I have an Apache webserver which serves the domain www.mypersonaldomain.com and I found these entries (and more like these) in the access log.

    88.218.227.227 - - [28/May/2021:08:56:29 +0000] "CONNECT minecraft.moin.games.:30003 HTTP/1.1" 302 213
    88.218.227.227 - - [28/May/2021:08:57:03 +0000] "CONNECT minecraft.moin.games.:30003 HTTP/1.1" 302 213
    88.218.227.227 - - [28/May/2021:08:58:19 +0000] "CONNECT minecraft.moin.games.:30003 HTTP/1.1" 302 213
    34.91.147.149 - - [28/May/2021:10:34:44 +0000] "CONNECT play.destanmc.com:25565 HTTP/1.1" 302 210
    34.91.147.149 - - [28/May/2021:10:35:08 +0000] "CONNECT play.destanmc.com:25565 HTTP/1.1" 302 210
    34.91.147.149 - - [28/May/2021:10:35:16 +0000] "CONNECT play.destanmc.com:25565 HTTP/1.1" 302 210
    34.91.147.149 - - [28/May/2021:10:35:46 +0000] "CONNECT play.destanmc.com:25565 HTTP/1.1" 302 210
    194.93.56.130 - - [28/May/2021:16:40:12 +0000] "CONNECT 45.131.0.108:25565 HTTP/1.1" 404 13899
    194.93.56.130 - - [28/May/2021:16:40:32 +0000] "CONNECT 45.131.108.30:25565 HTTP/1.1" 404 13920
    194.163.135.185 - - [28/May/2021:17:52:52 +0000] "CONNECT play.arkflame.com:25566 HTTP/1.1\n" 400 226
    194.163.135.185 - - [28/May/2021:17:52:52 +0000] "CONNECT play.arkflame.com:25566 HTTP/1.1\n" 400 226
    212.47.244.68 - - [28/May/2021:20:14:24 +0000] "CONNECT www.mypersonaldomain.com:443 HTTP/1.1" 302 212
    212.47.244.68 - - [28/May/2021:20:14:24 +0000] "CONNECT www.mypersonaldomain.com:443 HTTP/1.1" 302 212
    212.47.244.68 - - [28/May/2021:20:14:24 +0000] "CONNECT www.mypersonaldomain.com:443 HTTP/1.1" 302 212
    212.47.244.68 - - [28/May/2021:20:14:24 +0000] "CONNECT www.mypersonaldomain.com:443 HTTP/1.1" 302 212
    212.47.244.68 - - [28/May/2021:20:14:24 +0000] "CONNECT www.mypersonaldomain.com:443 HTTP/1.1" 302 212
    212.47.244.68 - - [28/May/2021:20:14:24 +0000] "CONNECT www.mypersonaldomain.com:443 HTTP/1.1" 302 212

The server is built on an AWS Lightsail instance using a Bitnami WordPress stack where the recommended, and the default, configuration is to configure Apache to serve static files (images, CSS, JavaScript and more) and use PHP-FPM with Apache’s mod_proxy module to handle PHP requests.

  1. Do those log entries about the requests with 302 response mean that my server is used as an open proxy?
  2. Why would someone ask my server to CONNECT that way to my domain?
  3. Is there something I can do in order to block redirections and secure my server without disabling mod_proxy?
  4. How could I send CONNECT requests by myself for testing?

  • This is standard internet noise caused by bots scanning for open proxies. Commented May 29, 2021 at 20:31
  • Try to use it as a proxy and verify; these may be an indicator of what you think. Commented May 30, 2021 at 14:30

1 Answer

> Do those entries (...) mean that my server is used as an open proxy?

No, 302 is just the code for "found" or "here is something". The server got a request and logged it.

> Why would someone ask my server to CONNECT that way to my domain?

To find open proxies. There are thousands of services scanning servers like yours. For security or "other" reasons.

> Is there something I can do in order to block redirections

A redirection is a client's thing, your server would have to send a 301 code (for example) to the client.

> ... and secure my server without disabling mod_proxy?

It is always a good practice to disable unused services and modules.

> How could I send CONNECT requests by myself for testing?

You can use curl:

    # --proxytunnel makes curl issue a CONNECT even for an http:// target
    curl --proxytunnel --proxy "http://<YOURSERVER>" "http://<ANOTHERSERVER>"
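
A log triage sketch for the entries in the question, added here as an example and not part of the original question or answer: it parses Apache access-log lines, keeps the CONNECT requests, and separates those answered with a 2xx status (which in HTTP means the tunnel was established) from those the server refused or redirected. The function name `triage_connect`, the `own_hosts` parameter and the two sample lines marked as constructed are assumptions; the other sample lines are copied from the log in the question.

```python
import re
from collections import Counter

# Apache common log format: client ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

def triage_connect(lines, own_hosts):
    """Split CONNECT entries into tunnels the server accepted (2xx) and the rest.

    Each entry is (client, target, status, foreign); foreign is True when the
    requested host is not one of own_hosts (hypothetical parameter).
    """
    accepted, refused = [], Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "CONNECT":
            continue  # ordinary requests and unparsable lines are ignored
        # Drop the port and a trailing root dot before comparing host names.
        host = m["target"].rsplit(":", 1)[0].rstrip(".").lower()
        entry = (m["client"], m["target"], int(m["status"]), host not in own_hosts)
        if 200 <= entry[2] < 300:
            accepted.append(entry)   # a tunnel was opened: investigate
        else:
            refused[entry] += 1      # probe was redirected or rejected
    return accepted, refused

SAMPLE = [
    # Lines copied from the access log in the question.
    r'88.218.227.227 - - [28/May/2021:08:56:29 +0000] "CONNECT minecraft.moin.games.:30003 HTTP/1.1" 302 213',
    r'34.91.147.149 - - [28/May/2021:10:34:44 +0000] "CONNECT play.destanmc.com:25565 HTTP/1.1" 302 210',
    r'194.93.56.130 - - [28/May/2021:16:40:12 +0000] "CONNECT 45.131.0.108:25565 HTTP/1.1" 404 13899',
    r'194.163.135.185 - - [28/May/2021:17:52:52 +0000] "CONNECT play.arkflame.com:25566 HTTP/1.1\n" 400 226',
    r'212.47.244.68 - - [28/May/2021:20:14:24 +0000] "CONNECT www.mypersonaldomain.com:443 HTTP/1.1" 302 212',
    r'212.47.244.68 - - [28/May/2021:20:14:24 +0000] "CONNECT www.mypersonaldomain.com:443 HTTP/1.1" 302 212',
    # Constructed lines (not from the page): an accepted tunnel and a normal GET.
    r'203.0.113.7 - - [28/May/2021:21:00:00 +0000] "CONNECT example.net:443 HTTP/1.1" 200 -',
    r'203.0.113.7 - - [28/May/2021:21:00:05 +0000] "GET / HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    accepted, refused = triage_connect(SAMPLE, {"www.mypersonaldomain.com"})
    for client, target, status, foreign in accepted:
        print(f"ACCEPTED {client} -> {target} ({status}) foreign={foreign}")
    for (client, target, status, foreign), n in refused.items():
        print(f"refused  {client} -> {target} ({status}) x{n}")
```

On the lines copied from the question, every CONNECT lands in the refused bucket; only the constructed 200 line is reported as an accepted tunnel.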
