如何保护Web服务器免受反向代理服务器的影响
[英]How to protect a web server FROM a reverse proxy server
问题描述
I have a website "www.website.com". 
我有一个网站“www.website.com”。
Recently I found out that somebody has set up a reverse proxy with an almost identical url "www.website1.com" in front of my website. 最近我发现有人在我的网站前设置了一个反向代理,其中有一个几乎相同的网址“www.website1.com”。
I'm concerned of those users who came to my website through that reverse proxy. 我担心那些通过反向代理访问我网站的用户。 Their username and passwords might be logged when they login. 他们登录时可能会记录他们的用户名和密码。
Is there a way for me to have my web server refuse reverse proxy? 有没有办法让我的Web服务器拒绝反向代理?
For example, I've set up a reverse proxy using squid with the url "www.fakestackoverflow.com" in front of "www.stackoverflow.com". 例如,我在“www.stackoverflow.com”前面使用网址“www.fakestackoverflow.com”设置了反向代理。 So whenever I type "www.fakestackoverflow.com" in my web browser address bar, I'll be redirected to "www.stackoverflow.com" by the reverse proxy. 因此,每当我在网络浏览器地址栏中输入“www.fakestackoverflow.com”时,我都会被反向代理重定向到“www.stackoverflow.com”。 Then I notice the url in my address bar changed to "www.stackoverflow.com" indicating that I'm no longer going through the reverse proxy. 然后我注意到我的地址栏中的网址已更改为“www.stackoverflow.com”,表示我不再通过反向代理。
"www.stackoverflow.com" must've detected that I came to the website from another url and then redirected me to the website through the actual url. “www.stackoverflow.com”一定检测到我从另一个网址进入网站,然后通过实际网址将我重定向到网站。
How do I do something like that in ASP.NET web application?
Also asked on server fault . 还询问服务器故障 。
9 个解决方案
解决方案1
11 2010-10-10 06:55:19
First, use JavaScript to sniff document.location.href and match it against your domain: 首先,使用JavaScript来嗅探document.location.href并将其与您的域匹配:
var MyHostName = "www.mydomain.com";
if (0 == document.location.href.indexOf("https://"))
{
MyHostName = "https://" + MyHostName + "/";
if (0 != document.location.href.indexOf(MyHostName)) {
var new_location = document.location.href.replace(/https:\/\/[^\/]+\//, MyHostName);
if(new_location != document.location.href)
document.location.replace(new_location);
}
}
else
{
MyHostName = "http://" + MyHostName + "/";
if (0 != document.location.href.indexOf(MyHostName)) {
var new_location = document.location.href.replace(/http:\/\/[^\/]+\//, MyHostName);
if(new_location != document.location.href)
document.location.replace(new_location);
}
}
Second : write a init script to all your ASP pages to check if the remote user IP address matches the address of the reverse proxy. 第二步 :将init脚本写入所有ASP页面,以检查远程用户IP地址是否与反向代理的地址匹配。 If it matches, redirect to a tinyurl link which redirects back to your real domain. 如果匹配,则重定向到tinyurl链接,该链接重定向回您的真实域。 Use tinyurl or other redirection service to counter reverse proxy's url rewriting. 使用tinyurl或其他重定向服务来反击反向代理的URL重写。
Third : write a scheduled task to do a DNS lookup on the fake domain, and update a configuration file which your init script in step 2 uses. 第三步:编写计划任务以对假域进行DNS查找,并更新步骤2中init脚本使用的配置文件。 Note: Do not do a DNS lookup in your ASP because DNS lookups can stall for 5 seconds. 注意:不要在ASP中进行DNS查找,因为DNS查找可能会停顿5秒钟。 This opens a door for DOS against your site. 这为您的网站打开了一扇门。 Also, don't block solely based on IP address because it's easy to relocate. 此外,不要仅仅基于IP地址阻止,因为它很容易重新定位。
Edit : If you're considered of the proxy operator stealing user passwords and usernames, you should log all users who are served to the proxy's IP address, and disable their accounts. 编辑 :如果您被认为是代理运营商窃取用户密码和用户名,您应该将所有服务的用户记录到代理的IP地址,并禁用他们的帐户。 Then send email to them explaining that they have been victims of a phishing attack via a misspelled domain name, and request them to change their passwords. 然后通过拼写错误的域名向他们发送电子邮件,说明他们是网络钓鱼攻击的受害者,并请求他们更改密码。
解决方案2
1 2010-10-18 03:00:51
If you were to do Authentication over SSL using https://, you can bypass the proxy in most cases. 如果您使用https://进行SSL身份验证,则在大多数情况下可以绕过代理。
You can also look for the X-Forwarded-For header in the incoming request and match it against the suspicious proxy. 您还可以在传入请求中查找X-Forwarded-For标头,并将其与可疑代理进行匹配。
解决方案3
1 2010-10-19 16:51:59
As I see it, your fundamental issue here is that whatever application layer defence measures you put in place to mitigate this attack can be worked around by the attacker, assuming this really is a malicious attack made by a competent adversary. 正如我所看到的,你的基本问题是,无论你采取什么样的应用层防御措施来缓解这种攻击都可以由攻击者解决,假设这确实是由有能力的攻击者进行的恶意攻击。
In my view, you should definitely be using HTTPS, which in principle would allow the user to confirm for sure whether they're talking to the right server, but this relies on the user knowing to check for this. 在我看来,你绝对应该使用HTTPS,原则上它允许用户确认他们是否正在与正确的服务器通话,但这依赖于用户知道检查这一点。 Some browsers these days display extra information in the URL bar about which legal entity owns the SSL certificate, which would help, as it's unlikely an attacker would be able to persuade a legitimate certificate authority to issue a certificate in your name. 有些浏览器现在在URL栏中显示有关哪个法人实体拥有SSL证书的额外信息,这将有所帮助,因为攻击者不太可能说服合法证书颁发机构以您的名义颁发证书。
Some of the other comments here said that HTTPS can be intercepted by intermediate proxy servers, which is not actually true. 这里的一些其他评论说,HTTPS可以被中间代理服务器截获,这实际上并不正确。 With HTTPS, the client issues a CONNECT request to the proxy server, which tunnels all future traffic direct to the origin server, without being able to read any of it. 使用HTTPS,客户端向代理服务器发出CONNECT请求,代理服务器将所有未来流量直接隧道传送到源服务器,而无法读取任何流量服务器。 If we assume that this proxy server is entirely bespoke and malicious, then it can terminate the SSL session and intercept the traffic, but it can only do that with its own SSL certificate, not with yours. 如果我们假设这个代理服务器是完全定制和恶意的,那么它可以终止SSL会话并拦截流量,但它只能使用自己的SSL证书,而不是你的证书。 This certificate will either be self signed (in which case clients will get lots of warning messages) or a genuine certificate issued by a certificate authority, in which case it'll have the wrong legal entity name, and you should be able to go back to the certificate authority, have the cert revoked and potentially ask the police to take action against the owner of the certificate, if you have reasonable suspicion that they are phishing. 此证书将自签名(在这种情况下,客户端将收到大量警告消息)或证书颁发机构颁发的正版证书,在这种情况下,它将具有错误的法人实体名称,您应该能够返回如果您有合理的怀疑他们是网络钓鱼,则向证书颁发机构撤销证书,并可能要求警方对证书的所有者采取行动。
The other thing I can think of which would mitigate this threat to some extent would be to implement one-time password functionality, either using a hardware/software token or using (my personal favorite) an SMS sent to the user's phone when they log in. This wouldn't prevent the attacker getting access to the session once , but should prevent them being able to log in in future. 我能想到的另一个可以在某种程度上缓解这种威胁的方法是实现一次性密码功能,使用硬件/软件令牌或使用(我个人最喜欢的)在用户登录时发送到用户手机的短信这不会阻止攻击者一次访问会话,但是应该阻止他们将来登录。 You could further protect the users by requiring another one time password before allowing them to see/edit particularly sensitive details. 您可以通过要求另一个一次性密码来进一步保护用户,然后再允许他们查看/编辑特别敏感的详细信息。
解决方案4
0 2010-10-10 08:40:07
There's very little you can do to prevent this without causing legitimate proxies (translation, google cache, etc..) from failing. 你可以做很少的事情来防止这种情况,而不会导致合法的代理(翻译,谷歌缓存等)失败。 If you don't care if people use such services, then simply set your web app to always redirect if the base url is not correct. 如果您不关心人们是否使用此类服务,那么只需将您的网络应用程序设置为在基本网址不正确时始终重定向。
There are some steps you can take if you are aware of the proxies, and can find out their IP addresses, but that can change and you would have to stay on top of it. 如果您了解代理,可以采取一些步骤,并且可以找到他们的IP地址,但这可能会发生变化,您必须始终保持最佳状态。 @jmz's answer is quite good in that regard. @ jmz在这方面的答案相当不错。
解决方案5
0 2010-10-11 19:30:15
I have come with an idea, and I think a solution. 我有一个想法,我认为是一个解决方案。
First of all you do not need all page to be overwrite because this way you block other proxies, and other services (like google automatic translate). 首先,您不需要覆盖所有页面,因为这样您可以阻止其他代理和其他服务(如谷歌自动翻译)。
So let say that you won to be absolute sure about the login page . 所以,假设你赢得了对登录页面的绝对肯定 。
So what you do, when a user gets on login.aspx page you make a redirect with the full path of your site again to login.aspx. 那么你做什么,当用户登录login.aspx页面时,你会再次将你网站的完整路径重定向到login.aspx。
if(Not all ready redirect on header / or on parametres from url)
Responce.Redirect("https://www.mysite.com/login.aspx");
This way I do not think that transparent proxy can change the get header and change it. 这样我认为透明代理不能更改get头并更改它。
Also you can log any proxy, and or big requests from some ips and check it. 您还可以记录任何代理,或来自某些ips的大请求并进行检查。 When you found a Fishing site like the one you say you can also report it. 当您找到类似您所说的钓鱼网站时 ,您也可以报告它。
http://www.antiphishing.org/report_phishing.html http://www.antiphishing.org/report_phishing.html
https://submit.symantec.com/antifraud/phish.cgi https://submit.symantec.com/antifraud/phish.cgi
http://www.google.com/safebrowsing/report_phish/ http://www.google.com/safebrowsing/report_phish/
解决方案6
0 2010-10-12 06:39:36
After days of searching and experimenting, I think I've found an explanation to my question. 经过几天的搜索和实验,我想我已经找到了对我的问题的解释。 In my question, I used stackoverflow.com as an example but now I'm going to use whatismyipaddress.com as my example since both exhibit the same behaviour in the sense of url rewriting plus whatismyipaddress.com is able to tell my ip address. 在我的问题中,我使用stackoverflow.com作为示例,但现在我将使用whatismyipaddress.com作为我的示例,因为两者在url重写和plusismyipaddress.com能够告诉我的IP地址的意义上表现出相同的行为。
First, in order to reproduce the behaviour, I visited whatismyipaddress.com and got my ip address, say 111.111.111.111 . 首先,为了重现这种行为,我访问了whatismyipaddress.com并得到了我的IP地址,比如111.111.111.111 。 Then I visited www.whatismyipaddress.com (note the additional www. as its prefix) and the url in my browser's address bar changed back to whatismyipaddress.com discarding the prefix. 然后我访问了www.whatismyipaddress.com (注意附加的www。作为其前缀),浏览器地址栏中的url更改回whatismyipaddress.com,丢弃前缀。 After reading comments from Josh Stodola, it strucked me to prove this point. 在阅读了Josh Stodola的评论后,我突然想到了这一点。
Next, I set up a reverse proxy with the url www.myreverseproxy.com and ip address 222.222.222.222 and I have it performed the two scenarios below: 接下来,我使用网址www.myreverseproxy.com和ip地址222.222.222.222设置了一个反向代理,我让它执行了以下两种方案:
I have the reverse proxy points to whatismyipaddress.com (without the prefix **www. ).
我有反向代理指向whatismyipaddress.com(没有前缀** www。 )。 Then typed www.myreverseproxy.com in my browser's address bar. 然后在浏览器的地址栏中键入www.myreverseproxy.com 。 The reverse proxy then relayed me to whatismyipaddress.com and the url in my address bar didn't change (still showing www.myreverseproxy.com ). 反向代理然后将我转发到whatismyipaddress.com并且我的地址栏中的url没有改变(仍显示www.myreverseproxy.com )。 I further confirmed this by checking the ip address on the webpage which showed 222.222.222.222 (which is the ip address of the reverse proxy). 我通过检查显示222.222.222.222 (这是反向代理的IP地址)的网页上的IP地址进一步证实了这一点。 This means that I'm still viewing the webpage through the reverse proxy and not directly connected to whatismyipaddress.com . 这意味着我仍然通过反向代理查看网页,而不是直接连接到whatismyipaddress.com 。 Then I have the reverse proxy points to www.whatismyipaddress.com (with the prefix wwww. this time).
然后我有反向代理点到www.whatismyipaddress.com (前缀为wwww。这次)。 I visited www.myreverseproxy.com and this time the url in my address bar changed from www.myreverseproxy.com to whatismyipaddress.com . 我参观了www.myreverseproxy.com,这一次在我的地址栏中的网址从www.myreverseproxy.com改为whatismyipaddress.com。 The webpage showed my ip address as 111.111.111.111 (which is the real ip address of my pc). 网页显示我的IP地址为111.111.111.111 (这是我的电脑的真实IP地址)。 This means that I'm no longer viewing the webpage through the reverse proxy and redirected straight to whatismyipaddress.com . 这意味着我不再通过反向代理查看网页并直接重定向到whatismyipaddress.com 。
I think this is some kind of url rewriting trick which Josh Stodola has pointed out. 我认为这是Josh Stodola指出的某种网址重写技巧。 I think I'm gonna read more on this. 我想我会更多地阅读这篇文章。 As to how to protect a server from reverse proxy, the best bet is to use SSL. 至于如何保护服务器免受反向代理,最好的办法是使用SSL。 Encrypted information passing through a proxy will be of no use since it can't be read in plain sight thus preventing eavesdropping and man-in-the-middle attack which what reverse proxy exactly is. 通过代理传递的加密信息将毫无用处,因为它无法在普通视野中读取,因此可以防止窃听和中间人攻击,而逆向代理正是这样。
Safeguarding with javascript though can be seen trivial since javascript can be stripped off easily by a reverse proxy and also prevent other online services like google translate from accessing your website. 使用javascript进行保护可以看作是微不足道的,因为javascript可以通过反向代理轻松剥离,并且还可以阻止谷歌翻译等其他在线服务访问您的网站。
解决方案7
0 2010-10-18 16:29:31
Maybe create a black-list of URLs and compare requests with Response.Referer if the website is on that list then kill the request or do a redirection of your own. 如果网站在该列表上,则可能创建URL的黑名单并将请求与Response.Referer进行比较,然后终止请求或重定向您自己的请求。
The black-list is obviously something you would have to manually update. 黑名单显然是你必须手动更新的东西。
解决方案8
0 2017-09-04 14:04:02
好吧,我已经通过类似的情况,但我设法通过使用另一个指向我原来的转发域克服它,然后检查代码,如果客户端是反向服务器,如果它,我会将它们重定向到我的第二个域将从原文中查看更多信息: http : //alphablog.xyz/your-website-is-being-mirrored-by-someone-else-without-your-knowledge/
解决方案9
-1 2010-10-10 06:52:05
最简单的方法可能是在您的页面上放置一些Javascript代码来检查window.location以查看顶级域名(TLD)是否与您期望的匹配,如果不匹配,则将其替换为您正确的域(导致浏览器重新加载)改为正确的网站)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.