Re: /bzr/squid3/trunk/ r9907: Add 0.0.0.0 as an to_localhost address

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 16 Aug 2009 19:17:30 +1200

Henrik Nordstrom wrote:
> On Sun 2009-08-16 at 18:20 +1200, Amos Jeffries wrote:
>> Henrik Nordstrom wrote:
>>> ------------------------------------------------------------
>>> revno: 9907
>>> committer: Henrik Nordstrom <henrik_at_henriknordstrom.net>
>>> branch nick: trunk
>>> timestamp: Sat 2009-08-15 14:56:39 +0200
>>> message:
>>> Add 0.0.0.0 as an to_localhost address
>>>
>>> Many TCP/IP(v4) stacks alias 0.0.0.0 to 127.0.0.1.
>>> modified:
>>> src/cf.data.pre
>>>
>> Can you clue me in on this one please Henrik?
>
> See the note next to where to_localhost is used:
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
>> Why/what broken remote external clients are sending the reserved
>> ANY_ADDR as the public global-scope destination? This seems to me akin
>> to connecting to a remote server's port 0.
>
> Any client requesting a host that resolves to 0.0.0.0 or that IP
> explicitly.
>
>> Side-note: How can we expect wildcard port bindings to work on those
>> machines when the ANY_ADDR (wildcard) IP is aliased to localhost-only?
>
> Not sure what you see as a problem.
>
> connect(0.0.0.0:80)
> and
> connect(127.0.0.1:80)
>
> is the same thing on many OSes for stupid historic reasons.

Aha. Just connect() then? Not really bind() or listen()?

I'm thinking that aliasing has already been done before Squid gets such
packets at the 'other end'. So that we only see the real localhost IP if
it's intercepted. Right?

Problem might be DNS on forward proxy traffic, but that's validated out
of existence to an NXDOMAIN.

Leaving only hosts file entries. I know 0.0.0.0 is used to boganize
domain names at times. Because it doesn't resolve!

>
> and this acl is for blocking clients trying to make the proxy connect to
> 127.0.0.1.

Ah, in the last year or so of checking people's configs I've seen that
ACL used more for _allowing_ localhost access. For example, to allow
public access to squid-cgi, apache, or other squid agents on the same server.

For the intended use of the ACL as you highlight, yes I agree it's a
good change. It may not be good for the reality situation though.

What about a bogons ACL for less confusion?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
   Current Beta Squid 3.1.0.13
Received on Sun Aug 16 2009 - 07:17:38 MDT

This archive was generated by hypermail 2.2.0 : Sun Aug 16 2009 - 12:00:08 MDT
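The following is an added illustration, not code from Squid or from either poster, of the destination check the thread is arguing about: a to_localhost-style ACL that treats 0.0.0.0 like 127.0.0.1, applied to three ways a request destination can come in (an IP literal, a name resolved through a hosts-file entry, or a name that does not resolve). The address list mirrors an ACL line of the form `acl to_localhost dst 127.0.0.0/8 0.0.0.0/32` (assumed shape; the page only shows the `http_access deny to_localhost` comment). The hosts table, the hostnames, the IPv6 entries (::1 and IPv4-mapped addresses) and the function names are all constructed for this example; the thread itself only discusses IPv4.

```python
import ipaddress
from typing import Dict, List, Optional

# Destinations the ACL treats as "localhost". 0.0.0.0/32 is on the list
# because, as the thread notes, connect(0.0.0.0:port) reaches the local
# machine on many IPv4 stacks. ::1 is an added assumption for IPv6 loopback.
TO_LOCALHOST_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/32"),
    ipaddress.ip_network("::1/128"),
]

# Constructed stand-in for /etc/hosts, so the example runs offline.
# "ads.example" models the trick Amos mentions: pointing a name at 0.0.0.0
# to make it effectively unreachable.
HOSTS: Dict[str, List[str]] = {
    "ads.example": ["0.0.0.0"],
    "www.example": ["192.0.2.10"],
    "cache-admin.example": ["127.0.0.1"],
}


def normalize(addr: ipaddress._BaseAddress) -> ipaddress._BaseAddress:
    """Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it hits the IPv4 ranges."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def resolve(host: str, hosts: Dict[str, List[str]] = HOSTS) -> Optional[List[ipaddress._BaseAddress]]:
    """Return the destination addresses for a request host.

    An IP literal (optionally bracketed, as in http://[::1]/) resolves to
    itself; a name is looked up in the constructed hosts table; anything
    else is NXDOMAIN, returned as None.
    """
    literal = host.strip("[]")
    try:
        return [ipaddress.ip_address(literal)]
    except ValueError:
        pass
    if host in hosts:
        return [ipaddress.ip_address(a) for a in hosts[host]]
    return None


def matches_to_localhost(addrs: List[ipaddress._BaseAddress]) -> bool:
    """A dst ACL matches if *any* resolved address falls in a listed range."""
    return any(normalize(a) in net for a in addrs for net in TO_LOCALHOST_NETS)


def decide(request_host: str, hosts: Dict[str, List[str]] = HOSTS) -> str:
    """Model 'http_access deny to_localhost' for one request destination.

    Returns "NXDOMAIN" when the name does not resolve (Squid never gets as
    far as connecting), "DENY" when the destination matches the ACL, and
    "ALLOW" otherwise.
    """
    addrs = resolve(request_host, hosts)
    if addrs is None:
        return "NXDOMAIN"
    if matches_to_localhost(addrs):
        return "DENY"
    return "ALLOW"


if __name__ == "__main__":
    for h in ["127.0.0.1", "0.0.0.0", "ads.example", "www.example",
              "[::ffff:127.0.0.1]", "nosuch.example"]:
        print(f"{h:22} -> {decide(h)}")
```

The mapped-address unwrap in `normalize` is the check a practitioner would want on a dual-stack proxy: without it, a request for `[::ffff:127.0.0.1]` slips past an ACL that lists only 127.0.0.0/8. The `ads.example` row shows the side effect Amos raises: once 0.0.0.0 is in the list, a name deliberately pointed at 0.0.0.0 in a hosts file is denied by the same rule that protects real loopback services, which is harmless when the ACL is used as a deny rule but surprising when someone has used to_localhost to allow traffic.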