httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict: RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY HTTP_PROXY is a popular environment variable used to configure an outgoing proxy.
:: Microsoft IIS with PHP or a CGI framework :: :: For detailed information about mitigating httpoxy on IIS, you should head to the :: official Microsoft article KB3179800, which covers the below mitigations in :: greater detail. :: :: Also important to know: httpoxy does not affect any Microsoft Web Frameworks, :: e.g. not ASP.NET nor Active Server Pages. But if you have installed PHP or any :: other third party framework on top of IIS, we recommend applying mitigation :: steps to protect from httpoxy attacks. You can either block requests containing :: a Proxy header, or clear the header. (The header is safe to block, because :: browsers will not generally send it at all). :: :: To block requests that contain a Proxy header (the preferred solution), run the :: following command line. %systemroot%\system32\inetsrv\appcmd set config /section:requestfiltering /+requestlimits.headerLimits.[header='proxy',sizelimit='0']