Apache mod_proxy Anonymity Patches
A small set of patches to add basic HTTP header anonymisation support to Apache’s mod_proxy.
Here is a quickly hacked-together set of patches for mod_proxy as found in OpenBSD 3.6’s httpd. This modified proxy supports basic anonymising of content by removing User-Agent, Referer, and Accept HTTP headers by default.
This patch applies cleanly to the stock Apache 1.3.34 source and has been tested under Solaris 8 (SPARC) as well as OpenBSD 3.6 on x86.
Configuration Directives
By default, the patch scrubs all Referer and User-Agent headers from HTTP requests passing through the Apache proxy, in addition to any header beginning with Accept-.
Three new configuration directives are introduced: AllowReferer, AllowUserAgent, and AllowAccept. These allow the administrator to whitelist sites that require this information.
The syntax is similar to the standard Apache NoCache directive. A simple example is shown below:
    <IfModule mod_proxy.c>
        # Allow this domain to receive User-Agent header
        AllowUserAgent .grok.org.uk

        # Allow this host to receive Referer header
        AllowReferer 198.175.9.70

        # Allow Accept-* headers for all hosts
        AllowAccept *

        # Recommended
        ProxyVia block
    </IfModule>
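The scrub-by-default policy and the three allow lists described above, modelled as an added example (this is not code from the patch). The matching rules are an assumption, since the page says only that the syntax resembles NoCache; allow_lists, host_allowed and forward_header are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Hypothetical model of the policy described above; not the patch's code. */
struct allow_lists {            /* each list is NULL-terminated, or NULL */
    const char **referer, **user_agent, **accept;
};

/* Assumed matching rules: "*" matches every host, an entry with a leading
 * dot matches as a domain suffix, anything else must equal the host or IP. */
static int host_allowed(const char **list, const char *host)
{
    size_t hl = strlen(host);
    for (; list && *list; list++) {
        size_t el = strlen(*list);
        if (strcmp(*list, "*") == 0) return 1;
        if ((*list)[0] == '.' && hl > el && !strcasecmp(host + hl - el, *list))
            return 1;
        if (!strcasecmp(host, *list)) return 1;
    }
    return 0;
}

/* Returns 1 if header `name` is forwarded to `host`, 0 if it is scrubbed. */
int forward_header(const struct allow_lists *al, const char *host, const char *name)
{
    if (!strcasecmp(name, "Referer"))    return host_allowed(al->referer, host);
    if (!strcasecmp(name, "User-Agent")) return host_allowed(al->user_agent, host);
    /* Assumption: bare "Accept" is covered along with the Accept-* family. */
    if (!strcasecmp(name, "Accept") || !strncasecmp(name, "Accept-", 7))
        return host_allowed(al->accept, host);
    return 1;                            /* other headers pass through */
}
/* The allow lists from the configuration example above. */
static const char *ref_list[] = { "198.175.9.70", NULL };
static const char *ua_list[]  = { ".grok.org.uk", NULL };
static const char *acc_list[] = { "*", NULL };
static const struct allow_lists sample = { ref_list, ua_list, acc_list };

int main(void)
{
    const char *hosts[] = { "www.grok.org.uk", "198.175.9.70", "example.org" };
    const char *hdrs[]  = { "Referer", "User-Agent", "Accept-Language", "Host" };
    for (int i = 0; i < 3; i++)
        for (int j = 0; j < 4; j++)
            printf("%-16s %-16s %s\n", hosts[i], hdrs[j],
                   forward_header(&sample, hosts[i], hdrs[j]) ? "forward" : "scrub");
    return 0;
}
```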
Patch Files
mod_proxy.c.patch [MD5 checksum | PGP signature]
Introduces code to handle patch-specific configuration variables.
mod_proxy.h.patch [MD5 checksum | PGP signature]
Defines new structures needed to handle patch functionality.
proxy_http.c.patch [MD5 checksum | PGP signature]
Implements per-connection scrubbing of HTTP requests.
Note: This code has not been thoroughly tested. Only HTTP requests are currently inspected.
John Cartwright <johnc@grok.org.uk>