lists@xxxxxxxxxxxx wrote:
You definitely have a fully open proxy configured for anyone who can send
packets to it. Also the firewall itself intercepts and sends stuff into
the proxy.
Yes, I've not had much time to learn it yet, I just needed to get it running for a quick satellite demo so simply opened a port 80 hole in the firewall for traffic and created a basic config.
http_access allow accel_hosts
http_access allow manager localhost
http_access deny manager
http_access allow all
The line above permits anyone who can send a packet to your proxy to use
it as a relay for any purpose they like.
The restrictions above it are not denying anything except cache_mgr://
protocol. So there is no protection inside Squid.
The default config is safe if you set localnet to your internal IPs only:
I actually need to allow public connections since we don't know which machines are actually connecting for the testing.
http_access allow all
I kind of figured that this might be a hole but I was not able to find out what I should build as a config in time. I needed and need to have this working as part of a demo, then later will have time to get back to it and learn more about it.
What version of squid are you on?
What's the purpose of these? and what traffic are they catching?
http_port 80 transparent
http_port 443 transparent
It's version 2.6.
With the tiny amount of knowledge I gathered up, I put a config together which would allow public connections to a server on the network. The trial was showing off a website which was designed for satellite users so we used the proxy to speed things up a bit.
The port 80/443 variables, I thought, were meant to allow traffic to come in on those ports but transparently since the users are any public user.
Mike
Ah. Gotcha. You are wanting a reverse proxy.
http://wiki.squid-cache.org/SquidFaq/ReverseProxy
contains a usable config for accelerating a hidden web server securely.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
Current Beta Squid 3.1.0.2
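An added illustration (not code from this thread or from Squid itself) of the first-match http_access evaluation Amos describes: the quoted rule set ending in "allow all" is compared with the same rules ending in "deny all", over a few constructed requests. The ACL names follow the quoted config; the demo site name, addresses and ACL definitions are assumptions.

```python
import ipaddress

# Minimal model of Squid's http_access evaluation: rules are tried top to
# bottom, the first rule whose ACLs all match decides, and when no rule
# matches the default is the opposite of the last rule's action.
# Constructed example; ACL definitions are assumed, not taken from the thread.
ACLS = {
    "accel_hosts": ("dstdomain", {"www.demo.example"}),   # hypothetical hidden site
    "manager":     ("proto", {"cache_object"}),          # cache_mgr requests
    "localhost":   ("src", [ipaddress.ip_network("127.0.0.1/32")]),
    "all":         ("src", [ipaddress.ip_network("0.0.0.0/0")]),
}

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in net for net in values)
    if kind == "dstdomain":
        return req["host"] in values
    return req["proto"] in values  # proto

def http_access(rules, req):
    # Return "allow" or "deny" for req under an ordered http_access list.
    for action, acl_names in rules:
        if all(acl_matches(n, req) for n in acl_names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# The config quoted in the thread: ends in "allow all", so any request that
# the earlier lines do not decide is relayed.
OPEN_RULES = [("allow", ["accel_hosts"]), ("allow", ["manager", "localhost"]),
              ("deny", ["manager"]), ("allow", ["all"])]
# Same rules with the last line changed to "deny all": only the accelerated
# site and local cache_mgr access get through.
REVERSE_PROXY_RULES = OPEN_RULES[:-1] + [("deny", ["all"])]

# Constructed sample requests (203.0.113.0/24 is documentation address space).
REQUESTS = {
    "public_to_demo_site":  {"src": "203.0.113.9", "host": "www.demo.example", "proto": "http"},
    "public_relay_attempt": {"src": "203.0.113.9", "host": "mail.other.example", "proto": "http"},
    "local_cachemgr":       {"src": "127.0.0.1", "host": "localhost", "proto": "cache_object"},
}

def decisions(rules):
    return {name: http_access(rules, req) for name, req in REQUESTS.items()}

if __name__ == "__main__":
    for label, rules in (("open", OPEN_RULES), ("reverse-proxy", REVERSE_PROXY_RULES)):
        print(label, decisions(rules))
```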