[squid-users] Re: Proxy Security Issue

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 29 Jan 2002 20:55:29 +0100

From your post it is unclear if you are using Squid as a normal proxy
or as a reverse-proxy/accelerator. But from the fact that you mention
httpd_accel_with_proxy I assume it is a reverse-proxy.

If you enable httpd_accel_with_proxy then Squid will act as a proxy,
and it is then important that you configure proper access controls to
limit who may access what, as is also the case if you enable
httpd_accel_uses_host_header.

In fact, any configuration except the simple accelerator of a single
domain using only "httpd_accel_host your.backend.server" requires
access controls to be properly configured, and even then it is
strongly recommended to have good access controls set up to not run
into the problem later when expanding the configuration.

Typical access controls for a reverse-proxy/accelerator:

acl my_servers dst your.server.ip.addresses...
acl http protocol http
acl port80 port 80

http_access allow http port80 my_servers

Typical access controls for a proxy:

acl my_networks src your.client.network/netmask ...
http_access allow my_networks

Insert these where told to in the default configuration. Do NOT erase
the existing access control rules as those are there to prevent other
forms of abuse.

If you are using the same Squid as both accelerator and proxy then
insert both blocks of rules.

Regards
Henrik Nordström
MARA Systems AB

On Tuesday 29 January 2002 19.16, Kent, Mr. John wrote:
> Greetings,
>
> This may be old news to most, and it may have been discussed
> heavily in documentation and FAQs, never-the-less I got caught, and
> am sharing my error with the rest of the Squid community.
>
> I had set
>
> httpd_accel_with_proxy to on
>
> We were then used as a redirect to pornographic sites by someone in
> China.
>
> Setting the above to off stopped the abuse.
>
> From my security officer: "Clever proxy tricks are one of the
> hottest current topics in the BlackHat community. The reason being
> if they can do reconnaissance or even attacks via a proxy, their true
> source IP is obfuscated. In the past, when they decide to attack, it
> had to be from a system they were willing to give up because the
> attack would be traced back and the compromise of the attacking
> system will be revealed. All this proxy stuff is intended to conserve
> their "resources"..."
>
> John Kent
> Webmaster
> Naval Research Laboratory
> Monterey, California
Received on Tue Jan 29 2002 - 12:55:22 MST
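The following is an added example, not part of Henrik's reply or of Squid itself: a small Python model of how Squid evaluates the http_access rules quoted above (first matching line wins, every acl on a line must match, and when no line matches the default is the opposite of the last line). It plugs in the accelerator block, the proxy block, the combination of both followed by the "deny all" that closes the stock squid.conf, and the open configuration that let the proxy be abused. All IP addresses and networks are constructed documentation ranges; the model assumes the request's destination hostname has already been resolved to an IP (real Squid resolves a "dst" acl at request time) and covers only the four acl types used in the reply. Note that the httpd_accel_* directives belong to Squid 2.x; later releases moved accelerator mode onto http_port/cache_peer options, but the http_access logic modelled here is unchanged.

```python
"""Toy model of Squid http_access evaluation (added example, not Squid code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src: str    # client IP
    dst: str    # origin server IP (assumed already resolved from the URL host)
    port: int   # destination port from the URL
    proto: str  # URL scheme


def build_acls(server_ips, client_nets):
    """Return name -> (acl type, values), mirroring the acl lines in the reply."""
    return {
        "my_servers": ("dst", [ipaddress.ip_address(a) for a in server_ips]),
        "http": ("protocol", ["http"]),
        "port80": ("port", [80]),
        "my_networks": ("src", [ipaddress.ip_network(n) for n in client_nets]),
        # the stock config's "acl all src 0.0.0.0/0.0.0.0"
        "all": ("src", [ipaddress.ip_network("0.0.0.0/0")]),
    }


def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind == "dst":
        return ipaddress.ip_address(req.dst) in values
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in net for net in values)
    if kind == "port":
        return req.port in values
    if kind == "protocol":
        return req.proto.lower() in values
    raise ValueError(f"unsupported acl type {kind}")


def http_access(rules, acls, req):
    """rules: list of (action, [acl names]) in config order; returns 'allow'/'deny'.

    Every acl on a line must match (AND); the first matching line decides.
    If no line matches, Squid applies the opposite of the last line's action.
    """
    for action, names in rules:
        if all(acl_matches(acls, n, req) for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


# Rule blocks from the reply, plus the closing "deny all" of the stock config.
ACCEL_RULES = [("allow", ["http", "port80", "my_servers"])]
PROXY_RULES = [("allow", ["my_networks"])]
COMBINED_RULES = ACCEL_RULES + PROXY_RULES + [("deny", ["all"])]
OPEN_RULES = [("allow", ["all"])]    # the misconfiguration: an open proxy

# Constructed addresses: backend at 192.0.2.10, clients in 198.51.100.0/24.
ACLS = build_acls(server_ips=["192.0.2.10"], client_nets=["198.51.100.0/24"])

# Constructed sample requests.
INSIDE_TO_BACKEND = Request("198.51.100.7", "192.0.2.10", 80, "http")
INSIDE_TO_ELSEWHERE = Request("198.51.100.7", "93.184.216.34", 80, "http")
OUTSIDE_TO_BACKEND = Request("203.0.113.5", "192.0.2.10", 80, "http")
OUTSIDE_TO_ELSEWHERE = Request("203.0.113.5", "93.184.216.34", 80, "http")


def evaluate(rules, req):
    return http_access(rules, ACLS, req)


if __name__ == "__main__":
    for label, rules in [("accelerator", ACCEL_RULES), ("proxy", PROXY_RULES),
                         ("both + deny all", COMBINED_RULES), ("open", OPEN_RULES)]:
        print(f"--- {label}")
        for req in (INSIDE_TO_BACKEND, INSIDE_TO_ELSEWHERE,
                    OUTSIDE_TO_BACKEND, OUTSIDE_TO_ELSEWHERE):
            print(f"{req.src:>14} -> {req.dst:<14}:{req.port} {evaluate(rules, req)}")
```

The case that bit the original poster is the last request: a client outside your networks asking the proxy for a third-party site. The accelerator block denies it because "my_servers" does not match, and the combined block denies it through "deny all"; only the open configuration lets it through.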
