Re: [squid-users] bungled reverse proxy config: open proxy

From: Chris Robertson <crobertson@dont-contact.us>
Date: Mon, 05 Feb 2007 14:15:07 -0900

Craig Skinner wrote:
> Hi there,
>
> Being the Squid reverse newbie that I am, I have configured an open
> reverse proxy :-(
>
>
> From an offsite shell account:
>
> $ telnet my-server....
> Trying 8....
> Connected to .....
> Escape character is '^]'.
> GET http://www.squid-cache.org HTTP/1.0
>
> HTTP/1.0 200 OK
>
>
> and in access.log:
>
>
> 1170713839.523 1345 212.20.230.11 TCP_MISS/200 6368 GET http://www.squid-cache.org - DIRECT/12.160.37.9 text/html
> 1170713895.037 126 212.20.230.11 TCP_MEM_HIT/200 6376 GET http://www.squid-cache.org - NONE/- text/html
>
>
> Well, at least I got it working as a reverse proxy in front of a single
> apache host with a few virtual domain websites......
>
>
> I followed the reverse white paper at
> http://www.visolve.com/squid/whitepapers/reverseproxy.php
>
> Config is:
>
> $ fgrep -v \# /etc/squid/squid.conf | grep -v ^$
> http_port localhost:3128
> http_port twig.birch:3128
> http_port branch.birch:80
> cache_dir ufs /var/squid/cache 400 16 256
> ftp_list_width 80
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl CONNECT method CONNECT
> acl accel_host dst 192.168.186.20/255.255.255.255
> acl accel_port port 80
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny to_localhost
>
http_access allow accel_host
http_access deny all
# That makes the following line useless. Drop it for clarity.
> http_access allow all
> http_reply_access allow all
> httpd_accel_host 192.168.186.20
> httpd_accel_single_host on
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
> strip_query_terms off
> coredump_dir /var/squid/cache
> extension_methods REPORT MERGE MKACTIVITY CHECKOUT PROPFIND
>
>
>
> I think I need to get the http_access items tightened up (according to
> the white paper), what links do I need to refer to? Thanks.
>
> I've shut down squid until I make it secure.
>

Chris
Received on Mon Feb 05 2007 - 16:15:17 MST
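
The rule ordering discussed in this thread, as an added example that is not part of the original messages or of Squid itself: a small first-match evaluator for `http_access` lines, run against a constructed subset of the posted config and against the corrected ending from the reply. It assumes the request's destination is already resolved to an IP address and handles only `src`, `dst`, `port` and `method` ACLs; the function names are hypothetical.

```python
import ipaddress

def parse(conf):
    """Collect acl definitions and http_access rules, in file order."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split()
        if tok and tok[0] == "acl":
            acls[tok[1]] = (tok[2], tok[3:])
        elif tok and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req[kind])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        return str(req["port"]) in values
    if kind == "method":
        return req["method"] in values
    raise ValueError(f"unsupported acl type: {kind}")

def decide(conf, req):
    """The first http_access line whose ACLs all match decides the request."""
    acls, rules = parse(conf)
    for action, names in rules:
        # A leading "!" negates the ACL; every ACL on the line must hold.
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"

# Constructed subset of the config quoted in the thread.
ACLS = """acl all src 0.0.0.0/0.0.0.0
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl accel_host dst 192.168.186.20/255.255.255.255
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
"""
POSTED = ACLS + "http_access allow all\n"
FIXED = ACLS + "http_access allow accel_host\nhttp_access deny all\n"

# Requests as seen in the thread: offsite client asking for a foreign site,
# and the same client asking for the accelerated backend.
OFFSITE = {"src": "212.20.230.11", "dst": "12.160.37.9", "port": 80, "method": "GET"}
BACKEND = dict(OFFSITE, dst="192.168.186.20")

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("fixed", FIXED)):
        print(name, decide(conf, OFFSITE), decide(conf, BACKEND))
```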
