On Mon, 20 Jun 2011 11:32:27 -0500, Brent Norris wrote:
> I am running squid-3.1.11-1 and it keeps locking up on me. When I
> then tell squid to restart using the init.d scripts it floods the
> logs
> with messages like this:
>
> 1308587241.668 24741 10.76.16.15 TCP_MISS/502 74187 GET
> http://10.76.16.15:8089/array.dll? - DIRECT/10.76.16.15 text/html
>
> which the squid machines ip address is 10.76.16.15
>
> I was experiencing this behavior in any release prior to 3.1 and I am
> still using my config from those prior versions, but I have looked at
> the default config that comes with the package and I didn't see
> anything that stood out as the reason it would be doing this.
>
> Can anyone give me a clue to what I need to look at? I would like to
> stay up on these newer versions but I can't get around this error.
>
> Brent
Malware causing forwarding loops. access.log entries only occur *after*
the completion of a request.
This vulnerability is a side effect of removing the HTTP protocol Via:
header. You can catch such requests early by erasing the "via" or
"x_forwarded_for" from your 3.1 config. The defaults are to use loop
protection.
If this is an interception proxy make sure you also have firewall
protection preventing visitors from directly connecting to the squid
listening NAT/"intercept" port.
Or, you can use the "deny to_localhost" security access control next to
your "deny !Safe_ports" one. You may need to add the Squid box public IP
to the list of prohibited localhost IPs.
Amos
Received on Tue Jun 21 2011 - 00:30:23 MDT
This archive was generated by hypermail 2.2.0 : Tue Jun 21 2011 - 12:00:02 MDT