> Hello Squid users.
>
> I am using squid for server accelerator.
>
> But my squid server used by someone's transparent proxy.
> (My server IP address listed by
> http://www.proxy-list.net/transparent-proxy-lists.shtml )
> Also listed by google link (PROXY LISTS - Free Anonymous Proxies and Proxy
> Tools)
>
> Is It possible?

Yes of course. These lists are usually tested automatically.

> Plz help on my squid.conf ( for reverse proxy)
> --------------------------------------------------------
> http_port 80 vhost
> icp_port 0
> cache_peer 111.111.111.1 parent 80 0 no-query originserver no-digest
> cache_peer_domain 111.111.111.1 www.abc.com
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY

You may find this slows your accelerated/HIT rate from a cache-friendly
webserver with dynamic content.

> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8

You can kill any unused acl such as to_localhost.

> acl purge method PURGE
> acl CONNECT method CONNECT
> acl port80 port 80
>
> http_access allow port80

There is the problem. ANYBODY is allowed to access WWW through your server.
Also, your proxy is acting as an open free CDN for anyone who wants to point
their domain name at you.

> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny all
> http_reply_access allow all
> --------------------------------------------------------
>
> And I checked my squid logs.
> (cd /var/log/squid ; grep -v abc.com access.log* | grep -v 503 | grep -v
> TCP_DENIED)
>
> I found that my squid server (server accelerator) used by someone's proxy
> server.

Not just someone else's server. Someone else. Anyone else anywhere.
You are providing free www access.

>
> (219.136.189.213 - - [08/Nov/2007:15:30:35 +0900] "GET
> http://www.baidu.com/ HTTP/1.0" 200 4082 "-" "-" TCP_REFRESH)
>
> How can I block it ?
>

Check you are using a recent squid2.6+ release.

Create a cache_peer line for each of the source webservers:

    cache_peer 111.111.111.1 parent 80 0 no-query no-digest no-netdb-exchange originserver name=abc

Create an ACL which lists the domains you are accelerating.
I seriously HOPE you are not admin of abc.com, but if you are; you have
seriously f*&^d the company, well done :)

    acl sitesHosted dstdomain www.abc.com

Use it to redirect the sites to the peer:

    cache_peer_access abc allow sitesHosted
    cache_peer_access abc deny all

Restrict the www access to only the sites you are hosting or from localhost:

    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow sitesHosted
    http_access allow localhost
    http_access allow manager localhost
    http_access allow purge localhost
    http_access deny all
    http_reply_access allow all

Prevent anyone outside from requesting a site you can't get from the host
servers.

    never_direct allow !localhost

Amos
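The log check quoted in the thread, reworked as an added example (not part of the original messages and not Squid's own tooling): it parses each access.log line and compares the requested host with the accelerated domains instead of filtering on substrings, so it can be rerun after the ACL change to confirm that only `www.abc.com` is still being served. The `HOSTED` set, the function names and all sample lines except the first are assumptions constructed here, and the log layout is assumed to match the line quoted in the post.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: same domain list as the sitesHosted ACL in the reply.
HOSTED = {"www.abc.com"}

# Layout of the access.log line quoted in the post; the Squid result code
# is the last field, optionally followed by ":hierarchy".
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ .* (?P<result>[A-Z_]+)(?::\S+)?$'
)

def request_host(method, url):
    """Host the client asked for, lower-cased, without port or trailing dot."""
    if method == "CONNECT":  # logged as host:port, no scheme
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")

def foreign_hits(lines, hosted=HOSTED):
    """Return (client, host, status, result) for every request that Squid
    served (not TCP_DENIED) for a host outside the accelerated set."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["result"] == "TCP_DENIED":
            continue
        host = request_host(m["method"], m["url"])
        if host and host not in hosted:
            hits.append((m["client"], host, int(m["status"]), m["result"]))
    return hits

def by_client(hits):
    """Count foreign requests per client address."""
    return Counter(client for client, *_ in hits)

# Constructed sample log; only the first line is taken from the post.
# The third line mentions abc.com in its query string, so a substring
# filter such as `grep -v abc.com` would skip it; the host comparison does not.
SAMPLE = '''\
219.136.189.213 - - [08/Nov/2007:15:30:35 +0900] "GET http://www.baidu.com/ HTTP/1.0" 200 4082 "-" "-" TCP_REFRESH
192.0.2.10 - - [08/Nov/2007:15:31:02 +0900] "GET http://www.abc.com/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11)" TCP_HIT:NONE
198.51.100.7 - - [08/Nov/2007:15:31:40 +0900] "GET http://example.org/?ref=abc.com HTTP/1.0" 200 913 "-" "-" TCP_MISS:DIRECT
198.51.100.7 - - [08/Nov/2007:15:32:05 +0900] "CONNECT example.net:443 HTTP/1.0" 403 1503 "-" "-" TCP_DENIED:NONE
'''.splitlines()

if __name__ == "__main__":
    for hit in foreign_hits(SAMPLE):
        print(*hit)
```

Once the restricted `http_access` rules are loaded, `foreign_hits` over newly written log lines should come back empty; anything it still returns points at a rule that is not matching as intended.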