Ubuntu server protect from HTTPOXY Vulnerability

The HTTPOXY vulnerability which has been found recently is a vulnerability that affects applications that run in cgi or cgi-like environments. This means that the issue affects almost all web servers including Apache and Nginx and also most PHP applications. Even the mod_php mode on apache is affected

How does HTTPOXY affect my server?
HTTPOXY affects clients that honor the HTTP_PROXY variable and use it for their proxy configuration and server side applications which use HTTP_PROXY as real or emulated variable in their environment. The result of an attack can be traffic that gets proxied by the web application to a target system chosen by the attacker or the application opens outgoing connections to other systems. The vulnerability is easily remotely exploitable and servers can be scanned for it, so it is highly recommended to take actions to close it on your server.

General solution

The recommended solution at the moment is to unset or filter the HTTP_PROXY header variable. This is done in apache with the mod_headers module and this configuration statement:
RequestHeader unset Proxy early

On Nginx you can use this line to unset the HTTP_PROXY variable.
fastcgi_param HTTP_PROXY “”;
The next chapter describes the detailed procedure for different Linux Distributions.

Debian
This chapter describes the configuration to protect Apache and Nginx on Debian 8 (Jessie) and Debian 7 (Wheezy) servers against HTTPOXY. The next steps assume that you are logged in as root user on the shell. If you are logged in under a different user, then use the su command (or sudo if you configured sudo) to become the root user.

Debian 8 (Jessie) with Apache

Enable the apache headers module
a2enmod headers

Add a global configuration file /etc/apache2/conf-available/httpoxy.conf. I will use the nano editor here:
nano /etc/apache2/conf-available/httpoxy.conf

and paste the following content to that file:

RequestHeader unset Proxy early

Save the file. Then enable it in the configuration with the a2enconf command and restart apache.
a2enconf httpoxy
service apache2 restart

Debian 7 (Wheezy) with Apache

Enable the apache headers module:
a2enmod headers

Add a global configuration file /etc/apache2/conf.d/httpoxy.conf. I will use the nano editor here:
nano /etc/apache2/conf.d/httpoxy.conf

and paste the following content to that file:

RequestHeader unset Proxy early

Save the file. Then restart apache.
service apache2 restart

Debian with Nginx

The following command will add a fastcgi_param that sets the HTTP_PROXY variable to an empty string to the /etc/nginx/fastcgi_params file.
echo ‘fastcgi_param HTTP_PROXY “”;’ >> /etc/nginx/fastcgi_params

Then restart nginx to apply the configuration change.
service nginx restart

Ubuntu
This chapter describes the configuration to protect Apache and Nginx on Ubuntu 14.04 – 16.04 servers against HTTPOXY.

Ubuntu with Apache

Enable the apache headers module.
sudo a2enmod headers

Add a global configuration file /etc/apache2/conf-available/httpoxy.conf. I will use the nano editor here:
sudo nano /etc/apache2/conf-available/httpoxy.conf

and paste the following content to that file:

RequestHeader unset Proxy early

Save the file. Then enable it in the configuration with the a2enconf command and restart apache.
sudo a2enconf httpoxy
sudo service apache2 restart

Ubuntu with Nginx

The steps to protect Ubuntu against HTTPOXY are similar to the ones for Debian. We just have to ensure to run the commands with sudo. This echo command will add a fastcgi_param line that sets the HTTP_PROXY variable as an empty string. The file /etc/nginx/fastcgi_params is included into the default @PHP and cgi-bin sections of the nginx vhost files and also in vhosts that get created by ISPConfig. If you added custom vhosts, then checj that they contain “include /etc/nginx/fastcgi_params;” in the config sections for php and other cgi or fastcgi connectors.

Run the following command to add the empty HTTP_PROXY variable.
sudo echo ‘fastcgi_param HTTP_PROXY “”;’ >> /etc/nginx/fastcgi_params

Then restart Nginx to apply the configuration change.
sudo service nginx restart

Test
Finally, you should test if your server is safe now. Luke Rehman has developed a nice online testing tool which can be found here: https://httpoxy.rehmann.co/

Read full post from source: howtoforge.com