Re: [squid-users] Re: Squid Reverse Proxy. Attempted connections to domains we do not host?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 05 Sep 2013 19:30:14 +1200

On 5/09/2013 5:15 p.m., PSA4444 wrote:
> Hi Amos,
>
> We did not get a solution to this yet.
>
> The work around has been to disable http (port 80) and only run https (port
> 443) with a firewall in front of the proxy server. This blocked out 100% of
> these requests for now but I will need to re-enable it later.
>
> How can I disable this open-proxy relaying?
>
> Config:
>
> ###
>
> visible_hostname domain.com
>
>
> https_port 443 accel cert=/usr/newrprgate/CertAuth/cert.cert
> key=/usr/newrprgate/CertAuth/key.pem vhost defaultsite=www.domain.com
>
> sslproxy_flags DONT_VERIFY_PEER

NOTE:
  This flag is supported so that forward-proxy and interception proxy
administrators can avoid having to register unlimited numbers of
volatile self-signed CA for all the Internet websites their users encounter.

  There should be no reason for it to be used in accelerator proxies -
even with the backend server certificate(s) self-signed. The proxy just
needs to be configured with the CA certificate(s) necessary to validate
the upstream server. Since this is an accelerator proxy the backends
should be a well-defined set with the CA they require easily managed and
configured.

The same thing goes for the sslflags=DONT_VERIFY_PEER on cache_peer
lines. I have yet to see any reason beyond laziness for that cache_peer
flag to be used since this is always a specific peer server with easily
knowable CA. Doing SSL validation to the peers will help detect and
prevent unexpected internal machines from being able to hijack the
traffic, with auto-configuration on the network that is an important
protection.

> forwarded_for on
>
> #Cache Peer 1
> cache_peer one.domain.com parent 443 0 no-query originserver ssl
> sslversion=3 connect-timeout=8 connect-fail-limit=2
> sslflags=DONT_VERIFY_PEER front-end-https=on name=one login=PASSTHRU
> acl sites_one dstdomain one.domain.com
> cache_peer_access one allow sites_one
> acl http proto http
> acl https proto https
>
>
> #Cache Peer 2
> cache_peer two.domain.com parent 443 0 no-query originserver ssl
> sslversion=3 connect-timeout=8 connect-fail-limit=2
> sslflags=DONT_VERIFY_PEER front-end-https=on name=two login=PASSTHRU
> acl sites_two dstdomain two.domain.com
> cache_peer_access two allow sites_two
> acl http proto http
> acl https proto https
>

Since you already have sites_one and sites_two configured for the
cache_peer_access directives, they should be re-used in http_access
allow lines to permit only the accelerated sites to be requested through
the proxy.

Like so:
   http_access allow sites_one
   http_access allow sites_two
   http_access deny all

This resolves the open-proxy part and also enables Squid to handle a
higher traffic load when DoS'ed with garbage-domain requests.

> http_access allow all
>
> header_replace Vary Accept-Encoding
> request_header_access All allow all

You do not seem to have any header 'deny' rule for header_replace to
work from - so it will do nothing.

"request_header_access All allow all" is the default. You can avoid CPU
cycles processing requests through the header mangling component by
removing these completely from the config.

Amos
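The config below is an added example, not part of Amos's reply or of the
config PSA4444 posted. It pulls the three points of the reply together into
one accelerator squid.conf: peer certificate validation instead of
DONT_VERIFY_PEER, http_access restricted to the accelerated sites, and the
no-op header directives removed. Assumptions: Squid 3.x option names as used
in the thread (sslcafile=, ssldomain=); the CA bundle path
/usr/newrprgate/CertAuth/backend-ca.pem is hypothetical and stands for
whatever CA issued the backend certificates; sslversion= is left at its
default so proxy and backend negotiate a version rather than being pinned
to SSLv3 as in the original; the unused "acl http"/"acl https" lines are
dropped.

```conf
# Accelerator-only squid.conf (added example; paths and names are assumptions)
visible_hostname domain.com

# Listener: unchanged from the thread.
https_port 443 accel cert=/usr/newrprgate/CertAuth/cert.cert key=/usr/newrprgate/CertAuth/key.pem vhost defaultsite=www.domain.com

# "sslproxy_flags DONT_VERIFY_PEER" deliberately absent: it exists for forward
# and interception proxies and has no role in an accelerator.

forwarded_for on

# One ACL per accelerated site; reused for both routing and access control.
acl sites_one dstdomain one.domain.com
acl sites_two dstdomain two.domain.com

# Backends are verified against the CA that issued their certificates.
# ASSUMPTION: backend-ca.pem is a hypothetical path holding that CA.
# ssldomain= pins the name the peer certificate must carry, so an unexpected
# internal host cannot answer for the backend even with some other certificate
# the CA has signed. "sslflags=DONT_VERIFY_PEER" is gone.
cache_peer one.domain.com parent 443 0 no-query originserver ssl sslcafile=/usr/newrprgate/CertAuth/backend-ca.pem ssldomain=one.domain.com connect-timeout=8 connect-fail-limit=2 front-end-https=on name=one login=PASSTHRU
cache_peer_access one allow sites_one
cache_peer_access one deny all

cache_peer two.domain.com parent 443 0 no-query originserver ssl sslcafile=/usr/newrprgate/CertAuth/backend-ca.pem ssldomain=two.domain.com connect-timeout=8 connect-fail-limit=2 front-end-https=on name=two login=PASSTHRU
cache_peer_access two allow sites_two
cache_peer_access two deny all

# Access control: only the accelerated sites may be requested. Squid uses the
# first matching http_access line, so the final "deny all" refuses every
# request for a domain that is not hosted here before any peer is selected.
# This replaces the original "http_access allow all".
http_access allow sites_one
http_access allow sites_two
http_access deny all

# "header_replace Vary Accept-Encoding" had no matching deny rule to act on,
# and "request_header_access All allow all" is the default, so both are
# omitted rather than run every request through the header mangler.
```

After loading it, check the config parses and then probe from outside the
firewall with a Host header for a domain you do not host; the expected
answer is 403 from Squid's "deny all", while a request for one.domain.com
should return the backend's response:

   squid -k parse
   curl -sk -o /dev/null -w '%{http_code}\n' -H 'Host: not-ours.example' https://PROXY-ADDRESS/
   curl -sk -o /dev/null -w '%{http_code}\n' -H 'Host: one.domain.com' https://PROXY-ADDRESS/

If the second request fails instead of reaching the backend, the CA bundle or
the ssldomain= name does not match what the backend presents; cache.log will
show the peer connection failing, which is the validation doing its job
rather than a reason to put DONT_VERIFY_PEER back.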
Received on Thu Sep 05 2013 - 07:30:21 MDT

This archive was generated by hypermail 2.2.0 : Thu Sep 05 2013 - 12:00:04 MDT