A quick block for httpoxy (https://httpoxy.org/) using the Apache headers module. First make sure the headers module is enabled.

Code:
# a2enmod headers
Module headers already enabled

If instead that says 'Enabling module headers.' then be aware you can affect existing websites, e.g. sites may have .htaccess files with Header statements that were not previously in effect.

With the headers module enabled, create a server-wide config file (this works on Debian jessie, just adjust the conf file location for other OS):

Code:
# cat > /etc/apache2/conf-available/httpoxy.conf <<EOF
# block httpoxy - https://httpoxy.org/
<IfModule mod_headers.c>
RequestHeader unset Proxy early
</IfModule>
EOF
# a2enconf httpoxy
# service apache2 reload

Or if you prefer the webserver to crash if the headers module is not enabled as a failsafe, just remove the <IfModule> tags.

I tested an ISPConfig box here and it was vulnerable prior to this, but not afterwards.
For Nginx servers, use these two commands:

Code:
echo 'fastcgi_param HTTP_PROXY "";' >> /etc/nginx/fastcgi_params
service nginx restart
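
A config check for both mitigations in this thread, as an added example that is not part of the original posts: it looks for an active `RequestHeader unset Proxy` line in Apache config files and an empty `HTTP_PROXY` `fastcgi_param` in nginx files, and appends the nginx line only when it is missing so repeated runs do not duplicate it. The function names and the command-line form are made up for this example.

```shell
#!/bin/sh
# Added example: audit config files for the httpoxy mitigations described above.
# File paths are supplied by the caller; function names are hypothetical.

# Print the active lines of the given files: leading whitespace stripped,
# comment lines and blank lines dropped.
active_lines() {
    [ $# -gt 0 ] || return 1
    cat -- "$@" 2>/dev/null | sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d'
}

# Apache: succeed if an uncommented "RequestHeader unset Proxy" is present.
# Matching is case-insensitive, as Apache directive and header names are.
apache_httpoxy_ok() {
    active_lines "$@" |
        grep -Eiq '^RequestHeader[[:space:]]+unset[[:space:]]+"?Proxy"?([[:space:]]|$)'
}

# nginx: succeed if HTTP_PROXY is passed to FastCGI as an empty string
# (written either as "" or as '').
nginx_httpoxy_ok() {
    empty="(\"\"|'')"
    active_lines "$@" |
        grep -Eq "^fastcgi_param[[:space:]]+HTTP_PROXY[[:space:]]+${empty}[[:space:]]*;"
}

# nginx: append the line from the post above, but only if it is not already
# active in the file, so the command is safe to run more than once.
nginx_httpoxy_apply() {
    nginx_httpoxy_ok "$1" && return 0
    printf '%s\n' 'fastcgi_param HTTP_PROXY "";' >> "$1"
}

# Direct use: SCRIPT apache FILE...   or   SCRIPT nginx FILE...
case "${1:-}" in
    apache) shift; apache_httpoxy_ok "$@" && echo "apache: Proxy header is unset" ;;
    nginx)  shift; nginx_httpoxy_ok "$@" && echo "nginx: HTTP_PROXY is emptied" ;;
esac
```

The check only reads the files it is given, so point it at the files the running server actually loads (for Apache, the enabled copy of the conf rather than only conf-available).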