Re: bungled reverse proxy config: open proxy

Craig Skinner wrote:
Hi there,

Being the Squid reverse newbie that I am, I have configured an open
reverse proxy :-(


From an offsite shell account:

$ telnet my-server....
Trying 8....
Connected to .....
Escape character is '^]'.
GET http://www.squid-cache.org HTTP/1.0

HTTP/1.0 200 OK


and in access.log:


1170713839.523   1345 212.20.230.11 TCP_MISS/200 6368 GET http://www.squid-cache.org - DIRECT/12.160.37.9 text/html
1170713895.037    126 212.20.230.11 TCP_MEM_HIT/200 6376 GET http://www.squid-cache.org - NONE/- text/html


Well, at least I got it working as a reverse proxy in front of a single
apache host with a few virtual domain websites......


I followed the reverse white paper at
http://www.visolve.com/squid/whitepapers/reverseproxy.php

Config is:

$ fgrep -v \# /etc/squid/squid.conf | grep -v ^$
http_port localhost:3128
http_port twig.birch:3128
http_port branch.birch:80
cache_dir ufs /var/squid/cache 400 16 256
ftp_list_width 80
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl accel_host dst 192.168.186.20/255.255.255.255
acl accel_port port 80
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow accel_host
http_access deny all
# That makes the following line useless.  Drop it for clarity.
http_access allow all
http_reply_access allow all
httpd_accel_host 192.168.186.20
httpd_accel_single_host on
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
strip_query_terms off
coredump_dir /var/squid/cache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT PROPFIND



I think I need to get the http_access items tightened up (according to
the white paper), what links do I need to refer to? Thanks.

I've shut down squid until I make it secure.

Chris
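
A check for the symptom shown in the access.log excerpt above, as an added example that is not part of the original message: it parses Squid's native access.log format and lists requests that were not denied yet named a host other than the accelerated sites. The hostnames in `ACCELERATED_HOSTS` and the last two log lines are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hostnames the accelerator is meant to serve (assumption: constructed names).
ACCELERATED_HOSTS = {"www.example.org", "example.org"}

# First two lines are from the post above; the last two are constructed.
SAMPLE_LOG = """\
1170713839.523   1345 212.20.230.11 TCP_MISS/200 6368 GET http://www.squid-cache.org - DIRECT/12.160.37.9 text/html
1170713895.037    126 212.20.230.11 TCP_MEM_HIT/200 6376 GET http://www.squid-cache.org - NONE/- text/html
1170713900.100     12 198.51.100.7 TCP_HIT/200 5120 GET http://www.example.org/index.html - NONE/- text/html
1170713901.200      3 198.51.100.7 TCP_DENIED/403 1400 GET http://www.example.net/ - NONE/- text/html
"""

def parse_line(line):
    """Split one native-format access.log line into named fields, or None."""
    parts = line.split()
    if len(parts) < 10:
        return None
    result, _, status = parts[3].partition("/")
    if not status.isdigit():
        return None
    return {
        "client": parts[2], "result": result, "status": int(status),
        "method": parts[5], "url": parts[6], "hierarchy": parts[8],
    }

def request_host(method, url):
    """Host named in the request: authority form for CONNECT, else URL host."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def open_proxy_hits(log_text, allowed_hosts):
    """Return non-denied requests whose target host is not an accelerated site."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["result"].endswith("DENIED"):
            continue  # unparseable line, or Squid already refused the request
        host = request_host(entry["method"], entry["url"])
        if host and host not in allowed_hosts:
            hits.append({**entry, "host": host})
    return hits

if __name__ == "__main__":
    for hit in open_proxy_hits(SAMPLE_LOG, ACCELERATED_HOSTS):
        print(hit["client"], hit["result"], hit["status"], hit["host"], hit["hierarchy"])
```

Both lines from the post are reported: the first was fetched from the origin (`DIRECT/12.160.37.9`), the second was then answered from cache, so the foreign content stays served even without a new upstream connection.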
