I'm quite new to Web hosting and have recently set up a WAMP server, ie running Apache. In my access log recently I have been getting messages like:
208.52.175.87 - - [22/Jun/2009:10:14:15 +0100] "CONNECT 64.12.200.89:443 HTTP/1.0" 200 6967
208.52.175.87 - - [22/Jun/2009:10:16:16 +0100] "CONNECT 205.188.251.1:443 HTTP/1.0" 200 6967
208.52.175.87 - - [22/Jun/2009:10:18:16 +0100] "CONNECT 205.188.251.6:443 HTTP/1.0" 200 6967
208.52.175.87 - - [22/Jun/2009:10:20:17 +0100] "CONNECT 205.188.251.11:443 HTTP/1.0" 200 6967
208.52.175.87 - - [22/Jun/2009:10:22:17 +0100] "CONNECT 64.12.161.153:443 HTTP/1.0" 200 6967
208.52.175.87 - - [22/Jun/2009:10:24:17 +0100] "CONNECT 205.188.251.16:443 HTTP/1.0" 200 6967
I'm concerned as my web server is returning a message 200 which I guess means a page is being returned. Can somone explain what is going on? Should I be concerned? What does CONNECT mean?
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
I think I said that wrong. Rather than using a proxy to connect to you, they are trying to use you as a proxy.
Make sure that mod_proxy is not enabled in Apache. If it is not, you should be safe. For more information you can take a look at Apache's wiki page on Proxy Abuse:
http://wiki.apache.org/htt
Thanks Brokenkeys
However, i'm not convinced as I would expect to see a 'GET' message not 'CONNECT'. I don't have mod_proxy enabled. I don't understand why Apache is returning value 200 as there is no absolute URLs in the request-URL (Section - "My server is properly configured not to proxy, so why is Apache returning a 200 (Success) status code?" from "http://wiki.apache.org/ht
If you read further down that wiki page, there is a section called "What about these strange CONNECT requests?" From the explanation:
"Everything mentioned above applies equally to this case. But normally, as long as the proxy is disabled, Apache would respond to such requests with status code 405 (Method not allowed). The fact that a success status code is returned indicates that a third-party module is processing the CONNECT requests. The most likely culprit is php, which in its default configuration will accept all methods and treat them identically.
"This isn't inherently a problem since php will handle the request locally and will not proxy to the foreign host. But it is still a good idea to configure php to accept only specific methods (using the php configuration setting http.allowed_methods) or have your php script reject requests for non-standard methods."
What version of PHP is installed? What version of Apache? "http.allowed_methods" was made obsolete back in 2006.
Before posting this, I had tried to replicate the CONNECT status with my own web server (Apache's httpd v2.2.10; PHP v5.2.8). The only way that I succeeded in getting a status of 200 was to specifically enable proxying by inserting the modules and using "ProxyRequests On" in my httpd.conf. There is nothing that deals with CONNECT in any of my configuration files.
My guess is that an upgrade would also change this behavior for you. As long as the proxy module is disabled, it should not pose a security problem. It's just an annoyance to see it in the logs.
Incidentally, the CONNECT requests to specific IP addresses is more likely to be caused by somebody looking for a proxy. If you set your server as the proxy address in your web browser then you would see GET requests. To test things like this, it's easier to use netcat or telnet to connect (on port 80) so that you can craft the request yourself. In the case of HTTP/1.0, you can copy the request straight from the access log and then hit enter twice to tell Apache that it is the entire request.
Thanks Brokenkeys for the time you have spent writing this post
I am using WAMP server Version 2.0 (PHP 5.2.8, Apache 2.2.11)
I have no references to "proxy" anywehere in the php.ini and only have these references to proxy in my httpd.conf file :
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer
#LoadModule proxy_connect_module modules/mod_proxy_connect.
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
I tried:
telnet villasofcyprus.co.uk 80 (my domain)
GET http://www.yahoo.com/ HTTP/1.1
Host: www.yahoo.com
and it just returned content from my own site, so I'm hoping my security is ok
Business Accounts
Answer for Membership
by: BrokenKeysPosted on 2009-06-22 at 13:17:08ID: 24686104
From http://www.w3.org/Protocol
"This specification reserves the method name CONNECT for use with a proxy that can dynamically switch to being a tunnel (e.g. SSL tunneling [44])."
It looks like somebody is connecting to the web server via proxy. The HTTP/1.0 might also be a good indicator of this as it does not support the HTTP Keep-Alive header.