
Re: Detecting and blocking child proxy servers


On Wednesday 25 July 2007 14:42, Tek Bahadur Limbu wrote:
> Juraj Sakala wrote:
> > On Tuesday 24 July 2007 12:56, Tek Bahadur Limbu wrote:
> >> Is this possible? In other words, I want my proxy servers to detect
> >> squid or other proxy servers which are being used or operated by others
> >> besides me.
> >
> > Maybe it is possible:
> > - if you know your network you can use header x_forwarded_for to detect
> > unknown networks.
> > - if you want to allow only your proxy servers, use http_access directive
> > with acl which contains only your proxies
> > - try something like this:
> > 	acl  myproxy req_header Via MyProxy
> > 	http_access allow myproxy
> > 	http_access deny all
> > - use authentication
>
> Hi Juraj,
>
> Thanks for sharing your tips.
>
> Suppose I have the following:
>
> acl myproxy req_header Via 192.168.100.0/24
> http_access allow myproxy
> http_access deny all

It was only a tip. I am not sure, but I think Squid puts its visible
hostname and port in this header, in the format 1.1 <visible_hostname>:<port>.
So if someone uses Squid in the default configuration, you can block it
easily. But it is true that headers are easily spoofable.

> Now if I use this, my normal clients (192.168.101.0/24) won't be able to
> access my proxy server right?

The question is whether a normal client sends a Via header in its request;
I am sure that it does not.

So we need an ACL that permits requests from our proxies with the correct Via
header, or from clients with no header, and denies all other requests.

It will be hard; maybe an external ACL will be useful.
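
The policy described in the message above (allow our own proxies' Via values, allow clients that send no Via, deny everything else), sketched as an external ACL helper. This is an added example, not part of the original message or of Squid itself. It assumes the helper is wired up with external_acl_type so that it receives the Via header as one URL-escaped token per line, with "-" when the header is absent; the proxy names in OUR_PROXIES are hypothetical.

```python
import sys
from urllib.parse import unquote

# Hypothetical allowlist: <visible_hostname>:<port> of each proxy we operate.
OUR_PROXIES = {"proxy1.example.net:3128", "proxy2.example.net:3128"}


def via_hops(value):
    """Return the received-by field of every Via element, or None if malformed."""
    hops = []
    for element in value.split(","):
        fields = element.split()
        # Each element is "<version> <received-by> [(comment)]".
        if len(fields) < 2:
            return None
        hops.append(fields[1].lower())
    return hops


def decide(token):
    """Map one helper input token to the helper's OK/ERR answer."""
    if token in ("", "-"):
        return "OK"                 # no Via header: treated as a direct client
    hops = via_hops(unquote(token))
    if hops and all(hop in OUR_PROXIES for hop in hops):
        return "OK"                 # every hop in the chain is one of ours
    return "ERR"                    # unknown or unparsable Via: deny


def main():
    # Assumed helper protocol: one request per input line, one answer per line.
    for line in sys.stdin:
        sys.stdout.write(decide(line.strip()) + "\n")
        sys.stdout.flush()          # Squid waits for each answer


if __name__ == "__main__":
    main()
```

A Via value the helper cannot parse, such as one with a comma inside a comment, is denied rather than guessed at. Because Via is supplied by the requester, the check is only meaningful alongside a src ACL that limits which addresses may connect at all.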
