[squid-users] Access restrictions for accelerator mode / hosts line?

From: Karl Pielorz <kpielorz@dont-contact.us>
Date: Tue, 11 Feb 2003 09:57:27 +0000

Hi All,

We're happily running Squid 2.5S1 under FreeBSD - and running it as an HTTP
accelerator.

I've been trying to set up the access lists very carefully to stop people
from supplying faked 'GET / HOST' lines, and effectively using the
accelerator as a proxy to fetch a page of their choice from any http server
on the net, rather than just pages from the accelerated host.

I can't seem to figure this out though - the moment I put the equivalent of
'allow any' into the http_access list [to allow any client to connect to
the proxy] - it seems Squid will quite happily go and connect outbound to
anywhere on the net as well... I found a couple of Howtos on the net - and
I have read through most of the documentation I can find, but all seem to end
in the same result - a faked 'GET / HOST: somewhere.com' works, or no one
can access the accelerator.

I'm guessing this is user error - but is it possible to tell squid "Serve
requests for anyone" as well as "Squid, you may only contact the following
host to get data from"? - Everything seems to revolve around the
http_access list, and I can't get the 'mutually exclusive' feeling out of
my head.

If there is the above, is there even more optimistically a "Oh, and by the
way - make sure the request you're processing only has the following hosts in
the Host: line?" - or would that have to be handled purely by the
redirector?

Regards,

-Karl Pielorz
Received on Tue Feb 11 2003 - 02:57:11 MST
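
The behaviour asked about above, as an added example that is not part of the original post and is not Squid code: a simplified Python model of first-match `http_access` evaluation, showing that a rule keyed on the destination host (a `dstdomain` ACL) can admit any client while refusing a `Host:` line that names another server. It assumes the destination is taken from the client's `Host:` line, as the post describes; `www.example.com`, the ACL name `accel_dst` and the client addresses are constructed placeholders.

```python
# Simplified model of Squid http_access evaluation (added example, not Squid source).
# Each rule is (action, acl); the first ACL that matches decides the request.

ACCEL_DOMAINS = ["www.example.com"]  # assumed accelerated host (placeholder)

def dstdomain_match(host_header, domains):
    """Model of a dstdomain ACL: exact match, or suffix match for '.domain' entries."""
    # Normalise: case-insensitive, drop an optional :port and a trailing dot.
    host = host_header.strip().lower().partition(":")[0].rstrip(".")
    for entry in domains:
        entry = entry.lower()
        if entry.startswith("."):
            # '.example.com' covers example.com and any subdomain of it.
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def acl_all(client_ip, host_header):
    # squid.conf equivalent: acl all src 0.0.0.0/0.0.0.0
    return True

def acl_accel_dst(client_ip, host_header):
    # squid.conf equivalent: acl accel_dst dstdomain www.example.com
    return dstdomain_match(host_header, ACCEL_DOMAINS)

# http_access allow all  -> any client, and therefore any destination
OPEN_RULES = [("allow", acl_all)]

# http_access allow accel_dst ; http_access deny all
# -> any client, but only when the requested host is the accelerated one
RESTRICTED_RULES = [("allow", acl_accel_dst), ("deny", acl_all)]

def http_access(rules, client_ip, host_header):
    for action, acl in rules:
        if acl(client_ip, host_header):
            return action
    return "deny"  # model's conservative fallback; both rule sets end explicitly

def audit(rules, requests):
    """Return (client, host, verdict) for each constructed sample request."""
    return [(ip, host, http_access(rules, ip, host)) for ip, host in requests]

SAMPLE_REQUESTS = [  # constructed test traffic
    ("192.0.2.10", "www.example.com"),
    ("198.51.100.7", "WWW.EXAMPLE.COM:80"),
    ("203.0.113.5", "somewhere.com"),
    ("203.0.113.5", "www.example.com.somewhere.com"),
]
```

Running `audit(RESTRICTED_RULES, SAMPLE_REQUESTS)` allows the first two requests and denies the last two, while `OPEN_RULES` allows all four.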
