Re: [squid-users] my squid used by someone's proxy server.

From: Amos Jeffries <squid3@dont-contact.us>
Date: Fri, 9 Nov 2007 15:02:17 +1300 (NZDT)

> Hello Squid users.
>
> I am using squid for server accelerator.
>
> But my squid server used by someone's transparent proxy.
> (My server IP address listed by
> http://www.proxy-list.net/transparent-proxy-lists.shtml )
> Also listed by google link (PROXY LISTS - Free Anonymous Proxies and Proxy
> Tools)
>
> Is It possible?

Yes of course. These lists are usually tested automatically.

> Plz help on my squid.conf ( for reverse proxy)
> --------------------------------------------------------
> http_port 80 vhost
> icp_port 0
> cache_peer 111.111.111.1 parent 80 0 no-query originserver no-digest
> cache_peer_domain 111.111.111.1 www.abc.com
> hierarchy_stoplist cgi-bin ?

> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY

You may find this slows your accelerated/HIT rate from a cache-friendly
webserver with dynamic content.

> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8

You can kill any unused acl such as to_localhost.

> acl purge method PURGE
> acl CONNECT method CONNECT
> acl port80 port 80
>
> http_access allow port80

There is the problem.
 ANYBODY is allowed to access WWW through your server.
 Also, your proxy is acting as an open free CDN for anyone who wants to
point their domain name at you.

> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny all
> http_reply_access allow all
> --------------------------------------------------------
>
> And I checked my squid logs.
> (cd /var/log/squid ; grep -v abc.com access.log* | grep -v 503 | grep -v TCP_DENIED)
>
> I found that my squid server (server accelerator) used by someone's proxy
> server.

Not just someone else's server. Someone else. Anyone else anywhere. You
are providing free www access.

>
> (219.136.189.213 - - [08/Nov/2007:15:30:35 +0900] "GET http://www.baidu.com/ HTTP/1.0" 200 4082 "-" "-" TCP_REFRESH)
>
> How can I block it ?
>

Check you are using a recent squid 2.6+ release.

Create a cache_peer line for each of the source webservers:

  cache_peer 111.111.111.1 parent 80 0 no-query no-digest no-netdb-exchange originserver name=abc

Create an ACL which lists the domains you are accelerating.
I seriously HOPE you are not admin of abc.com,
 but if you are; you have seriously f*&^d the company, well done :)

   acl sitesHosted dstdomain www.abc.com

Use it to redirect the sites to the peer:

  cache_peer_access abc allow sitesHosted
  cache_peer_access abc deny all

Restrict the www access to only the sites you are hosting or from localhost:

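  # manager and purge rules go first, so "allow sitesHosted" cannot admit them from outside
  http_access allow manager localhost
  http_access deny manager
  http_access allow purge localhost
  http_access deny purge
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow sitesHosted
  http_access allow localhost
  http_access deny all
  http_reply_access allow all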

Prevent anyone outside from requesting a site you can't get from the host
servers.

  never_direct allow !localhost

Amos
Received on Thu Nov 08 2007 - 19:02:20 MST
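
A first-match model of the http_access evaluation discussed in this thread, added as an illustration (it is not code from the thread or from Squid): it shows why `http_access allow port80` admits the logged `GET http://www.baidu.com/` and why a list that allows only `sitesHosted`, with the manager and PURGE rules kept ahead of it, denies it. The Safe_ports/SSL_ports port sets, the `request` and `decide` helpers and the simplified ACL matching are assumptions of the example; the rule lists omit the `http_access` keyword.

```python
import ipaddress
from urllib.parse import urlsplit

# ACLs named as in the thread. Safe_ports/SSL_ports are not defined on the
# page; the port sets below are assumptions for this example.
ACLS = {
    "all":         lambda r: True,
    "localhost":   lambda r: r["src"] == ipaddress.ip_address("127.0.0.1"),
    "port80":      lambda r: r["port"] == 80,
    "sitesHosted": lambda r: r["host"] == "www.abc.com",
    "manager":     lambda r: r["scheme"] == "cache_object",
    "purge":       lambda r: r["method"] == "PURGE",
    "CONNECT":     lambda r: r["method"] == "CONNECT",
    "Safe_ports":  lambda r: r["port"] in {80, 443},
    "SSL_ports":   lambda r: r["port"] in {443, 563},
}

ORIGINAL = """allow port80
allow manager localhost
deny manager
allow purge localhost
deny purge
deny !Safe_ports
deny CONNECT !SSL_ports
allow localhost
deny all"""

RESTRICTED = """allow manager localhost
deny manager
allow purge localhost
deny purge
deny !Safe_ports
deny CONNECT !SSL_ports
allow sitesHosted
allow localhost
deny all"""

def request(src, method, url):
    u = urlsplit(url)
    return {"src": ipaddress.ip_address(src), "method": method,
            "scheme": u.scheme, "host": u.hostname, "port": u.port or 80}

def decide(rules, req):
    """First rule whose ACLs all match wins; ACLs are ANDed, '!' negates."""
    for line in rules.splitlines():
        action, *names = line.split()
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    return "deny"  # not reached here: both lists end in "deny all"
```

Calling `decide(ORIGINAL, request("219.136.189.213", "GET", "http://www.baidu.com/"))` returns `allow` on the first rule, while the same request against `RESTRICTED` falls through to `deny all`.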