[squid-users] Transparent proxy - security hole?

From: Michael Carmack <karmak@dont-contact.us>
Date: Tue, 13 Nov 2001 19:49:01 +0000

Would someone mind explaining the security hole that's mentioned in
squid.conf under the httpd_accel_uses_host_header tag? I've set up a
transparent proxy on a machine that is currently acting as a router
and a webserver for my home network, but the bit about "it opens a big
security hole" is causing a bit of concern.

FWIW, I do _not_ wish to cache outgoing data from the local webserver;
I only intend for Squid to be used to cache incoming data. The parameters
as I've set them are:

http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

This is on Linux 2.4, using iptables to redirect incoming port 80 requests
to the Squid port. I'm not entirely clear on why I need to turn on the
httpd accelerator options, as I do not wish to cache outgoing data, but
they certainly seem to be necessary. Without them, transparent proxying
simply doesn't work.

So I suppose that's two questions:

(1) What exactly is the security hole, and is it something I need be
concerned with given this scenario?

(2) Why do I need to run in accelerator mode at all?

And here's a third question for good measure :)

(3) Is it possible to set up a transparent proxy on a _single_ machine?
That is, in addition to having a cache running on the router, is it
possible to run Squid transparently on my workstation? On the router,
the iptables command looks like:

    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
             -j REDIRECT --to-port 3128

My original (naive) approach was to do the following on the workstation:

    iptables -t nat -A OUTPUT -p tcp --dport 80 \
             -j REDIRECT --to-port 3128

But of course that just creates a loop :) So is there some other magic
one can perform to accomplish this?

Received on Tue Nov 13 2001 - 12:49:03 MST
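Added example for questions (1) and (2), not code from Squid or from the poster. It models what an intercepting Squid 2.x does when it rebuilds the request URL (which is also its cache key): with httpd_accel_uses_host_header on, the authority comes from the client-supplied Host header and Squid does not check it, so a client connected to one server can have that server's reply stored under a URL naming a different host and served to other clients from cache; with it off, every virtual host on one address collapses into a single URL, which is why the option is needed for virtual-hosted sites. The host_header_is_consistent check is the defender's fix (later Squid releases perform a comparable check themselves); FAKE_DNS, the host names and the requests are constructed for the demonstration.

```python
"""
Added example (not Squid's own code): a model of how an intercepting Squid 2.x
reconstructs the request URL, and the Host-header consistency check that the
squid.conf warning is about. The resolver table and requests are constructed.
"""
import ipaddress

# Constructed stand-in for DNS: the addresses each name legitimately resolves to.
# www and shop are virtual hosts sharing one web server address.
FAKE_DNS = {
    "www.example.com": {"192.0.2.10"},
    "shop.example.com": {"192.0.2.10"},
    "intranet.example.net": {"10.0.0.5"},
}


def rebuild_url(dest_ip, dest_port, path, host_header, uses_host_header):
    """URL an intercepting Squid reconstructs and uses as its cache key.

    uses_host_header on:  authority is the client-supplied Host header, unverified.
    uses_host_header off: authority is the original TCP destination, so all
    virtual hosts on one address collapse into the same URL.
    """
    if uses_host_header and host_header:
        authority = host_header
    elif dest_port == 80:
        authority = dest_ip
    else:
        authority = f"{dest_ip}:{dest_port}"
    return f"http://{authority}{path}"


def host_header_is_consistent(dest_ip, dest_port, host_header, resolver=FAKE_DNS):
    """True when the Host header names the server the client actually connected
    to: same port, and a name that resolves to (or literally equals) dest_ip.
    This is the check Squid 2.x does not perform."""
    if not host_header:
        return False
    name, sep, port = host_header.rpartition(":")
    if not sep:                      # no explicit port in the Host header
        name, port = host_header, "80"
    if not port.isdigit() or int(port) != dest_port:
        return False
    name = name.lower().rstrip(".")
    try:                             # Host given as a literal IPv4 address
        return ipaddress.ip_address(name) == ipaddress.ip_address(dest_ip)
    except ValueError:
        pass
    return dest_ip in resolver.get(name, set())


def decide(dest_ip, dest_port, path, host_header, resolver=FAKE_DNS):
    """Policy for one intercepted request: returns (url, action).

    'cache'  - Host agrees with the destination; safe to cache under that URL.
    'reject' - Host names some other server; storing this reply under that URL
               would let one client decide what every other client is served.
    """
    url = rebuild_url(dest_ip, dest_port, path, host_header, True)
    if host_header_is_consistent(dest_ip, dest_port, host_header, resolver):
        return url, "cache"
    return url, "reject"


if __name__ == "__main__":
    # Constructed intercepted requests: (original dest IP, dest port, path, Host)
    requests = [
        ("192.0.2.10", 80, "/", "www.example.com"),
        ("192.0.2.10", 80, "/", "shop.example.com"),
        ("192.0.2.10", 80, "/", "intranet.example.net"),  # Host disagrees with dest
    ]
    for dest_ip, dest_port, path, host in requests:
        off = rebuild_url(dest_ip, dest_port, path, host, False)
        url, action = decide(dest_ip, dest_port, path, host)
        print(f"Host: {host:22} off-> {off:24} on-> {url:32} {action}")
```

Running it shows the two sides of the trade-off: with the option off, www and shop both become http://192.0.2.10/ and would share one cache entry; with it on, the cache key follows the Host header, and only the consistency check stops the third request from being stored under a URL for a server the client never reached.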
