Re: [squid-users] Is this a sane (and secure) accelerator config?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 04 Feb 2009 19:26:38 +1300

Paul Dowman wrote:
> Hi,
>
> I'm setting up squid to act as a web accelerator only, it will sit at
> www.mydomain.com and forward to several web servers (which are behind
> the firewall and not publicly accessible).
>
> As I understand it, the following config forwards ALL requests to one
> of the three cache_peer web servers, including a "Host:" HTTP header,
> and there's no need for using acl's. Is that correct? Are there any
> security issues here?
>
> Thanks.
>
> ############
> http_port 80 accel vhost
> collapsed_forwarding on
> acl all src 0/0
> http_access allow all
> cache_peer 10.x.x.1 parent 80 0 no-query originserver login=PASS round-robin
> cache_peer 10.x.x.2 parent 80 0 no-query originserver login=PASS round-robin
> cache_peer 10.x.x.3 parent 80 0 no-query originserver login=PASS round-robin
> ############

The ACLs seen in accelerator config are there to prevent an overload of
bogus requests being flooded back to the web servers. I would
recommend listing the accelerated domains as per the FAQ example config.

There are broken client apps that don't send Host: header. The
"http_port ... defaultsite=" option is provided to fix-up such breakage
so the web servers always get a Host:. Without it the broken requests get
through to the web servers.

Otherwise that should be fine for a pure reverse proxy.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.5
Received on Wed Feb 04 2009 - 06:26:31 MST

This archive was generated by hypermail 2.2.0 : Wed Feb 04 2009 - 12:00:01 MST
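For reference, here is what the posted config looks like with the two changes Amos recommends applied: a dstdomain ACL that lists the accelerated site so arbitrary Host: values are rejected at the proxy instead of being forwarded, and defaultsite= so requests without a Host: header still reach the origins with one. This is an added example written for this archive page, not part of either message and not taken from the Squid FAQ. The hostname www.mydomain.com, the 10.x.x.* peers and login=PASS are carried over from Paul's post; the peer names web1..web3 and the ACL name our_sites are assumptions made for the example.

```conf
# Accelerator-only squid.conf (added example, based on the config posted above).
# Tested against the option set of Squid 2.7 / 3.0 as referenced in the thread.

# defaultsite= supplies a Host: header for clients that omit one, so the
# origin servers never see a request without one. vhost keeps using the
# client's own Host: header when it is present.
http_port 80 accel defaultsite=www.mydomain.com vhost

# collapsed_forwarding is a Squid 2.7 option; it was not present in the
# 3.0/3.1 series named in the signature (it returned later, in 3.5).
collapsed_forwarding on

# Name the peers so cache_peer_access can refer to them individually.
# login=PASS is kept from the original post: it forwards the client's own
# credentials to the origin, which only matters if the origins authenticate
# users themselves; drop it if they do not.
cache_peer 10.x.x.1 parent 80 0 no-query originserver login=PASS round-robin name=web1
cache_peer 10.x.x.2 parent 80 0 no-query originserver login=PASS round-robin name=web2
cache_peer 10.x.x.3 parent 80 0 no-query originserver login=PASS round-robin name=web3

# Replaces "acl all src 0/0 / http_access allow all" from the posted config.
# Only requests whose Host: names the accelerated site are accepted; anything
# else (scanner traffic with random Host: values, open-proxy probes) is
# refused here rather than flooded back to the origins.
acl all src 0.0.0.0/0.0.0.0
acl our_sites dstdomain www.mydomain.com
http_access allow our_sites
http_access deny all

# Belt and braces: even if http_access is loosened later, the peers are only
# ever selected for the accelerated site.
cache_peer_access web1 allow our_sites
cache_peer_access web1 deny all
cache_peer_access web2 allow our_sites
cache_peer_access web2 deny all
cache_peer_access web3 allow our_sites
cache_peer_access web3 deny all
```

Add one dstdomain entry per accelerated hostname (or a leading-dot form such as .mydomain.com for a whole domain) if the origins serve more than one site. A quick check after reloading is to send a request with a bogus Host: header (for example, `curl -H 'Host: example.invalid' http://www.mydomain.com/`) and confirm the proxy answers with its own access-denied page rather than an origin response.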