Re: maxconn

On 18/12/10 04:35, Jason Greene wrote:
> On Thu, Dec 16, 2010 at 7:41 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>> On 17/12/10 10:38, Jason Greene wrote:
>>>
>>> I'm trying to close a security hole.
>>>
>>> I want to use maxconn on ALL IPs
>>>
>>> acl limitusercon maxconn 3
>>> http_access deny all limitusercon
>>
>> Testing the "all" there is not useful. That should be just:
>>
>>   http_access deny limitusercon
>>
>> ... making sure it's placed at the top of your access controls so nothing
>> doing an allow can bypass it. Right after the "deny CONNECT !SSL_Ports"
>> should do.
>
> Thanks, I'll try this out.
>
>>> But it doesn't seem to work and the hole still appears on a scan.
>>
>> What hole?
>
> HTTP Proxy CONNECT Loop DoS

If that is what I think it is, you are missing the default "deny CONNECT !SSL_Ports" or have opened SSL_Ports too wide.
Due to:
 - the proxy listening ports are not SSL/CONNECT safe ports.
 - port 443 listening is reverse-proxy territory + reverse proxy must not accept CONNECT requests (older squid releases allowed it wrongly).

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.9
  Beta testers wanted for 3.2.0.3
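As an added illustration (not part of the thread above), here is a squid.conf access-control fragment laid out in the order Amos describes: the CONNECT restriction first, the maxconn limit right after it, and only then any allow rule. The client network range and the Safe_ports list are assumptions.

```conf
# Added example, not from the original thread. Port lists and the
# client network are placeholders; adjust to your own deployment.

acl SSL_Ports port 443                      # only destination CONNECT may reach
acl Safe_ports port 80 443 21 70 210 1025-65535
acl CONNECT method CONNECT
acl localnet src 192.0.2.0/24               # placeholder client network
acl limitusercon maxconn 3                  # per-client-IP concurrent limit
                                            # (needs client_db on, the default)

# 1. Refuse anything outside the allowed destination ports.
http_access deny !Safe_ports

# 2. Refuse CONNECT to anything except SSL_Ports. The proxy's own
#    listening port (3128 by default) is NOT in SSL_Ports, so a CONNECT
#    aimed back at the proxy is denied here before it can loop.
http_access deny CONNECT !SSL_Ports

# 3. The maxconn check goes next, before any allow, so no later allow
#    rule can bypass it. No "all" needed: the ACL is the whole condition.
http_access deny limitusercon

# 4. Only now grant access to your clients.
http_access allow localnet
http_access deny all
```

The common mistake the thread points at is either dropping rule 2 or widening SSL_Ports to include the proxy's own listening port; either lets a CONNECT to the proxy itself pass and the maxconn rule alone will not stop it.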

