[squid-users] bungled reverse proxy config: open proxy from Craig Skinner on 2007-02-05 (squid-users)

From: Craig Skinner <craig.skinner@dont-contact.us>
Date: Mon, 5 Feb 2007 22:37:15 +0000

Hi there,

Being the Squid reverse newbie that I am, I have configured an open
reverse proxy :-(

From an offsite shell account:

$ telnet my-server....
Trying 8....
Connected to .....
Escape character is '^]'.
GET http://www.squid-cache.org HTTP/1.0

HTTP/1.0 200 OK

and in access.log:

1170713839.523 1345 212.20.230.11 TCP_MISS/200 6368 GET http://www.squid-cache.org - DIRECT/12.160.37.9 text/html
1170713895.037 126 212.20.230.11 TCP_MEM_HIT/200 6376 GET http://www.squid-cache.org - NONE/- text/html

Well, at least I got it working as a reverse proxy in front of a single
apache host with a few virtual domain websites......

I followed the reverse white paper at
http://www.visolve.com/squid/whitepapers/reverseproxy.php

Config is:

$ fgrep -v \# /etc/squid/squid.conf | grep -v ^$
http_port localhost:3128
http_port twig.birch:3128
http_port branch.birch:80
cache_dir ufs /var/squid/cache 400 16 256
ftp_list_width 80
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl accel_host dst 192.168.186.20/255.255.255.255
acl accel_port port 80
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow all
http_reply_access allow all
httpd_accel_host 192.168.186.20
httpd_accel_single_host on
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
strip_query_terms off
coredump_dir /var/squid/cache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT PROPFIND

I think I need to get the http_access items tightened up (according to
the white paper), what links do I need to refer to? Thanks.

I've shut down squid until I make it secure.

-- 
Craig Skinner | http://www.kepax.co.uk | aye-right@kepax.co.uk

Received on Mon Feb 05 2007 - 15:37:24 MST

This archive was generated by hypermail pre-2.1.9 : Thu Mar 01 2007 - 12:00:01 MST