Re: [PATCH] no_append_domain_localhost.patch

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 13 Dec 2001 20:29:49 +0100

Note:

For security reasons, a distributed squid.conf should deny access to
localhost, at least from anywhere else than localhost. This is to ensure
users cannot bounce via the proxy to access services bound to localhost
on the proxy server.

The distributed squid.conf.default does not deny access to localhost as
doing so requires DNS lookups and not all uses of Squid have DNS access,
but we do have the following lines:

acl to_localhost dst 127.0.0.0/8
[..]
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend to uncomment the following to protect innocent
# web applications running on the proxy server who think that the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# And finally deny all other access to this proxy
http_access deny all

Regards
Henrik

Miquel van Smoorenburg wrote:
>
> According to Henrik Nordstrom:
> > Miquel van Smoorenburg wrote:
> > > Ignore append_domain setting for the string "localhost".
> > Why?
>
> So you can browse http://localhost/ through a browser.
>
> Strange as it may seem, many people run squid on their personal
> workstation because its caching is much more efficient than the
> mozilla/netscape builtin cache, and memory is cheap these days.
> I do - it really makes a difference behind a 64kbit ISDN line.
>
> And if you have append_domain set http://localhost/
> doesn't work anymore.
>
> > Anyway, my general opinion is that append_domain should be completely
> > ripped out, replaced by a proper DNS search algorithm returning a
> > browser redirect when a FQDN is found for the requested name.
>
> I agree, it's just that this has been in the Debian squid package
> for some time since somebody had a real-life situation in which
> this was a problem.
>
> If you think it doesn't belong in squid I'll just keep it
> as a debian-specific patch until the above gets implemented in
> squid 2.6 or so ;)
>
> Mike.
> --
> I used to drive a Heisenberg mobile but every time I looked at the
> speedometer - I got lost!
Received on Thu Dec 13 2001 - 12:32:03 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:40 MST
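The access-control point in Henrik's note (a client on the LAN bouncing through the proxy to a service bound to 127.0.0.1, and what the commented-out `http_access deny to_localhost` line changes) can be shown with a small first-match evaluator for the `acl` / `http_access` directives. The following is an added example, not code from the Squid project or from either mail; it models only the `src`, `dst`, `port` and `method` ACL types, assumes the destination hostname has already been resolved to an IP (the DNS dependency the note mentions is outside the model), and the LAN range, the TEST-NET-3 destination and the `deny to_localhost !localhost` variant are constructed assumptions for illustration.

```python
# Added example (not from the Squid project or the mail above): a deliberately
# simplified first-match evaluator for squid.conf "acl" / "http_access" lines,
# used to show what the commented-out "http_access deny to_localhost" changes.
# Only src, dst, port and method ACL types are modelled, and the destination is
# assumed to be an already-resolved IP address.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src: str      # client IP address
    dst: str      # destination IP (hostname already resolved; assumption)
    port: int     # destination TCP port
    method: str   # HTTP method, e.g. GET or CONNECT


def parse_config(text):
    """Return ({acl_name: (type, values)}, [(action, [(negated, acl_name), ...])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment, as in squid.conf
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            existing_type, existing = acls.setdefault(name, (acl_type, []))
            if existing_type != acl_type:
                raise ValueError(f"acl {name} redefined with a different type")
            existing.extend(values)
        elif parts[0] == "http_access":
            action, terms = parts[1], parts[2:]
            if action not in ("allow", "deny"):
                raise ValueError(f"bad http_access action: {action}")
            rules.append((action, [(t.startswith("!"), t.lstrip("!")) for t in terms]))
    return acls, rules


def acl_matches(acls, name, req):
    acl_type, values = acls[name]
    if acl_type in ("src", "dst"):
        addr = ipaddress.ip_address(req.src if acl_type == "src" else req.dst)
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "port":
        for v in values:
            lo, _, hi = v.partition("-")   # a single port or a lo-hi range
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if acl_type == "method":
        return req.method.upper() in {v.upper() for v in values}
    raise ValueError(f"unsupported acl type {acl_type}")


def decide(config, req):
    """First matching http_access line wins; every term on that line must match."""
    acls, rules = parse_config(config)
    for action, terms in rules:
        if all(acl_matches(acls, name, req) != negated for negated, name in terms):
            return action
    # No line matched: squid applies the opposite of the last http_access line.
    return "deny" if rules[-1][0] == "allow" else "allow"


def build_config(localhost_rule):
    # Constructed config modelled on the fragment quoted in the mail; the LAN
    # range and the localhost_rule slot are assumptions for this example.
    return f"""
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl our_lan src 192.168.1.0/24
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
{localhost_rule}
http_access allow our_lan
http_access allow localhost
http_access deny all
"""


WEAK = build_config("#http_access deny to_localhost")        # as shipped: commented out
HARDENED = build_config("http_access deny to_localhost")      # the recommended line uncommented
LOCAL_ONLY = build_config("http_access deny to_localhost !localhost")  # assumed variant: block non-local clients only

# Constructed requests; 203.0.113.5 is a TEST-NET-3 documentation address.
REQUESTS = {
    "lan_to_loopback": Request("192.168.1.10", "127.0.0.1", 8080, "GET"),  # the bounce the note warns about
    "local_to_loopback": Request("127.0.0.1", "127.0.0.1", 80, "GET"),     # browsing http://localhost/ locally
    "lan_to_web": Request("192.168.1.10", "203.0.113.5", 80, "GET"),       # ordinary browsing
    "lan_connect_smtp": Request("192.168.1.10", "203.0.113.5", 25, "CONNECT"),
    "outsider": Request("10.0.0.7", "203.0.113.5", 80, "GET"),
}


def compare(req):
    """Decision for the same request under each of the three configs."""
    return {n: decide(c, req) for n, c in (("weak", WEAK), ("hardened", HARDENED), ("local_only", LOCAL_ONLY))}


if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(f"{name:18} {compare(req)}")
```

Running it shows the LAN client reaching 127.0.0.1 through the proxy under the shipped config, and denied once the line is uncommented; it also shows why rule order matters for the workstation case in Miquel's mail: a bare `deny to_localhost` placed before `allow localhost` blocks the local user too, whereas the `!localhost` variant keeps http://localhost/ working for a client on the proxy host while still stopping the bounce from the LAN.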