On Wed, 18 May 2011 01:24:39 +0200, Cedric Lor wrote:
> Hi
>
> I'm running squid Version 2.7.STABLE9 on FreeBSD.
>
> I have only one external IP. I'm trying to set up squid so that it
> would be running on a single port in accel mode and in forward proxy
> mode.
This is *highly* unsafe. It opens your network to poisoning attacks as
outlined in CVE-2009-0801.
Use two http_port lines. One for forward and one for reverse traffic.
>
> The idea is to be able to access other services via the Connect
> method on the server, for instances ssh, in order to carry out
> maintenance work on the server as necessary while serving, on a
> backend server on the loopback. I use proxytunnel on a client machine
> to send Connect method and establish a tunnel through Squid to the
> local interface.
>
> When I configure Squid in pure forward proxy, Squid connecting to port
> 22 works seamlessly.
>
> However, when I configure Squid to combine reverse and forward, my
> client gets the following answer upon connection with Squid: HTTP
> return code: 400 Bad Request
CONNECT is an illegal method in reverse-proxy traffic. The URL provided is
incomplete and cannot be used by a reverse-proxy to reconstruct an HTTP
request. This is particularly bad when the protocol inside CONNECT is
not HTTP anyway.
>
> I've done this in the past with an Apache server (ProxyRequest On
> together with a ProxyPass command) so I'm pretty sure Squid should
> let me do it. But I could not find any configuration example, whether on
> Squid's site or on the internet.
mod_proxy operates like a Squid URL re-writer. All the same behaviour
and problems.
<snip>
> - Squid:
> ---------------------------------------------------------
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.1/32
Change:
acl to_localhost dst 127.0.0.1/32 0.0.0.0/32
> acl to_all dst all
>
> acl SSL_ports port 80 22
>
> acl Safe_ports port 80 # http
> acl Safe_ports port 22 # ssh
>
> acl CONNECT method CONNECT
> ---------------------------------------------------------
> http_access allow manager localhost
> http_access deny manager
>
> http_access deny !Safe_ports
>
> http_access deny CONNECT !SSL_ports
>
> http_access allow to_localhost Safe_ports
to_localhost is customized to prevent malicious DNS entries allowing
attacks to bypass security.
The intended use is:
http_access deny to_localhost
Since you seem not to want that, remove it completely.
>
> http_access allow localhost
Change that:
http_access allow localhost CONNECT
>
> ################################
NOTE: highlighted comment #1 in the documentation is...
* This configuration MUST appear at the top of squid.conf above any
other forward-proxy configuration ...
Do that.
> acl our_sites dstdomain www.mysite.com
> http_access allow our_sites
> cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
> cache_peer_access myAccel allow our_sites
> ################################
>
> http_access deny all !to_localhost
Change:
http_access deny all
> ---------------------------------------------------------
> icp_access allow localnet
> icp_access deny all
>
> ---------------------------------------------------------
> http_port X.X.X.X:80 accel defaultsite=www.mysite.com
Amos
Received on Wed May 18 2011 - 02:25:30 MDT
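Putting the advice in the reply together, the following is a complete squid.conf skeleton for 2.7 that separates the accelerator from the forward proxy. It is an added example written for this page, not Cedric's posted configuration and not a file from the Squid project. The reverse-proxy block comes first and is bound to its own port with a myport ACL, the forward proxy listens on a second port, and CONNECT is restricted to port 22 on this server's loopback from a single administrative source. The forward port 3128, the admin workstation address 203.0.113.10, the internal network 192.168.0.0/16 (for the localnet ACL the original config used but never defined), and the www.mysite.com / X.X.X.X placeholders carried over from the thread are all assumptions. Instead of dropping to_localhost, this example keeps the stock deny and places one narrow allow ahead of it, so only the admin host can reach loopback and only for the ssh tunnel.

```squid
# Added example, not from the thread: Squid 2.7 with one accel port and
# one forward-proxy port, CONNECT limited to the ssh maintenance tunnel.

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
# Stock to_localhost: catches hostnames that resolve to loopback or 0.0.0.0.
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 192.168.0.0/16        # assumed internal client network
acl admin_src src 203.0.113.10/32      # assumed admin workstation
acl SSL_ports port 22                  # only ssh is ever tunnelled
acl Safe_ports port 80                 # http
acl Safe_ports port 22                 # ssh
acl CONNECT method CONNECT

################################
# Reverse proxy (accelerator). Per the Squid docs this block must sit
# above every forward-proxy rule. accel_port ties the allow to this
# listener so the rule cannot be reached via the forward port.
http_port X.X.X.X:80 accel defaultsite=www.mysite.com
acl accel_port myport 80
acl our_sites dstdomain www.mysite.com
http_access allow accel_port our_sites
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
################################

# Forward proxy on a separate port (3128 is an assumption).
http_port X.X.X.X:3128

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# The ssh tunnel: admin host only, CONNECT only, port 22 only, loopback only.
http_access allow admin_src CONNECT SSL_ports to_localhost
# Everyone else keeps the standard protection against DNS tricks.
http_access deny to_localhost
http_access allow localhost
http_access allow localnet
http_access deny all

icp_access allow localnet
icp_access deny all
```

With this in place a CONNECT from 203.0.113.10 to 127.0.0.1:22 on port 3128 is allowed, the same request from any other address is refused by "deny to_localhost", and a CONNECT arriving on port 80 is refused because "allow accel_port our_sites" only matches the accelerated site and the CONNECT rules that follow never allow it. Check the syntax with "squid -k parse -f /path/to/squid.conf" before reloading, then verify both the allowed and the refused case with proxytunnel from an admin and a non-admin host.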