Re: [squid-users] Someone's using my cache?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 12 Nov 2008 18:44:00 +1300

lists_at_grounded.net wrote:
>> You definitely have a fully open proxy configured for anyone who can send
>> packets to it. Also the firewall itself intercepts and sends stuff into
>> the proxy.
>
> Yes, I've not had much time to learn it yet, I just needed to get it running for a quick satellite demo so simply opened a port 80 hole in the firewall for traffic and created a basic config.
>
>>> http_access allow accel_hosts
>>> http_access allow manager localhost
>>> http_access deny manager
>>> http_access allow all
>>>
>> The line above permits anyone who can send a packet to your proxy to use
>> it as a relay for any purpose they like.
>> The restrictions above it are not denying anything except cache_mgr://
>> protocol. So there is no protection inside Squid.
>> The default config is safe if you set localnet to your internal IPs only:
>
> I actually need to allow public connections since we don't know which machines are actually connecting for the testing.
>
>>> http_access allow all
>
> I kind of figured that this might be a hole but I was not able to find out what I should build as a config in time. I needed and need to have this working as part of a demo, then later will have time to get back to it and learn more about it.
>
>> What version of squid are you on?
>> What's the purpose of these? and what traffic are they catching?
>> http_port 80 transparent
>> http_port 443 transparent
>
> It's version 2.6.
>
> With the tiny amount of knowledge I gathered up, I put a config together which would allow public connections to a server on the network. The trial was showing off a website which was designed for satellite users so we used the proxy to speed things up a bit.
>
> The port 80/443 variables, I thought, were meant to allow traffic to come in on those ports but transparently since the users are any public user.
>
> Mike
>

Ah. Gotcha. You are wanting a reverse proxy.

http://wiki.squid-cache.org/SquidFaq/ReverseProxy
contains a usable config for accelerating a hidden web server securely.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
   Current Beta Squid 3.1.0.2
Received on Wed Nov 12 2008 - 05:44:05 MST
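
The contrast discussed in this message, as an added example that is not part of the original post and not copied from the linked wiki page: the posted rules beside a reverse-proxy form for Squid 2.6 that still accepts any public client, but only for the published site. The hostname `www.example.com`, the backend address `192.0.2.10`, and the names `our_sites` and `myAccel` are constructed placeholders.

```conf
# --- As posted in the thread (open relay) ---
# The last rule admits every request, whatever destination it names.
#   http_port 80 transparent
#   http_port 443 transparent
#   http_access allow accel_hosts
#   http_access allow manager localhost
#   http_access deny manager
#   http_access allow all

# --- Reverse-proxy (accelerator) form, Squid 2.6 syntax ---
# Placeholders (constructed): www.example.com, 192.0.2.10, our_sites, myAccel.

# Listen as an accelerator for one site instead of as an interceptor.
# HTTPS needs an https_port line with a certificate and is left out here.
http_port 80 accel defaultsite=www.example.com

# The hidden web server is the only upstream Squid may fetch from.
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=myAccel

# Standard ACLs, as defined in the default 2.6 squid.conf.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255

# Requests are admitted by destination, not by client address, so
# unknown public test machines still work.
acl our_sites dstdomain www.example.com

# http_access is first-match: cache manager rules, then the one site,
# then an explicit deny for everything else.
http_access allow manager localhost
http_access deny manager
http_access allow our_sites
http_access deny all

# Only requests for the published site may be forwarded to the backend.
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
```

Running `squid -k parse` checks the file for syntax errors before the change is applied with `squid -k reconfigure`.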

This archive was generated by hypermail 2.2.0 : Wed Nov 12 2008 - 12:00:03 MST