canonical fqdn & proxy hacking

From: Laurent FACQ <>
Date: Wed, 6 Nov 96 15:57:36 WET

        * Using squid 1.1.beta10, i found that url like
        and ^^^

        (with or without a final point) was considered different

        i think it could be a good thing to choose one form and
        convert all url to that form.


        * To prevent hackers to trick our cache to connect on
        unwanted service ports (especially for the gopher case)
        i've set up this (laborious) rule :

        acl badports url_regex ^[a-z]+://[^:/]+:(0.*|[0-9]|[01234569][0-9]|[0-9][0-9][0-9]|10[012][0-9]|6[0-9][0-9][0-9][0-9].*)[^0-9]

        http_access deny badports

        -> this prevent connection on reserved ports except ports from 70 to 89
        -> 0.* should not be necessary because it seems that heading 0 are removed from port num.
        -> ports over 60000 (should be 65535 but...) are blocked (to avoid wrap around)

        I think this is not an optimal way of doing it, but it's first a step.

        May be this problem could be adressed by a specific configuration option
        to avoid this slow and awfull regex matching.

        comments welcome !


Laurent FACQ - ( - Reseau REAUMUR / Bordeaux
Received on Wed Nov 06 1996 - 07:01:24 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:33:29 MST