs 42 | 43 | # 44 | # Listen: Allows you to bind Apache to specific IP addresses and/or 45 | # ports, instead of the default. See also the 46 | # directive. 47 | # 48 | # Change this to Listen on specific IP addresses as shown below to 49 | # prevent Apache from glomming onto all bound IP addresses. 50 | # 51 | #Listen 12.34.56.78:80 52 | Listen 80 53 | 54 | # 55 | # Dynamic Shared Object (DSO) Support 56 | # 57 | # To be able to use the functionality of a module which was built as a DSO you 58 | # have to place corresponding `LoadModule' lines at this location so the 59 | # directives contained in it are actually available _before_ they are used. 60 | # Statically compiled modules (those listed by `httpd -l') do not need 61 | # to be loaded here. 
62 | # 63 | # Example: 64 | # LoadModule foo_module modules/mod_foo.so 65 | # 66 | LoadModule mpm_event_module modules/mod_mpm_event.so 67 | #LoadModule mpm_prefork_module modules/mod_mpm_prefork.so 68 | #LoadModule mpm_worker_module modules/mod_mpm_worker.so 69 | LoadModule authn_file_module modules/mod_authn_file.so 70 | #LoadModule authn_dbm_module modules/mod_authn_dbm.so 71 | #LoadModule authn_anon_module modules/mod_authn_anon.so 72 | #LoadModule authn_dbd_module modules/mod_authn_dbd.so 73 | #LoadModule authn_socache_module modules/mod_authn_socache.so 74 | LoadModule authn_core_module modules/mod_authn_core.so 75 | LoadModule authz_host_module modules/mod_authz_host.so 76 | LoadModule authz_groupfile_module modules/mod_authz_groupfile.so 77 | LoadModule authz_user_module modules/mod_authz_user.so 78 | #LoadModule authz_dbm_module modules/mod_authz_dbm.so 79 | #LoadModule authz_owner_module modules/mod_authz_owner.so 80 | #LoadModule authz_dbd_module modules/mod_authz_dbd.so 81 | LoadModule authz_core_module modules/mod_authz_core.so 82 | #LoadModule authnz_ldap_module modules/mod_authnz_ldap.so 83 | #LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so 84 | LoadModule access_compat_module modules/mod_access_compat.so 85 | LoadModule auth_basic_module modules/mod_auth_basic.so 86 | #LoadModule auth_form_module modules/mod_auth_form.so 87 | #LoadModule auth_digest_module modules/mod_auth_digest.so 88 | #LoadModule allowmethods_module modules/mod_allowmethods.so 89 | #LoadModule isapi_module modules/mod_isapi.so 90 | #LoadModule file_cache_module modules/mod_file_cache.so 91 | #LoadModule cache_module modules/mod_cache.so 92 | #LoadModule cache_disk_module modules/mod_cache_disk.so 93 | #LoadModule cache_socache_module modules/mod_cache_socache.so 94 | LoadModule socache_shmcb_module modules/mod_socache_shmcb.so 95 | #LoadModule socache_dbm_module modules/mod_socache_dbm.so 96 | #LoadModule socache_memcache_module modules/mod_socache_memcache.so 97 | 
#LoadModule socache_redis_module modules/mod_socache_redis.so 98 | LoadModule watchdog_module modules/mod_watchdog.so 99 | #LoadModule macro_module modules/mod_macro.so 100 | #LoadModule dbd_module modules/mod_dbd.so 101 | #LoadModule bucketeer_module modules/mod_bucketeer.so 102 | #LoadModule dumpio_module modules/mod_dumpio.so 103 | #LoadModule echo_module modules/mod_echo.so 104 | #LoadModule example_hooks_module modules/mod_example_hooks.so 105 | #LoadModule case_filter_module modules/mod_case_filter.so 106 | #LoadModule case_filter_in_module modules/mod_case_filter_in.so 107 | #LoadModule example_ipc_module modules/mod_example_ipc.so 108 | #LoadModule buffer_module modules/mod_buffer.so 109 | #LoadModule data_module modules/mod_data.so 110 | #LoadModule ratelimit_module modules/mod_ratelimit.so 111 | LoadModule reqtimeout_module modules/mod_reqtimeout.so 112 | #LoadModule ext_filter_module modules/mod_ext_filter.so 113 | #LoadModule request_module modules/mod_request.so 114 | #LoadModule include_module modules/mod_include.so 115 | LoadModule filter_module modules/mod_filter.so 116 | #LoadModule reflector_module modules/mod_reflector.so 117 | #LoadModule substitute_module modules/mod_substitute.so 118 | #LoadModule sed_module modules/mod_sed.so 119 | #LoadModule charset_lite_module modules/mod_charset_lite.so 120 | #LoadModule deflate_module modules/mod_deflate.so 121 | #LoadModule xml2enc_module modules/mod_xml2enc.so 122 | #LoadModule proxy_html_module modules/mod_proxy_html.so 123 | LoadModule mime_module modules/mod_mime.so 124 | #LoadModule ldap_module modules/mod_ldap.so 125 | LoadModule log_config_module modules/mod_log_config.so 126 | #LoadModule log_debug_module modules/mod_log_debug.so 127 | #LoadModule log_forensic_module modules/mod_log_forensic.so 128 | #LoadModule logio_module modules/mod_logio.so 129 | #LoadModule lua_module modules/mod_lua.so 130 | LoadModule env_module modules/mod_env.so 131 | #LoadModule mime_magic_module 
modules/mod_mime_magic.so 132 | #LoadModule cern_meta_module modules/mod_cern_meta.so 133 | #LoadModule expires_module modules/mod_expires.so 134 | LoadModule headers_module modules/mod_headers.so 135 | #LoadModule ident_module modules/mod_ident.so 136 | #LoadModule usertrack_module modules/mod_usertrack.so 137 | #LoadModule unique_id_module modules/mod_unique_id.so 138 | LoadModule setenvif_module modules/mod_setenvif.so 139 | LoadModule version_module modules/mod_version.so 140 | #LoadModule remoteip_module modules/mod_remoteip.so 141 | LoadModule proxy_module modules/mod_proxy.so 142 | # LoadModule proxy_connect_module modules/mod_proxy_connect.so 143 | # LoadModule proxy_ftp_module modules/mod_proxy_ftp.so 144 | LoadModule proxy_http_module modules/mod_proxy_http.so 145 | # LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so 146 | # LoadModule proxy_scgi_module modules/mod_proxy_scgi.so 147 | LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so 148 | # LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so 149 | # LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so 150 | # LoadModule proxy_ajp_module modules/mod_proxy_ajp.so 151 | # LoadModule proxy_balancer_module modules/mod_proxy_balancer.so 152 | # LoadModule proxy_express_module modules/mod_proxy_express.so 153 | # LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so 154 | #LoadModule session_module modules/mod_session.so 155 | #LoadModule session_cookie_module modules/mod_session_cookie.so 156 | #LoadModule session_crypto_module modules/mod_session_crypto.so 157 | #LoadModule session_dbd_module modules/mod_session_dbd.so 158 | LoadModule slotmem_shm_module modules/mod_slotmem_shm.so 159 | #LoadModule slotmem_plain_module modules/mod_slotmem_plain.so 160 | # LoadModule ssl_module modules/mod_ssl.so 161 | #LoadModule optional_hook_export_module modules/mod_optional_hook_export.so 162 | #LoadModule optional_hook_import_module modules/mod_optional_hook_import.so 163 | #LoadModule 
optional_fn_import_module modules/mod_optional_fn_import.so 164 | #LoadModule optional_fn_export_module modules/mod_optional_fn_export.so 165 | #LoadModule dialup_module modules/mod_dialup.so 166 | # LoadModule http2_module modules/mod_http2.so 167 | # LoadModule proxy_http2_module modules/mod_proxy_http2.so 168 | #LoadModule md_module modules/mod_md.so 169 | LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so 170 | LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so 171 | LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so 172 | LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so 173 | LoadModule unixd_module modules/mod_unixd.so 174 | #LoadModule heartbeat_module modules/mod_heartbeat.so 175 | #LoadModule heartmonitor_module modules/mod_heartmonitor.so 176 | #LoadModule dav_module modules/mod_dav.so 177 | LoadModule status_module modules/mod_status.so 178 | LoadModule autoindex_module modules/mod_autoindex.so 179 | #LoadModule asis_module modules/mod_asis.so 180 | #LoadModule info_module modules/mod_info.so 181 | #LoadModule suexec_module modules/mod_suexec.so 182 | 183 | #LoadModule cgid_module modules/mod_cgid.so 184 | 185 | 186 | #LoadModule cgi_module modules/mod_cgi.so 187 | 188 | #LoadModule dav_fs_module modules/mod_dav_fs.so 189 | #LoadModule dav_lock_module modules/mod_dav_lock.so 190 | #LoadModule vhost_alias_module modules/mod_vhost_alias.so 191 | #LoadModule negotiation_module modules/mod_negotiation.so 192 | LoadModule dir_module modules/mod_dir.so 193 | #LoadModule imagemap_module modules/mod_imagemap.so 194 | #LoadModule actions_module modules/mod_actions.so 195 | #LoadModule speling_module modules/mod_speling.so 196 | #LoadModule userdir_module modules/mod_userdir.so 197 | LoadModule alias_module modules/mod_alias.so 198 | #LoadModule rewrite_module modules/mod_rewrite.so 199 | 200 | 201 | # 202 | # If you wish httpd to run as a different user or group, you must run 
203 | # httpd as root initially and it will switch. 204 | # 205 | # User/Group: The name (or #number) of the user/group to run httpd as. 206 | # It is usually good practice to create a dedicated user and group for 207 | # running httpd, as with most system services. 208 | # 209 | User daemon 210 | Group daemon 211 | 212 | 213 | 214 | # 'Main' server configuration 215 | # 216 | # The directives in this section set up the values used by the 'main' 217 | # server, which responds to any requests that aren't handled by a 218 | # definition. These values also provide defaults for 219 | # any containers you may define later in the file. 220 | # 221 | # All of these directives may appear inside containers, 222 | # in which case these default settings will be overridden for the 223 | # virtual host being defined. 224 | # 225 | 226 | # 227 | # ServerAdmin: Your address, where problems with the server should be 228 | # e-mailed. This address appears on some server-generated pages, such 229 | # as error documents. e.g. admin@your-domain.com 230 | # 231 | ServerAdmin you@example.com 232 | 233 | # 234 | # ServerName gives the name and port that the server uses to identify itself. 235 | # This can often be determined automatically, but we recommend you specify 236 | # it explicitly to prevent problems during startup. 237 | # 238 | # If your host doesn't have a registered DNS name, enter its IP address here. 239 | # 240 | #ServerName www.example.com:80 241 | 242 | # 243 | # Deny access to the entirety of your server's filesystem. You must 244 | # explicitly permit access to web content directories in other 245 | # blocks below. 246 | # 247 | 248 | AllowOverride none 249 | Require all denied 250 | 251 | 252 | # 253 | # Note that from this point forward you must specifically allow 254 | # particular features to be enabled - so if something's not working as 255 | # you might expect, make sure that you have specifically enabled it 256 | # below. 
257 | # 258 | 259 | # 260 | # DocumentRoot: The directory out of which you will serve your 261 | # documents. By default, all requests are taken from this directory, but 262 | # symbolic links and aliases may be used to point to other locations. 263 | # 264 | DocumentRoot "/usr/local/apache2/htdocs" 265 | 266 | # 267 | # Possible values for the Options directive are "None", "All", 268 | # or any combination of: 269 | # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews 270 | # 271 | # Note that "MultiViews" must be named *explicitly* --- "Options All" 272 | # doesn't give it to you. 273 | # 274 | # The Options directive is both complicated and important. Please see 275 | # http://httpd.apache.org/docs/2.4/mod/core.html#options 276 | # for more information. 277 | # 278 | Options Indexes FollowSymLinks 279 | 280 | # 281 | # AllowOverride controls what directives may be placed in .htaccess files. 282 | # It can be "All", "None", or any combination of the keywords: 283 | # AllowOverride FileInfo AuthConfig Limit 284 | # 285 | AllowOverride None 286 | 287 | # 288 | # Controls who can get stuff from this server. 289 | # 290 | Require all granted 291 | 292 | 293 | # 294 | # DirectoryIndex: sets the file that Apache will serve if a directory 295 | # is requested. 296 | # 297 | 298 | DirectoryIndex index.html 299 | 300 | 301 | # 302 | # The following lines prevent .htaccess and .htpasswd files from being 303 | # viewed by Web clients. 304 | # 305 | 306 | Require all denied 307 | 308 | 309 | # 310 | # ErrorLog: The location of the error log file. 311 | # If you do not specify an ErrorLog directive within a 312 | # container, error messages relating to that virtual host will be 313 | # logged here. If you *do* define an error logfile for a 314 | # container, that host's errors will be logged there and not here. 315 | # 316 | ErrorLog /proc/self/fd/2 317 | 318 | # 319 | # LogLevel: Control the number of messages logged to the error_log. 
320 | # Possible values include: debug, info, notice, warn, error, crit, 321 | # alert, emerg. 322 | # 323 | LogLevel warn 324 | 325 | 326 | # 327 | # The following directives define some format nicknames for use with 328 | # a CustomLog directive (see below). 329 | # 330 | LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined 331 | LogFormat "%h %l %u %t \"%r\" %>s %b" common 332 | 333 | 334 | # You need to enable mod_logio.c to use %I and %O 335 | LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio 336 | 337 | 338 | # 339 | # The location and format of the access logfile (Common Logfile Format). 340 | # If you do not define any access logfiles within a 341 | # container, they will be logged here. Contrariwise, if you *do* 342 | # define per- access logfiles, transactions will be 343 | # logged therein and *not* in this file. 344 | # 345 | CustomLog /proc/self/fd/1 common 346 | 347 | # 348 | # If you prefer a logfile with access, agent, and referer information 349 | # (Combined Logfile Format) you can use the following directive. 350 | # 351 | #CustomLog "logs/access_log" combined 352 | 353 | 354 | 355 | # 356 | # Redirect: Allows you to tell clients about documents that used to 357 | # exist in your server's namespace, but do not anymore. The client 358 | # will make a new request for the document at its new location. 359 | # Example: 360 | # Redirect permanent /foo http://www.example.com/bar 361 | 362 | # 363 | # Alias: Maps web paths into filesystem paths and is used to 364 | # access content that does not live under the DocumentRoot. 365 | # Example: 366 | # Alias /webpath /full/filesystem/path 367 | # 368 | # If you include a trailing / on /webpath then the server will 369 | # require it to be present in the URL. You will also likely 370 | # need to provide a section to allow access to 371 | # the filesystem path. 
372 | 373 | # 374 | # ScriptAlias: This controls which directories contain server scripts. 375 | # ScriptAliases are essentially the same as Aliases, except that 376 | # documents in the target directory are treated as applications and 377 | # run by the server when requested rather than as documents sent to the 378 | # client. The same rules about trailing "/" apply to ScriptAlias 379 | # directives as to Alias. 380 | # 381 | ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/" 382 | 383 | 384 | 385 | 386 | # 387 | # ScriptSock: On threaded servers, designate the path to the UNIX 388 | # socket used to communicate with the CGI daemon of mod_cgid. 389 | # 390 | #Scriptsock cgisock 391 | 392 | 393 | # 394 | # "/usr/local/apache2/cgi-bin" should be changed to wherever your ScriptAliased 395 | # CGI directory is located, if you have that configured. 396 | # 397 | 398 | AllowOverride None 399 | Options None 400 | Require all granted 401 | 402 | 403 | 404 | # 405 | # Avoid passing the HTTP_PROXY environment variable to CGIs on this or any proxied 406 | # backend servers which have lingering "httpoxy" defects. 407 | # The 'Proxy' request header is undefined by the IETF and not listed by IANA. 408 | # 409 | RequestHeader unset Proxy early 410 | 411 | 412 | 413 | # 414 | # TypesConfig points to the file containing the list of mappings from 415 | # filename extension to MIME-type. 416 | # 417 | TypesConfig conf/mime.types 418 | 419 | # 420 | # AddType allows you to add to or override the MIME configuration 421 | # file specified in TypesConfig for specific file types. 422 | # 423 | #AddType application/x-gzip .tgz 424 | # 425 | # AddEncoding allows you to have certain browsers uncompress 426 | # information on the fly. Note: Not all browsers support this. 
427 | # 428 | #AddEncoding x-compress .Z 429 | #AddEncoding x-gzip .gz .tgz 430 | # 431 | # If the AddEncoding directives above are commented-out, then you 432 | # probably should define those extensions to indicate media types: 433 | # 434 | AddType application/x-compress .Z 435 | AddType application/x-gzip .gz .tgz 436 | 437 | # 438 | # AddHandler allows you to map certain file extensions to "handlers": 439 | # actions unrelated to filetype. These can be either built into the server 440 | # or added with the Action directive (see below) 441 | # 442 | # To use CGI scripts outside of ScriptAliased directories: 443 | # (You will also need to add "ExecCGI" to the "Options" directive.) 444 | # 445 | #AddHandler cgi-script .cgi 446 | 447 | # For type maps (negotiated resources): 448 | #AddHandler type-map var 449 | 450 | # 451 | # Filters allow you to process content before it is sent to the client. 452 | # 453 | # To parse .shtml files for server-side includes (SSI): 454 | # (You will also need to add "Includes" to the "Options" directive.) 455 | # 456 | #AddType text/html .shtml 457 | #AddOutputFilter INCLUDES .shtml 458 | 459 | 460 | # 461 | # The mod_mime_magic module allows the server to use various hints from the 462 | # contents of the file itself to determine its type. The MIMEMagicFile 463 | # directive tells the module where the hint definitions are located. 464 | # 465 | #MIMEMagicFile conf/magic 466 | 467 | # 468 | # Customizable error responses come in three flavors: 469 | # 1) plain text 2) local redirects 3) external redirects 470 | # 471 | # Some examples: 472 | #ErrorDocument 500 "The server made a boo boo." 
473 | #ErrorDocument 404 /missing.html 474 | #ErrorDocument 404 "/cgi-bin/missing_handler.pl" 475 | #ErrorDocument 402 http://www.example.com/subscription_info.html 476 | # 477 | 478 | # 479 | # MaxRanges: Maximum number of Ranges in a request before 480 | # returning the entire resource, or one of the special 481 | # values 'default', 'none' or 'unlimited'. 482 | # Default setting is to accept 200 Ranges. 483 | #MaxRanges unlimited 484 | 485 | # 486 | # EnableMMAP and EnableSendfile: On systems that support it, 487 | # memory-mapping or the sendfile syscall may be used to deliver 488 | # files. This usually improves server performance, but must 489 | # be turned off when serving from network-mounted 490 | # filesystems or if support for these functions is otherwise 491 | # broken on your system. 492 | # Defaults: EnableMMAP On, EnableSendfile Off 493 | # 494 | #EnableMMAP off 495 | #EnableSendfile on 496 | 497 | # Supplemental configuration 498 | # 499 | # The configuration files in the conf/extra/ directory can be 500 | # included to add extra features or to modify the default configuration of 501 | # the server, or you may simply copy their contents here and change as 502 | # necessary. 
503 | 504 | # Server-pool management (MPM specific) 505 | #Include conf/extra/httpd-mpm.conf 506 | 507 | # Multi-language error messages 508 | #Include conf/extra/httpd-multilang-errordoc.conf 509 | 510 | # Fancy directory listings 511 | #Include conf/extra/httpd-autoindex.conf 512 | 513 | # Language settings 514 | #Include conf/extra/httpd-languages.conf 515 | 516 | # User home directories 517 | #Include conf/extra/httpd-userdir.conf 518 | 519 | # Real-time info on requests and configuration 520 | #Include conf/extra/httpd-info.conf 521 | 522 | # Virtual hosts 523 | #Include conf/extra/httpd-vhosts.conf 524 | 525 | # Local access to the Apache HTTP Server Manual 526 | #Include conf/extra/httpd-manual.conf 527 | 528 | # Distributed authoring and versioning (WebDAV) 529 | #Include conf/extra/httpd-dav.conf 530 | 531 | # Various default settings 532 | #Include conf/extra/httpd-default.conf 533 | 534 | # Configure mod_proxy_html to understand HTML4/XHTML1 535 | 536 | Include conf/extra/proxy-html.conf 537 | 538 | 539 | # Secure (SSL/TLS) connections 540 | # Include conf/extra/httpd-ssl.conf 541 | # 542 | # Note: The following must be present to support 543 | # starting without SSL on platforms with no /dev/random equivalent 544 | # but a statically compiled-in mod_ssl. 545 | # 546 | 547 | SSLRandomSeed startup builtin 548 | SSLRandomSeed connect builtin 549 | 550 | 551 | # Load custom VirtualHost configuration files 552 | IncludeOptional conf/sites/*.conf 553 | -------------------------------------------------------------------------------- /mod_proxy/demo3/httpd_mod_proxy/index.html: -------------------------------------------------------------------------------- 1 | 

Hello, World!

2 | -------------------------------------------------------------------------------- /mod_proxy/demo3/httpd_mod_proxy/site.conf: -------------------------------------------------------------------------------- 1 | 2 | ServerName chybeta4.httpd 3 | ServerAlias chybeta4.httpd 4 | ServerAdmin chybet4@gmail.com 5 | Protocols http/1.1 6 | LogLevel trace8 7 | ProxyPass "/backend" http://backend_server1:8085 8 | 9 | 10 | -------------------------------------------------------------------------------- /mod_proxy/demo3/start.sh: -------------------------------------------------------------------------------- 1 | echo killing old docker processes 2 | docker-compose rm -fs 3 | 4 | echo building docker containers 5 | docker-compose up --build -d -------------------------------------------------------------------------------- /mod_proxy/demo3/static/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CHYbeta/OddProxyDemo/e782f0e26a2e491b5e964256ee5aa51467bae94c/mod_proxy/demo3/static/1.png -------------------------------------------------------------------------------- /mod_proxy/demo3/static/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CHYbeta/OddProxyDemo/e782f0e26a2e491b5e964256ee5aa51467bae94c/mod_proxy/demo3/static/2.png -------------------------------------------------------------------------------- /nginx/demo1/README.md: -------------------------------------------------------------------------------- 1 | # README 2 | 3 | ``` 4 | ./start.sh 5 | 6 | # 关闭 7 | docker-compose rm -fs 8 | ``` 9 | 10 | ![](static/1.jpg) 11 | 12 | 具体分析见 [Nginx特殊场景绕过之一](https://t.zsxq.com/YFQB2NR) -------------------------------------------------------------------------------- /nginx/demo1/backend/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.6.7 2 | 3 | RUN mkdir -p /backend 4 | WORKDIR 
/backend 5 | COPY requirements.txt /backend 6 | RUN pip install --no-cache-dir -r requirements.txt 7 | 8 | COPY . /backend -------------------------------------------------------------------------------- /nginx/demo1/backend/gunicorn_demo.py: -------------------------------------------------------------------------------- 1 | from flask import Flask 2 | import logging 3 | 4 | 5 | app = Flask(__name__) 6 | gunicorn_error_logger = logging.getLogger('gunicorn.error') 7 | app.logger.handlers.extend(gunicorn_error_logger.handlers) 8 | app.logger.setLevel(logging.DEBUG) 9 | 10 | @app.route('/public', methods=['GET']) 11 | def public(): 12 | app.logger.debug('hit public') 13 | return "gunicorn public endpoint" 14 | 15 | 16 | @app.route('/private', methods=['GET']) 17 | def private(): 18 | app.logger.debug('hit private') 19 | return "gunicorn private endpoint" 20 | -------------------------------------------------------------------------------- /nginx/demo1/backend/requirements.txt: -------------------------------------------------------------------------------- 1 | gunicorn 2 | flask -------------------------------------------------------------------------------- /nginx/demo1/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | 5 | backend: 6 | container_name: chybeta.backend.demo1 7 | restart: always 8 | build: ./backend 9 | ports: 10 | - "8000:8000" 11 | command: gunicorn -w 1 -b :8000 gunicorn_demo:app --log-level DEBUG 12 | 13 | 14 | nginx: 15 | container_name: chybeta.nginx.demo1 16 | restart: always 17 | build: ./nginx 18 | ports: 19 | - "80:80" 20 | depends_on: 21 | - backend -------------------------------------------------------------------------------- /nginx/demo1/nginx/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM nginx:1.21.0 2 | 3 | RUN rm /etc/nginx/nginx.conf 4 | COPY nginx.conf /etc/nginx/ 5 | 6 | RUN rm 
/etc/nginx/conf.d/default.conf 7 | COPY project.conf /etc/nginx/conf.d/ 8 | -------------------------------------------------------------------------------- /nginx/demo1/nginx/nginx.conf: -------------------------------------------------------------------------------- 1 | # Define the user that will own and run the Nginx server 2 | user nginx; 3 | 4 | # Define the number of worker processes; recommended value is the number of 5 | # cores that are being used by your server 6 | worker_processes 1; 7 | 8 | # Define the location on the file system of the error log, plus the minimum 9 | # severity to log messages for 10 | error_log /var/log/nginx/error.log warn; 11 | 12 | # Define the file that will store the process ID of the main NGINX process 13 | pid /var/run/nginx.pid; 14 | 15 | 16 | # events block defines the parameters that affect connection processing. 17 | events { 18 | # Define the maximum number of simultaneous connections that can be opened by a worker process 19 | worker_connections 1024; 20 | } 21 | 22 | 23 | # http block defines the parameters for how NGINX should handle HTTP web traffic 24 | http { 25 | # Include the file defining the list of file types that are supported by NGINX 26 | include /etc/nginx/mime.types; 27 | 28 | # Define the default file type that is returned to the user 29 | default_type text/html; 30 | 31 | # Define the format of log messages. 
32 | log_format main '$remote_addr - $remote_user [$time_local] "$request" ' 33 | '$status $body_bytes_sent "$http_referer" ' 34 | '"$http_user_agent" "$http_x_forwarded_for"'; 35 | 36 | # Define the location of the log of access attempts to NGINX 37 | access_log /var/log/nginx/access.log main; 38 | 39 | # Define the parameters to optimize the delivery of static content 40 | sendfile on; 41 | tcp_nopush on; 42 | tcp_nodelay on; 43 | 44 | # Define the timeout value for keep-alive connections with the client 45 | keepalive_timeout 65; 46 | 47 | # Define the usage of the gzip compression algorithm to reduce the amount of data to transmit 48 | #gzip on; 49 | 50 | # Include additional parameters for virtual host(s)/server(s) 51 | include /etc/nginx/conf.d/*.conf; 52 | } -------------------------------------------------------------------------------- /nginx/demo1/nginx/project.conf: -------------------------------------------------------------------------------- 1 | server { 2 | 3 | listen 80; 4 | server_name docker_flask_gunicorn_nginx; 5 | 6 | location /public { 7 | proxy_pass http://backend:8000; 8 | } 9 | 10 | } -------------------------------------------------------------------------------- /nginx/demo1/start.sh: -------------------------------------------------------------------------------- 1 | echo killing old docker processes 2 | docker-compose rm -fs 3 | 4 | echo building docker containers 5 | docker-compose up --build -d -------------------------------------------------------------------------------- /nginx/demo1/static/1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CHYbeta/OddProxyDemo/e782f0e26a2e491b5e964256ee5aa51467bae94c/nginx/demo1/static/1.jpg -------------------------------------------------------------------------------- /nginx/demo2/README.md: -------------------------------------------------------------------------------- 1 | # README 2 | 3 | ``` 4 | ./start.sh 5 | 6 | # 关闭 
7 | docker-compose rm -fs 8 | ``` 9 | 10 | ![](static/1.jpg) 11 | 12 | 具体分析见 [Nginx 场景绕过之二: 斜杠(trailing slash) 与 #(Weblogic为例) ](https://t.zsxq.com/FYni6mM) -------------------------------------------------------------------------------- /nginx/demo2/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | 5 | backend: 6 | container_name: chybeta.backend.demo2 7 | restart: always 8 | image: vulhub/weblogic:12.2.1.3-2018 9 | ports: 10 | - "7001:7001" 11 | 12 | nginx: 13 | container_name: chybeta.nginx.demo2 14 | restart: always 15 | build: ./nginx 16 | ports: 17 | - "80:80" 18 | depends_on: 19 | - backend -------------------------------------------------------------------------------- /nginx/demo2/nginx/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM nginx:1.21.0 2 | 3 | RUN rm /etc/nginx/nginx.conf 4 | COPY nginx.conf /etc/nginx/ 5 | 6 | RUN rm /etc/nginx/conf.d/default.conf 7 | COPY project.conf /etc/nginx/conf.d/ 8 | -------------------------------------------------------------------------------- /nginx/demo2/nginx/nginx.conf: -------------------------------------------------------------------------------- 1 | # Define the user that will own and run the Nginx server 2 | user nginx; 3 | 4 | # Define the number of worker processes; recommended value is the number of 5 | # cores that are being used by your server 6 | worker_processes 1; 7 | 8 | # Define the location on the file system of the error log, plus the minimum 9 | # severity to log messages for 10 | error_log /var/log/nginx/error.log warn; 11 | 12 | # Define the file that will store the process ID of the main NGINX process 13 | pid /var/run/nginx.pid; 14 | 15 | 16 | # events block defines the parameters that affect connection processing. 
17 | events { 18 | # Define the maximum number of simultaneous connections that can be opened by a worker process 19 | worker_connections 1024; 20 | } 21 | 22 | 23 | # http block defines the parameters for how NGINX should handle HTTP web traffic 24 | http { 25 | # Include the file defining the list of file types that are supported by NGINX 26 | include /etc/nginx/mime.types; 27 | 28 | # Define the default file type that is returned to the user 29 | default_type text/html; 30 | 31 | # Define the format of log messages. 32 | log_format main '$remote_addr - $remote_user [$time_local] "$request" ' 33 | '$status $body_bytes_sent "$http_referer" ' 34 | '"$http_user_agent" "$http_x_forwarded_for"'; 35 | 36 | # Define the location of the log of access attempts to NGINX 37 | access_log /var/log/nginx/access.log main; 38 | 39 | # Define the parameters to optimize the delivery of static content 40 | sendfile on; 41 | tcp_nopush on; 42 | tcp_nodelay on; 43 | 44 | # Define the timeout value for keep-alive connections with the client 45 | keepalive_timeout 65; 46 | 47 | # Define the usage of the gzip compression algorithm to reduce the amount of data to transmit 48 | #gzip on; 49 | 50 | # Include additional parameters for virtual host(s)/server(s) 51 | include /etc/nginx/conf.d/*.conf; 52 | } -------------------------------------------------------------------------------- /nginx/demo2/nginx/project.conf: -------------------------------------------------------------------------------- 1 | server { 2 | 3 | listen 80; 4 | server_name docker_nginx; 5 | 6 | location /console/ { 7 | deny all; 8 | return 403; 9 | } 10 | 11 | location / { 12 | proxy_pass http://backend:7001; 13 | } 14 | } -------------------------------------------------------------------------------- /nginx/demo2/start.sh: -------------------------------------------------------------------------------- 1 | echo killing old docker processes 2 | docker-compose rm -fs 3 | 4 | echo building docker containers 5 | 
docker-compose up --build -d -------------------------------------------------------------------------------- /nginx/demo2/static/1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CHYbeta/OddProxyDemo/e782f0e26a2e491b5e964256ee5aa51467bae94c/nginx/demo2/static/1.jpg -------------------------------------------------------------------------------- /nginx/demo3/README.md: -------------------------------------------------------------------------------- 1 | # README 2 | 3 | ``` 4 | ./start.sh 5 | 6 | # 关闭 7 | docker-compose rm -fs 8 | ``` 9 | 10 | 访问 Weblogic 控制台,触发策略,403 11 | 12 | ![](static/1.jpg) 13 | 14 | 利用路径参数进行绕过,访问到控制台 15 | ![](static/2.jpg) 16 | 17 | 具体分析见 [Nginx 场景绕过之三: 斜杠(trailing slash) 与 ;(Weblogic为例)](https://t.zsxq.com/MNjIaMr) -------------------------------------------------------------------------------- /nginx/demo3/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | 5 | backend: 6 | container_name: chybeta.backend.demo3 7 | restart: always 8 | image: vulhub/weblogic:12.2.1.3-2018 9 | ports: 10 | - "7001:7001" 11 | 12 | nginx: 13 | container_name: chybeta.nginx.demo3 14 | restart: always 15 | build: ./nginx 16 | ports: 17 | - "80:80" 18 | depends_on: 19 | - backend -------------------------------------------------------------------------------- /nginx/demo3/nginx/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM nginx:1.21.0 2 | 3 | RUN rm /etc/nginx/nginx.conf 4 | COPY nginx.conf /etc/nginx/ 5 | 6 | RUN rm /etc/nginx/conf.d/default.conf 7 | COPY project.conf /etc/nginx/conf.d/ 8 | -------------------------------------------------------------------------------- /nginx/demo3/nginx/nginx.conf: -------------------------------------------------------------------------------- 1 | # Define the user that will own and run the Nginx server 2 | user 
nginx; 3 | 4 | # Define the number of worker processes; recommended value is the number of 5 | # cores that are being used by your server 6 | worker_processes 1; 7 | 8 | # Define the location on the file system of the error log, plus the minimum 9 | # severity to log messages for 10 | error_log /var/log/nginx/error.log warn; 11 | 12 | # Define the file that will store the process ID of the main NGINX process 13 | pid /var/run/nginx.pid; 14 | 15 | 16 | # events block defines the parameters that affect connection processing. 17 | events { 18 | # Define the maximum number of simultaneous connections that can be opened by a worker process 19 | worker_connections 1024; 20 | } 21 | 22 | 23 | # http block defines the parameters for how NGINX should handle HTTP web traffic 24 | http { 25 | # Include the file defining the list of file types that are supported by NGINX 26 | include /etc/nginx/mime.types; 27 | 28 | # Define the default file type that is returned to the user 29 | default_type text/html; 30 | 31 | # Define the format of log messages. 
32 | log_format main '$remote_addr - $remote_user [$time_local] "$request" ' 33 | '$status $body_bytes_sent "$http_referer" ' 34 | '"$http_user_agent" "$http_x_forwarded_for"'; 35 | 36 | # Define the location of the log of access attempts to NGINX 37 | access_log /var/log/nginx/access.log main; 38 | 39 | # Define the parameters to optimize the delivery of static content 40 | sendfile on; 41 | tcp_nopush on; 42 | tcp_nodelay on; 43 | 44 | # Define the timeout value for keep-alive connections with the client 45 | keepalive_timeout 65; 46 | 47 | # Define the usage of the gzip compression algorithm to reduce the amount of data to transmit 48 | #gzip on; 49 | 50 | # Include additional parameters for virtual host(s)/server(s) 51 | include /etc/nginx/conf.d/*.conf; 52 | } -------------------------------------------------------------------------------- /nginx/demo3/nginx/project.conf: -------------------------------------------------------------------------------- 1 | server { 2 | 3 | listen 80; 4 | server_name docker_nginx; 5 | 6 | location /console/ { # prefix match on nginx's normalized URI; the README shows it bypassed with a ';' path parameter, presumably because WebLogic maps such a URI onto /console/ while nginx does not — a proxy-side deny is not an authorization boundary, the upstream has to enforce access itself 7 | deny all; 8 | return 403; 9 | } 10 | 11 | location / { 12 | proxy_pass http://backend:7001; 13 | } 14 | } -------------------------------------------------------------------------------- /nginx/demo3/start.sh: -------------------------------------------------------------------------------- 1 | echo killing old docker processes 2 | docker-compose rm -fs 3 | 4 | echo building docker containers 5 | docker-compose up --build -d -------------------------------------------------------------------------------- /nginx/demo3/static/1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CHYbeta/OddProxyDemo/e782f0e26a2e491b5e964256ee5aa51467bae94c/nginx/demo3/static/1.jpg -------------------------------------------------------------------------------- /nginx/demo3/static/2.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/CHYbeta/OddProxyDemo/e782f0e26a2e491b5e964256ee5aa51467bae94c/nginx/demo3/static/2.jpg -------------------------------------------------------------------------------- /nginx/demo4/README.md: -------------------------------------------------------------------------------- 1 | # README 2 | 3 | ``` 4 | ./start.sh 5 | 6 | # 关闭 7 | docker-compose rm -fs 8 | ``` 9 | ![img.png](img.png) 10 | 11 | 具体分析见 [SNI Proxy SSRF](https://articles.zsxq.com/id_wxj3f0pgbhfi.html) -------------------------------------------------------------------------------- /nginx/demo4/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | nginx: 5 | container_name: chybeta.nginx.demo4 6 | restart: always 7 | build: ./nginx 8 | ports: 9 | - "443:443" 10 | 11 | -------------------------------------------------------------------------------- /nginx/demo4/img.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CHYbeta/OddProxyDemo/e782f0e26a2e491b5e964256ee5aa51467bae94c/nginx/demo4/img.png -------------------------------------------------------------------------------- /nginx/demo4/nginx/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM nginx:alpine-slim 2 | 3 | RUN rm /etc/nginx/nginx.conf 4 | COPY nginx.conf /etc/nginx/ 5 | 6 | -------------------------------------------------------------------------------- /nginx/demo4/nginx/nginx.conf: -------------------------------------------------------------------------------- 1 | # Define the user that will own and run the Nginx server 2 | user nginx; 3 | 4 | # Define the number of worker processes; recommended value is the number of 5 | # cores that are being used by your server 6 | worker_processes 1; 7 | 8 | # Define the location on the file system of the error log, plus the minimum 9 | # severity to log messages for 10 
| error_log /var/log/nginx/error.log warn; 11 | 12 | # Define the file that will store the process ID of the main NGINX process 13 | pid /var/run/nginx.pid; 14 | 15 | 16 | # events block defines the parameters that affect connection processing. 17 | events { 18 | # Define the maximum number of simultaneous connections that can be opened by a worker process 19 | worker_connections 1024; 20 | } 21 | 22 | stream { 23 | server { 24 | listen 443; 25 | resolver 8.8.8.8; 26 | proxy_pass $ssl_preread_server_name:80; # the upstream host is taken verbatim from the client's TLS SNI, so any name 8.8.8.8 resolves becomes a reachable upstream on port 80 — the SSRF the README demonstrates; outside the lab, pin the allowed server names with a stream `map` instead of forwarding the raw variable 27 | ssl_preread on; 28 | } 29 | } 30 | 31 | # http block defines the parameters for how NGINX should handle HTTP web traffic 32 | http { 33 | # Include the file defining the list of file types that are supported by NGINX 34 | include /etc/nginx/mime.types; 35 | 36 | # Define the default file type that is returned to the user 37 | default_type text/html; 38 | 39 | # Define the format of log messages. 40 | log_format main '$remote_addr - $remote_user [$time_local] "$request" ' 41 | '$status $body_bytes_sent "$http_referer" ' 42 | '"$http_user_agent" "$http_x_forwarded_for"'; 43 | 44 | # Define the location of the log of access attempts to NGINX 45 | access_log /var/log/nginx/access.log main; 46 | 47 | # Define the parameters to optimize the delivery of static content 48 | sendfile on; 49 | tcp_nopush on; 50 | tcp_nodelay on; 51 | 52 | # Define the timeout value for keep-alive connections with the client 53 | keepalive_timeout 65; 54 | 55 | # Define the usage of the gzip compression algorithm to reduce the amount of data to transmit 56 | #gzip on; 57 | 58 | # Include additional parameters for virtual host(s)/server(s) 59 | include /etc/nginx/conf.d/*.conf; 60 | } -------------------------------------------------------------------------------- /nginx/demo4/start.sh: -------------------------------------------------------------------------------- 1 | echo killing old docker processes 2 | docker-compose rm -fs 3 | 4 | echo building docker containers 5 | 
docker-compose up --build -d -------------------------------------------------------------------------------- /nginx/demo5/README.md: -------------------------------------------------------------------------------- 1 | # README 2 | 3 | ``` 4 | ./start.sh 5 | 6 | # 关闭 7 | docker-compose rm -fs 8 | ``` 9 | 10 | ![img.png](img.png) 11 | 12 | 具体分析见 [Nginx X-Accel-Redirect 导致的文件读取](https://wx.zsxq.com/dweb2/index/topic_detail/2855224411258851) -------------------------------------------------------------------------------- /nginx/demo5/backend/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.6.7 2 | 3 | RUN mkdir -p /backend 4 | WORKDIR /backend 5 | COPY requirements.txt /backend 6 | RUN pip install --no-cache-dir -r requirements.txt 7 | 8 | COPY . /backend -------------------------------------------------------------------------------- /nginx/demo5/backend/gunicorn_demo.py: -------------------------------------------------------------------------------- 1 | from flask import Flask, request, make_response 2 | import logging 3 | 4 | 5 | app = Flask(__name__) 6 | gunicorn_error_logger = logging.getLogger('gunicorn.error') 7 | app.logger.handlers.extend(gunicorn_error_logger.handlers) 8 | app.logger.setLevel(logging.DEBUG) 9 | 10 | @app.route('/') 11 | def allroute(path): # NOTE(review): the route '/' declares no <path> variable, so Flask invokes this view with no arguments and every request fails with a TypeError (HTTP 500); `path=None` or dropping the parameter is presumably what was intended 12 | try: 13 | resp_header = request.args.get("resp_header", "") 14 | resp_header_value = request.args.get("resp_header_value", "") 15 | add_header_json = {} 16 | if resp_header and resp_header_value: 17 | add_header_json = {resp_header: resp_header_value} # deliberately echoes a client-chosen response header name and value; this is the demo's X-Accel-Redirect trigger, which nginx in this demo honours against `root /` — outside the lab, response header names must never be taken from the request 18 | return 'Hello world', 200, add_header_json 19 | 20 | except Exception as e: 21 | print(e) # swallows the error and returns None, which Flask turns into a 500 anyway; app.logger.exception(e) would keep the traceback in the gunicorn error log that is wired up above 22 | -------------------------------------------------------------------------------- /nginx/demo5/backend/requirements.txt: -------------------------------------------------------------------------------- 1 | gunicorn 2 | flask 
-------------------------------------------------------------------------------- /nginx/demo5/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | nginx: 5 | container_name: chybeta.nginx.demo5 6 | restart: always 7 | build: ./nginx 8 | ports: 9 | - "8000:8000" 10 | 11 | backend: 12 | container_name: chybeta.backend.demo5 13 | restart: always 14 | build: ./backend 15 | command: gunicorn -w 1 -b :5555 gunicorn_demo:app --log-level DEBUG 16 | -------------------------------------------------------------------------------- /nginx/demo5/img.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CHYbeta/OddProxyDemo/e782f0e26a2e491b5e964256ee5aa51467bae94c/nginx/demo5/img.png -------------------------------------------------------------------------------- /nginx/demo5/nginx/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM nginx:alpine-slim 2 | 3 | RUN rm /etc/nginx/nginx.conf 4 | COPY nginx.conf /etc/nginx/ 5 | 6 | -------------------------------------------------------------------------------- /nginx/demo5/nginx/nginx.conf: -------------------------------------------------------------------------------- 1 | # Define the user that will own and run the Nginx server 2 | user nginx; 3 | 4 | # Define the number of worker processes; recommended value is the number of 5 | # cores that are being used by your server 6 | worker_processes 1; 7 | 8 | # Define the location on the file system of the error log, plus the minimum 9 | # severity to log messages for 10 | error_log /var/log/nginx/error.log warn; 11 | 12 | # Define the file that will store the process ID of the main NGINX process 13 | pid /var/run/nginx.pid; 14 | 15 | 16 | # events block defines the parameters that affect connection processing. 
17 | events { 18 | # Define the maximum number of simultaneous connections that can be opened by a worker process 19 | worker_connections 1024; 20 | } 21 | 22 | http { 23 | include /etc/nginx/mime.types; # default MIME types 24 | 25 | server { 26 | listen 8000; 27 | server_name localhost; 28 | root /; # the document root is the container's filesystem root; nginx honours X-Accel-Redirect on proxied responses by default, so a header set by the backend (see backend/gunicorn_demo.py) makes nginx serve any file it can read — the demo's point. Outside the lab, serve accelerated files from an `internal` location with a confined root 29 | 30 | location / { 31 | proxy_pass "http://chybeta.backend.demo5:5555/"; 32 | } 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /nginx/demo5/start.sh: -------------------------------------------------------------------------------- 1 | echo killing old docker processes 2 | docker-compose rm -fs 3 | 4 | echo building docker containers 5 | docker-compose up --build -d -------------------------------------------------------------------------------- /squid/demo1/README.md: -------------------------------------------------------------------------------- 1 | 2 | # README.md 3 | ``` 4 | ./start.sh 5 | 6 | # 关闭 7 | docker-compose rm -fs 8 | ``` 9 | 10 | ![](static/1.jpg) 11 | 12 | 具体分析见 [Squid 场景绕过之一](https://t.zsxq.com/E666unU) -------------------------------------------------------------------------------- /squid/demo1/backend/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.6.7 2 | 3 | RUN mkdir -p /backend 4 | COPY . 
/backend 5 | WORKDIR /backend 6 | 7 | RUN python3 -m pip install -r requirements.txt 8 | -------------------------------------------------------------------------------- /squid/demo1/backend/requirements.txt: -------------------------------------------------------------------------------- 1 | flask -------------------------------------------------------------------------------- /squid/demo1/backend/secret.txt: -------------------------------------------------------------------------------- 1 | private -------------------------------------------------------------------------------- /squid/demo1/backend/server.py: -------------------------------------------------------------------------------- 1 | from flask import Flask, Response 2 | 3 | app = Flask(__name__) 4 | 5 | 6 | @app.route('/secret', methods=['GET']) 7 | def secret(): # the "restricted destination" endpoint that squid's dst ACL is meant to block 8 | return "secret" 9 | 10 | 11 | if __name__ == "__main__": 12 | app.run(debug=True, host="0.0.0.0", port=8000) # debug=True enables the Werkzeug debugger and reloader, bound on all interfaces — acceptable for the lab, not for anything reachable beyond it 13 | -------------------------------------------------------------------------------- /squid/demo1/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | 5 | backend: 6 | container_name: chybeta.squid.demo1.backend 7 | restart: always 8 | build: ./backend 9 | ports: 10 | - "8000:8000" # publishes the backend on the host as well, so it is reachable without passing through squid's ACL at all; lab convenience only 11 | command: python3 server.py 12 | networks: 13 | app_net: 14 | ipv4_address: 172.0.0.200 15 | 16 | squid: 17 | container_name: chybeta.squid.demo1.squid 18 | image: sameersbn/squid:3.5.27-2 19 | restart: always 20 | volumes: 21 | - "./squid/squid.conf:/etc/squid/squid.conf" 22 | ports: 23 | - "3128:3128" 24 | depends_on: 25 | - backend 26 | networks: 27 | app_net: 28 | ipv4_address: 172.0.0.201 29 | 30 | networks: 31 | app_net: 32 | ipam: 33 | driver: default 34 | config: 35 | - subnet: "172.0.0.1/24" # 172.0.0.0/24 is public address space, not RFC 1918 (that is 172.16.0.0/12); it works on the isolated compose network but may shadow real routes on the host -------------------------------------------------------------------------------- /squid/demo1/squid/squid.conf: 
-------------------------------------------------------------------------------- 1 | acl SSL_ports port 443 2 | acl Safe_ports port 80 3 | acl Safe_ports port 21 4 | acl Safe_ports port 443 5 | acl Safe_ports port 70 6 | acl Safe_ports port 210 7 | acl Safe_ports port 1025-65535 8 | acl Safe_ports port 280 9 | acl Safe_ports port 488 10 | acl Safe_ports port 591 11 | acl Safe_ports port 777 12 | acl Safe_ports port 0 # urn 13 | 14 | acl restricted_destination_ip dst 172.0.0.200 15 | http_access deny restricted_destination_ip # dst matches on the resolved destination IP; the README's URN request (port 0 is allowed above) is presumably not evaluated against it the same way, which is the ACL bypass demonstrated — block by destination at the backend/network too, not only here 16 | http_access allow all # no http_access rule references Safe_ports or SSL_ports, so those ACLs are dead and every other destination and port is allowed: an open proxy on 3128, lab only 17 | 18 | http_port 0.0.0.0:3128 -------------------------------------------------------------------------------- /squid/demo1/start.sh: -------------------------------------------------------------------------------- 1 | echo killing old docker processes 2 | docker-compose rm -fs 3 | 4 | echo building docker containers 5 | docker-compose up --build -d 6 | 7 | docker-compose logs -f -------------------------------------------------------------------------------- /squid/demo1/static/1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CHYbeta/OddProxyDemo/e782f0e26a2e491b5e964256ee5aa51467bae94c/squid/demo1/static/1.jpg --------------------------------------------------------------------------------