On 18/12/10 04:35, Jason Greene wrote:
On Thu, Dec 16, 2010 at 7:41 PM, Amos Jeffries<squid3@xxxxxxxxxxxxx> wrote:
On 17/12/10 10:38, Jason Greene wrote:
I m trying to close a security hole
I want to use maxconn on ALL IPs
acl limitusercon maxconn 3
http_access deny all limitusercon
Testing the "all" there is not useful. That should be just:
http_access deny limitusercon
... making sure its placed at the top of your access controls so nothing
doing an allow can bypass it. Right after the "deny CONNECT !SSL_Ports"
should do.
Thanks, I'll try this out.
But it doesn't seem to work and the hole still appears on a scan.
What hole?
HTTP Proxy CONNECT Loop DoS
If that is what I think it is you are missing the default "deny CONNECT
!SSL_Ports" or have opened SSL_Ports too wide.
Due to:
- the proxy listening ports are not SSL/CONNECT safe ports.
- port 443 listening is reverse-proxy territory + reverse proxy must
not accept CONNECT requests (older squid releases allowed it wrongly).
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.9
Beta testers wanted for 3.2.0.3
