by Sanddancer 3897 days ago
It's really, really easy to misconfigure mod_proxy and set yourself up as an open proxy. The ProxyRequests directive sounds like it should be needed for any sort of proxying, but is only really needed if you're allowing your apache instance to act as a forward proxy, not as a reverse proxy. For reverse proxying, which is what you want most of the time, you really want ProxyPass and ProxyPassReverse.

The phrase "[my blog] was being hosted on another port because apache was taking up the internet http port 80" sounds like the reason they were trying to set up a reverse-proxy.

Apache docs have an obvious warning about ProxyRequests and security: https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxyre... .

This config snippet looks like it was copied/modified without understanding:

        <Proxy *>
                AddDefaultCharset off
                Order deny,allow
                Allow from .example.com
        </Proxy>
Example.com? If you read the docs on Order (https://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#or...), you see that Deny,Allow defaults to allow, so that's why it's an open proxy.

Above that, there is a comment "turning ProxyRequests on and allowing proxying from all may allow spammers to use your proxy to send email", so I guess it was somewhat safe originally, until ProxyRequests was changed to On without reading and understanding the comment.
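Added example, not posted by anyone in this thread and not an Apache tool: a small POSIX shell check that flags the accidental-open-proxy pattern discussed above (ProxyRequests On combined with a `<Proxy *>` block whose Order deny,allow has no Deny rule). It runs against three constructed httpd.conf fragments embedded in the script: the leaky one quoted above, the reverse-proxy-only fix the thread recommends, and a forward proxy that is deliberately closed. The backend URL http://127.0.0.1:2368/ is an assumption (a Ghost blog on its usual port); the check only understands the Apache 2.2 directives seen in the thread and is a heuristic, not a full access-control evaluator.

```shell
#!/bin/sh
# Added example (not from the thread, not Apache's own tooling): a heuristic
# check for the accidental-open-proxy pattern. It understands only the
# Apache 2.2 directives seen in the thread (ProxyRequests, <Proxy *>, Order,
# Allow, Deny) and does not evaluate the full access-control semantics.

# Constructed: the leaky configuration from the post. ProxyRequests On turns on
# forward proxying, and the <Proxy *> block uses Order deny,allow with no Deny
# rule, so a client that does not match ".example.com" is still allowed.
# The backend URL (assumed: a Ghost blog on 127.0.0.1:2368) is an assumption.
LEAKY_CONF='ProxyRequests On
<Proxy *>
        AddDefaultCharset off
        Order deny,allow
        Allow from .example.com
</Proxy>
ProxyPass / http://127.0.0.1:2368/
ProxyPassReverse / http://127.0.0.1:2368/'

# Constructed: the fix the thread recommends. A reverse proxy needs only
# ProxyPass/ProxyPassReverse; ProxyRequests Off disables forward proxying.
FIXED_CONF='ProxyRequests Off
ProxyPass / http://127.0.0.1:2368/
ProxyPassReverse / http://127.0.0.1:2368/'

# Constructed: a deliberate forward proxy that is actually closed. With
# Order deny,allow the Deny rules are evaluated first, so Deny from all plus
# Allow from 192.168.0 lets only that network through.
CLOSED_FORWARD_CONF='ProxyRequests On
<Proxy *>
        Order deny,allow
        Deny from all
        Allow from 192.168.0
</Proxy>'

# is_open_proxy CONFIG_TEXT
# Exit status 0 if the text looks like an open forward proxy, 1 otherwise.
is_open_proxy() {
    printf '%s\n' "$1" | awk '
        { line = tolower($0); sub(/^[ \t]+/, "", line) }
        line ~ /^#/ { next }
        line ~ /^proxyrequests[ \t]+on([ \t]|$)/ { fwd = 1 }
        line ~ /^<proxy[ \t]+\*>/ {
            inblock = 1; seen_block = 1
            order_da = 0; deny_all = 0; allow_all = 0
            next
        }
        inblock && line ~ /^<\/proxy>/ {
            inblock = 0
            # Order deny,allow with no Deny rule admits everyone (the
            # default for that ordering is allow); Allow from all admits
            # everyone whatever the Order.
            if (allow_all || (order_da && !deny_all)) open_block = 1
            next
        }
        inblock && line ~ /^order[ \t]+deny,allow/   { order_da = 1 }
        inblock && line ~ /^deny[ \t]+from[ \t]+all/  { deny_all = 1 }
        inblock && line ~ /^allow[ \t]+from[ \t]+all/ { allow_all = 1 }
        END {
            # Forward proxying with no <Proxy *> block at all is open too.
            if (fwd && (!seen_block || open_block)) exit 0
            exit 1
        }
    '
}

for name in LEAKY_CONF FIXED_CONF CLOSED_FORWARD_CONF; do
    eval "conf=\$$name"
    if is_open_proxy "$conf"; then
        echo "$name: OPEN forward proxy"
    else
        echo "$name: not an open proxy"
    fi
done
```

Run it as-is to see the three verdicts, or feed a real file with `is_open_proxy "$(cat /etc/apache2/apache2.conf)"`. A flag from this check means the config deserves a read of the ProxyRequests and Order docs, not that every client can necessarily reach the proxy; and a clean result only covers the directives the script knows about.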

I made the mistake of thinking it was harmless to enable. Also, with the solutions I've found online for enabling 'ghost blog with apache virtualhosts'. I guess someone trolled me.
It's a good idea to always look up the docs on directives in apache configs you are copy-pasting from the internet, to make sure you know what they are doing.

For that matter, this probably applies to just about anything you copy paste on the internet. Understand what you're pasting, look up the docs if you don't or aren't sure or are using something you haven't seen before.

But apache httpd configs can be especially tricky. The accidental open proxy is definitely something that gets lots of people, you are not alone. The apache httpd directive names have a lot of 'legacy' in them, and probably should have been named more clearly in retrospect (I assume the apache httpd forward proxy feature came first, and reverse proxy was only added later; but in 2015 reverse proxy is a lot more common a thing to want).

(But the solution to an accidental open proxy, if you didn't mean to be forward proxying at all.... is turning off the forward proxy in apache httpd, not other weird workarounds).

> If you read the docs on Order

That's yet another example of apache config violating POLS (Principle Of Least Astonishment). You have a set of Allow rules and a set of Deny rules. If a request does not match a rule in either set, then what happens to the request depends on the ordering of these non-matching rulesets (!!) instead of a reasonable default with an explicitly configured alternate option.

It's also a bad name - there's no hint that this affects the default action; you just have to know ahead of time.