Howard Chen wrote:
Hi all,
I am not sure if anyone has thought about this before.
Consider a traditional setup for today's web applications:
User <==> Squid(s) <==> Apache(s) <==> MySQL / Memcached / NFS
Currently I have mod_security installed on every Apache to prevent
attacks such as SQL Injection, XSS etc.
Sure, as a web application firewall, you would need more features than
mod_security currently provides, e.g.
1. rate-limiting, e.g. limit your user from accessing register.cgi to
not more than 1 time per minute (against spam or application level
DoS)
2. Block user by IP, subnet
3. Block by request header, e.g. UA, cookie
Of course I am not going to ask to merge all these features into squid,
but I want to ask if it is feasible to develop all these features as an
external program, and squid will pass the needed info to a program
similar to a redirector (or maybe just using the redirector concept).
I am just not sure if it is suitable to perform all these actions at
squid layer.
Most of them are suitable and already available. We call them Access
Controls:
http://www.squid-cache.org/Versions/v2/2.7/cfgman/acl.html
http://www.squid-cache.org/Versions/v3/3.0/cfgman/acl.html
and they can be applied to permit or limit most of Squid operations,
Protocols, and components.
Amos
--
Please use Squid 2.7.STABLE2 or 3.0.STABLE6
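As an added example (not code from this thread, from Squid, or from mod_security), here is the kind of "external program" Howard describes, written as a Squid external ACL helper that enforces the register.cgi limit from his list (one request per client IP per minute). The squid.conf lines in the docstring, the helper path and the policy values are assumptions; Squid's external_acl_type interface itself (one lookup per line on stdin, "OK" or "ERR" per line on stdout) is what the helper implements.

```python
#!/usr/bin/env python3
"""Rate-limiting external ACL helper for Squid (added example, not Squid's own code).

Assumed squid.conf lines (paths and values are placeholders):
    external_acl_type ratelimit ttl=0 negative_ttl=0 children=1 %SRC %PATH /usr/local/bin/ratelimit_acl.py
    acl too_fast external ratelimit
    http_access deny too_fast
Squid writes one lookup per line ("<client-ip> <path>") to stdin and expects
"OK" (ACL matches, i.e. the client is over the limit) or "ERR" (no match).
"""
import sys
import time
from collections import defaultdict, deque

# Per-path policy: path -> (max requests, window in seconds). Constructed sample policy.
LIMITS = {"/register.cgi": (1, 60)}


class RateLimiter:
    """Sliding-window counter keyed by (client IP, path)."""

    def __init__(self, limits, clock=time.monotonic):
        self.limits = limits
        self.clock = clock  # injectable for testing
        self.hits = defaultdict(deque)  # (ip, path) -> timestamps of accepted requests

    def over_limit(self, ip, path):
        """Return True if this request exceeds the policy for path; otherwise record it."""
        policy = self.limits.get(path)
        if policy is None:
            return False  # path is not rate-limited
        max_hits, window = policy
        now = self.clock()
        q = self.hits[(ip, path)]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= window:
            q.popleft()
        if len(q) >= max_hits:
            return True
        q.append(now)
        return False


def handle_line(limiter, line):
    """Parse one Squid lookup line and return the reply Squid expects."""
    parts = line.split()
    if len(parts) < 2:
        # Malformed lookup: answer "no match" so a helper problem never locks users out;
        # it is logged on stderr, which Squid forwards to cache.log.
        sys.stderr.write("ratelimit: malformed lookup %r\n" % line)
        return "ERR"
    ip, path = parts[0], parts[1].split("?", 1)[0]  # ignore any query string
    return "OK" if limiter.over_limit(ip, path) else "ERR"


def main():
    limiter = RateLimiter(LIMITS)
    for line in sys.stdin:
        sys.stdout.write(handle_line(limiter, line) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply, so output must not be buffered


if __name__ == "__main__":
    main()
```

Two points matter for this to behave as a rate limiter rather than a plain allow/deny list: the ttl and negative_ttl options must be 0, because Squid otherwise caches the helper's answer per lookup key and would stop asking; and the helper keeps its counters in memory, so with more than one helper child each child sees only a share of the traffic, which is why the assumed configuration runs a single child.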