Only a quick update today on how to mitigate the httpoxy vulnerability using the Pound reverse proxy. It is fairly easy, but you will have to be aware of the caveats. Props to Dominic Scheirlinck for the great write-up!

The vulnerability can be exploited by sending an HTTP request that has the Proxy header (rarely used in practice) set. We will remove this header using Pound, preventing the attack by not letting it reach the web application at all.

Mitigation:

  1. Add the line below to the ListenHTTP section of your pound.conf file:

        HeadRemove "^Proxy"

example pound.conf:

##################################################
ListenHTTP  
        ## Listen on all IP addresses
        Address 0.0.0.0
        ## Listen on port 80
        Port 80

        ## Remove the "X-Forwarded-For" header if it is there.
        ## Prevents multiple comma-separated IP addresses from showing up in the logs.
        HeadRemove "X-Forwarded-For"

        ## Remove the "Proxy" header to mitigate httpoxy vulnerability
        ## https://httpoxy.org/
        HeadRemove "^Proxy"
        ## one.example.com
        Service
                ## Require the header to match the pattern
                HeadRequire "Host: .*one.example.com.*"
                ## Redirect to HTTPS
                Redirect "https://one.example.com"
        End
End  
##################################################
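To see what the HeadRemove line actually buys you, here is an added example (not part of the original post or of Pound) that models the two sides of the problem: the RFC 3875 CGI mapping that turns a "Proxy:" request header into the HTTP_PROXY environment variable, and a Pound-style HeadRemove pass over a constructed request using the two patterns from the pound.conf above. It assumes Pound matches HeadRemove patterns case-insensitively against the raw "Name: value" line; the header values are constructed sample data.

```python
import re
from typing import Dict, List

# Patterns taken from the pound.conf above. Pound matches each pattern against the
# raw "Name: value" header line; case-insensitive matching is assumed here, which
# is also what HTTP requires since header names are case-insensitive.
HEAD_REMOVE_PATTERNS = ["X-Forwarded-For", "^Proxy"]


def head_remove(headers: List[str], patterns: List[str] = HEAD_REMOVE_PATTERNS) -> List[str]:
    """Drop every header line that matches any HeadRemove pattern (model of Pound's behaviour)."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return [line for line in headers if not any(rx.search(line) for rx in compiled)]


def cgi_environ(headers: List[str]) -> Dict[str, str]:
    """RFC 3875 meta-variable mapping: "Proxy: x" becomes HTTP_PROXY=x.

    This collision with the HTTP_PROXY variable that many HTTP client libraries
    honour is the root cause of httpoxy.
    """
    env: Dict[str, str] = {}
    for line in headers:
        name, _, value = line.partition(":")
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value.strip()
    return env


# Constructed request headers (sample data, not captured traffic).
CONSTRUCTED_REQUEST_HEADERS = [
    "Host: one.example.com",
    "User-Agent: example-client/1.0",
    "Proxy: http://proxy.invalid:8080",
    "X-Forwarded-For: 203.0.113.5",
]


def backend_env_direct() -> Dict[str, str]:
    """What a CGI backend sees when clients reach it without Pound in the path."""
    return cgi_environ(CONSTRUCTED_REQUEST_HEADERS)


def backend_env_behind_pound() -> Dict[str, str]:
    """What the same backend sees after Pound has applied the HeadRemove lines."""
    return cgi_environ(head_remove(CONSTRUCTED_REQUEST_HEADERS))


if __name__ == "__main__":
    print("direct HTTP_PROXY      :", backend_env_direct().get("HTTP_PROXY"))
    print("behind Pound HTTP_PROXY:", backend_env_behind_pound().get("HTTP_PROXY"))
```

Because "^Proxy" is anchored only at the start, it also strips any other header whose name begins with Proxy (for example Proxy-Authorization); narrow the pattern if a backend relies on such a header.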

Caveats:

  1. Educate yourself on httpoxy here and/or here
  2. This is a mitigation, not a fix -> Fix those applications
  3. If any clients are routed to the web application directly via HTTP (that is, not via the Pound reverse proxy), this mitigation is useless.
  4. HTTPS-only applications are not affected -> Switch to HTTPS already! It's free.