
Re: allowing restricted sites via squid

sameer shinde wrote:
On Tue, Feb 17, 2009 at 1:50 AM, Chris Robertson <crobertson@xxxxxxx> wrote:

Very insecure, but...

Not really... That is because, although Google gives you a domain name saying mail.ourdomain.com, when you access the URL it gets redirected to mail.google.com/a/ourdomain.com. It does not permanently allow you to work on mail.ourdomain.com, whereas the general Gmail has a referral link as mail.google.com/mail. This is the key difference between the site addresses which one can block on. With this it does not become insecure, as only the domain-related websites will be accessible.


acl ourmail_referer referer_regex -i mail\.ourdomain\.com
acl gMail dstdomain .gmail.google.com
http_access allow gMail ourmail_referer

...would allow access to gmail.google.com if the referer header included the
string "mail.ourdomain.com".  Be aware, this http_access rule would allow
ANYONE who can access your cache to access mail.google.com by faking the
referer.

Here, as you've said, ANYONE can access mail.google.com, but there it will not be.

I'll demonstrate using Squid:

acl gMail dstdomain .mail.google.com
# Deny the referer header when the destination domain is "*.mail.google.com"
header_access Referer deny gMail
# Replace the denied referer with "mail.ourdomain.com"
header_replace Referer mail.ourdomain.com

Now if I set my Squid up to use yours as a parent. I surf through my proxy to a link to "mail.google.com". It doesn't matter where this link is hosted, as my proxy replaces the Referer header with "mail.ourdomain.com" and your proxy allows me through because it matched the "http_access allow gMail ourmail_referer" on your proxy.

My example squid install is not needed (I can just fake the header myself in a browser or a script), but it makes for an easy explanation of the principle.

Granted, I would have to know that your proxy allows access to mail.google.com with the correct referer, and I would need to know what that referer is, but this is just security by obscurity, which, while useful as a layer, is not very good alone.

A much better http_access line would be...

http_access allow our_networks gMail ourmail_referer

...before the http_access rule that blocks mail.google.com. That would still allow people inside your network to get to gmail just by faking the header, but at least they are (hopefully) less likely to abuse your proxy.


~~~~~~~~~~~~~~
Sameer Shinde.
M:- +91 98204 61580
Millions saw the apple fall, but Newton was the one who asked why.

Chris
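To make the difference between the two http_access lines in this thread concrete, here is an added example (not from the thread or from Squid itself) that models Squid's rule evaluation: a line matches only when every ACL on it matches, and the first matching line decides. The internal range 10.0.0.0/8 for our_networks and the sample requests are assumptions for the demonstration.

```python
import ipaddress
import re

# Simplified model of Squid ACLs and http_access evaluation (illustration only,
# not Squid's own code). ACL names and values mirror the thread's config;
# the our_networks range is an assumed placeholder.
ACLS = {
    "our_networks": ("src", ["10.0.0.0/8"]),
    "gMail": ("dstdomain", [".mail.google.com"]),
    "ourmail_referer": ("referer_regex", [re.compile(r"mail\.ourdomain\.com", re.I)]),
}

def acl_matches(name, req):
    """Evaluate one named ACL against a request dict (src, host, referer)."""
    kind, values = ACLS[name]
    if kind == "src":
        src = ipaddress.ip_address(req["src"])
        return any(src in ipaddress.ip_network(v) for v in values)
    if kind == "dstdomain":
        host = req["host"].lower()
        # A leading dot matches the domain itself and every subdomain.
        return any(host == v.lstrip(".") or host.endswith(v) for v in values)
    if kind == "referer_regex":
        return any(v.search(req.get("referer", "")) for v in values)
    raise ValueError(f"unsupported acl type {kind}")

def http_access(rules, req):
    """First http_access line whose ACLs all match wins; if none match,
    Squid applies the opposite of the last line's action."""
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

# Referer-only allow, followed by the line that blocks Gmail.
REFERER_ONLY = [("allow", ["gMail", "ourmail_referer"]),
                ("deny", ["gMail"])]
# Chris's suggestion: also require the request to come from our_networks.
WITH_NETWORK = [("allow", ["our_networks", "gMail", "ourmail_referer"]),
                ("deny", ["gMail"])]

# Constructed sample requests: an outside client sending the expected
# referer string, and an inside client with a plain Gmail referer.
OUTSIDE_SPOOFED = {"src": "203.0.113.5", "host": "mail.google.com",
                   "referer": "http://mail.ourdomain.com/"}
INSIDE_GOOGLE = {"src": "10.1.2.3", "host": "mail.google.com",
                 "referer": "http://mail.google.com/mail"}
```

Running both rule sets over the constructed requests shows that the referer-only line admits the outside client while the our_networks variant does not, and that a plain Gmail referer is denied by both.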

