Re: [squid-users] Someone's using my cache?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 12 Nov 2008 14:13:38 +1300 (NZDT)

> New user of squid. Used it many years ago but things have changed. I set
> up a proxy recently then forgot about it as I had other jobs to take care
> of. Seems I left it running but only had a couple of sites with IPs to the
> cache for testing.
>
> Yesterday, I wanted to get back to the cache and saw a great deal of
> traffic I/O on the cache but the weird part was that none of it was for or
> on my network. It looked like I've been used as some sort of payment
> gateway for a short while :).
> Anyhow, I do have firewall security in place, there was no compromise of
> the server itself so how in the heck was this happening? I kept the logs
> but being new to squid, means nothing to me just yet.

You definitely have a fully open proxy configured for anyone who can send
packets to it. Also the firewall itself intercepts and sends stuff into
the proxy.

It may be another internal machine or the firewall has been compromised.
Or, it may also be valid usage by someone else which the firewall is
sending through you as part of the interception.

>
> Here is my very basic setup file, maybe it's something silly I did, like
> the last line that says let anyone in. I would appreciate input on this,
> thanks very much.
>
> Mike
>

> http_port 80 transparent
> http_port 443 transparent
>
> acl all src 0.0.0.0/0.0.0.0
> acl Safe_ports port 80 443
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl accel_hosts dst 192.168.1.40
> http_access allow accel_hosts
> http_access allow manager localhost
> http_access deny manager
> http_access allow all

The line above permits anyone who can send a packet to your proxy to use
it as a relay for any purpose they like.
The restrictions above it are not denying anything except cache_mgr://
protocol. So there is no protection inside Squid.

The default config is safe if you set localnet to your internal IPs only:

  # RFC 1918: Possible Private Internal networks
  acl localnet src 10.0.0.0/8
  acl localnet src 172.16.0.0/12
  acl localnet src 192.168.0.0/16

  http_access allow manager localhost
  http_access deny manager
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow localnet
  http_access deny all

Just two things to re-think.

What version of squid are you on?
What's the purpose of these? And what traffic are they catching?
  http_port 80 transparent
  http_port 443 transparent

Amos
Received on Wed Nov 12 2008 - 01:13:44 MST
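
Added example (not part of the thread, and not Squid's own code): a simplified Python model of Squid's top-to-bottom, first-match `http_access` evaluation, run over the rule list quoted in the thread and the one given in the reply. The `SSL_ports` and `CONNECT` definitions and the client addresses (documentation ranges) are assumptions, and only the `src`, `dst`, `port`, `proto` and `method` ACL types are modeled.

```python
import ipaddress

def decide(conf, req):
    """Return "allow" or "deny" for req under the http_access rules in conf."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if tok[:1] == ["acl"]:              # acl NAME TYPE VALUE...
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"]:    # http_access allow|deny [!]ACL...
            rules.append((tok[1], tok[2:]))
    def hit(name):
        kind, values = acls[name]
        if kind in ("src", "dst"):          # CIDR or dotted-netmask membership
            addr = ipaddress.ip_address(req[kind])
            return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
        return str(req[kind]) in values     # port/proto/method: exact match only
    for action, names in rules:  # first matching line wins; "!" inverts an ACL
        if all(hit(n.lstrip("!")) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # no match: opposite of last rule

POSTED = """
acl all src 0.0.0.0/0.0.0.0
acl Safe_ports port 80 443
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl accel_hosts dst 192.168.1.40
http_access allow accel_hosts
http_access allow manager localhost
http_access deny manager
http_access allow all
"""
# Reply's rule list on the same base ACLs; SSL_ports and CONNECT definitions are assumed
SUGGESTED = "\n".join(POSTED.splitlines()[:5]) + """
acl SSL_ports port 443
acl CONNECT method CONNECT
acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""
# Constructed requests: an Internet client and a LAN client fetching an outside site
OUTSIDER = {"src": "203.0.113.9", "dst": "198.51.100.7", "port": 80, "proto": "http", "method": "GET"}
INSIDER = dict(OUTSIDER, src="192.168.1.23")
print(decide(POSTED, OUTSIDER), decide(SUGGESTED, OUTSIDER), decide(SUGGESTED, INSIDER))
```

Note that the posted config defines `Safe_ports` but never references it in an `http_access` line, so the model also allows the outside client on any other port.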
