Seeing HTTP CONNECT requests with Ethereal - should I worry?

Status
Not open for further replies.

greenbirdweb

Technical User
Mar 1, 2005
9
US
Hello,

While running the Ethereal network analyzer on my server, I notice a lot of "CONNECT news98.idv.tw:25" coming through. As near as I can tell (can't find much info on CONNECT through Google) this method hasn't ever been fully implemented. My server responds to this request with "200 OK", and then sends the /index.html file. I can't tell if this behavior is something that should be reined in, or if it's benign enough to be ignored. My preference would be to have the server respond with a "403 Forbidden", but I haven't figured out how to make Apache do that when it sees a "CONNECT" request. Anyone have any ideas?

Much appreciated.
 
No one knows how to make Apache reject HTTP "CONNECT" requests? I have seen an increased number of these requests coming in, pointing at microsoft.com, yahoo.com, hotmail.com, etc. I don't like it.
 
Have you read the docs on mod_proxy_connect?

CONNECT is a proxy request for a tunnel connection, and it has been implemented. If you don't need SSL on your server you could change the AllowConnect settings to exclude the defaults. Finer grained control might require enhancing the mod_proxy_connect module or intercepting the request in a mod_perl/mod_python type handler.
 
Actually, after seeing a way to send a specific response code on another forum, I looked into mod_rewrite. I added the following code to my httpd.conf file, and BAM!... "CONNECT" and "SEARCH" requests now get rejected with "403 Forbidden."

...
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^CONNECT$ [OR]
RewriteCond %{REQUEST_METHOD} ^SEARCH$
RewriteRule ^.*$ %N [F]
...

There ya go. I'm sure I'm not the only one trying to do this kind of thing, so hope this is helpful to someone else.
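One way to confirm from the access log that the rewrite rule took effect, as an added example that is not part of the original thread: it tallies CONNECT and SEARCH requests and lists any that were answered with something other than 403. It assumes Apache's common/combined log format; the sample lines, addresses and hostnames are constructed.

```python
import re
from collections import Counter

# Apache common/combined log format (assumed):
#   host ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) '
)

WATCHED = {"CONNECT", "SEARCH"}  # the two methods the rewrite rule rejects


def audit(lines, watched=WATCHED):
    """Return (rejected, leaked).

    rejected: Counter of (method, target) pairs answered with 403.
    leaked:   list of (client, method, target, status) for watched-method
              requests that got any other status, e.g. the "200 OK" plus
              index.html behaviour described in the first post.
    """
    rejected, leaked = Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in watched:
            continue  # unparseable line or an ordinary method
        if m["status"] == "403":
            rejected[(m["method"], m["target"])] += 1
        else:
            leaked.append(
                (m["client"], m["method"], m["target"], int(m["status"]))
            )
    return rejected, leaked


# Constructed sample: one CONNECT logged before the rule, the rest after it.
SAMPLE = [
    '192.0.2.10 - - [01/Mar/2005:10:00:01 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 200 1456 "-" "-"',
    '192.0.2.10 - - [01/Mar/2005:10:05:12 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 403 202 "-" "-"',
    '198.51.100.7 - - [01/Mar/2005:10:06:40 -0500] "SEARCH / HTTP/1.1" 403 202 "-" "-"',
    '203.0.113.5 - - [01/Mar/2005:10:07:02 -0500] "GET /index.html HTTP/1.1" 200 1456 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    rejected, leaked = audit(SAMPLE)
    for (method, target), n in rejected.items():
        print(f"403 x{n}: {method} {target}")
    for client, method, target, status in leaked:
        print(f"NOT REJECTED ({status}): {client} {method} {target}")
```

An empty second list after the rule is in place means every logged CONNECT and SEARCH request was refused.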
 