
Here is a quickly-hacked-together set of patches for mod_proxy as found in OpenBSD 3.6's httpd.
This modified proxy supports basic anonymising of content by removing User-Agent, Referer, and Accept HTTP headers by default.

This patch applies cleanly to the stock 1.3.34 Apache httpd source and has been tested under Solaris 8/Sparc in addition to an x86 OpenBSD 3.6 environment.

Configuration Directives

By default, this patch will scrub all Referer and User-Agent headers from HTTP requests passing through the Apache proxy, in addition to any header beginning with 'Accept-'.

The patch introduces three new configuration directives, AllowReferer, AllowUserAgent, and AllowAccept, which allow the administrator to whitelist sites that require this information.

These are used as in the simple example below, and are similar in syntax to the NoCache directive supplied with stock Apache.

   <IfModule mod_proxy.c>

   # Allow this domain to receive User Agent header
   AllowUserAgent  .grok.org.uk

   # Allow this host to receive Referer header
   AllowReferer  198.175.9.70

   # Allow Accept- style headers for all hosts
   AllowAccept  *

   # Recommended
   ProxyVia  block
   </IfModule>
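
The scrub-or-forward decision implied by the configuration above, as an added C example; it is not code from the patch. The function names and the matching rules ("*" matches any host, a leading dot matches a domain suffix, anything else matches exactly) are assumptions, since the patch's own matching code is not shown here.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Allow-lists mirroring the example configuration; `none` is the default. */
static const char *allow_ua[]     = { ".grok.org.uk", NULL };
static const char *allow_ref[]    = { "198.175.9.70", NULL };
static const char *allow_accept[] = { "*", NULL };
static const char *none[]         = { NULL };

/* Assumed matching: "*" = any host, leading '.' = domain suffix, else exact. */
static int host_listed(const char *host, const char **list)
{
    size_t hl = strlen(host);
    for (; *list != NULL; list++) {
        size_t el = strlen(*list);
        if (strcmp(*list, "*") == 0)
            return 1;
        if ((*list)[0] == '.') {
            if (hl >= el && strcasecmp(host + hl - el, *list) == 0)
                return 1;
        } else if (strcasecmp(host, *list) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Returns 1 to forward the request header to `host`, 0 to scrub it. */
int forward_header(const char *name, const char *host, const char **ua,
                   const char **ref, const char **acc)
{
    if (strcasecmp(name, "User-Agent") == 0)
        return host_listed(host, ua);
    if (strcasecmp(name, "Referer") == 0)
        return host_listed(host, ref);
    if (strncasecmp(name, "Accept-", 7) == 0)   /* prefix given on the page */
        return host_listed(host, acc);
    return 1;                                   /* other headers untouched */
}

int main(void)
{
    const char *hdrs[] = { "User-Agent", "Referer", "Accept-Language", "Host" };
    for (size_t i = 0; i < 4; i++)   /* 1 = forward, 0 = scrub; constructed host */
        printf("%-16s default=%d configured=%d\n", hdrs[i],
               forward_header(hdrs[i], "www.example.net", none, none, none),
               forward_header(hdrs[i], "www.example.net", allow_ua,
                              allow_ref, allow_accept));
    return 0;
}
```

Under the suffix rule assumed here, a lookalike host such as grok.org.uk.example.net does not receive the User-Agent header; a substring comparison would let it through.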

Patch files:

mod_proxy.c.patch [ MD5 checksum | PGP signature ]
Introduces code to handle patch-specific configuration variables.

mod_proxy.h.patch [ MD5 checksum | PGP signature ]
Defines new structures needed to handle patch functionality.

proxy_http.c.patch [ MD5 checksum | PGP signature ]
Implements per-connection scrubbing of HTTP requests.

This code has not yet been thoroughly tested! Please send feedback to <johnc@grok.org.uk> ...
NOTE: Only HTTP requests are currently inspected.