On Wed, 18 May 2011 01:24:39 +0200, Cedric Lor wrote:
> Hi
> I'm running squid Version 2.7.STABLE9 on a FreeBSD.
> I have only one external IP. I'm trying to set up squid so that it
> would be running on a single port in accel mode and in forward proxy
> mode.
This is *highly* unsafe. It opens your network to poisoning attacks as
outlined in CVE-2009-0801.
Use two http_ports. One for forward and one for reverse traffic.
> The idea is to be able to access other services via the Connect
> method on the server, for instance ssh, in order to carry out
> maintenance work on the server as necessary while serving, on a
> backend server on the loopback. I use proxytunnel on a client machine
> to send the Connect method and establish a tunnel through Squid to the
> local interface.
> When I configure Squid in pure forward proxy, Squid connecting to port
> 22 works seamlessly.
> However, when I configure Squid to combine reverse and forward, my
> client gets the following answer upon connection with Squid: HTTP
> return code: 400 Bad Request
CONNECT is an illegal method in reverse-proxy traffic. The URL provided is
incomplete and cannot be used by a reverse-proxy to reconstruct an HTTP
request. This is particularly bad when the protocol inside CONNECT is
not HTTP anyway.
> I've done this in the past with an Apache server (ProxyRequest On
> together with a ProxyPass command) so I'm pretty sure Squid should
> let me do it. But I could not find any configuration example, whether on
> Squid's site or on the internet.
mod_proxy operates like a Squid URL re-writer. All the same behaviour
and problems.
<snip>
> - Squid:
> ---------------------------------------------------------
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.1/32
Change:
acl to_localhost dst 127.0.0.1/32 0.0.0.0/0
> acl to_all dst all
> acl SSL_ports port 80 22
> acl Safe_ports port 80 # http
> acl Safe_ports port 22 # ssh
> acl CONNECT method CONNECT
> ---------------------------------------------------------
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow to_localhost Safe_ports
to_localhost is customized to prevent malicious DNS entries allowing
attacks to bypass security.
The intended use is:
http_access deny to_localhost
Since you seem not to want that, remove it completely.
> http_access allow localhost
Change that:
http_access allow localhost CONNECT
> ################################
NOTE: highlighted comment #1 in the documentation is...
* This configuration MUST appear at the top of squid.conf above any
other forward-proxy configuration ...
Do that.
> acl our_sites dstdomain www.mysite.com
> http_access allow our_sites
> cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
> cache_peer_access myAccel allow our_sites
> ################################
> http_access deny all !to_localhost
Change:
http_access deny all
> ---------------------------------------------------------
> icp_access allow localnet
> icp_access deny all
> ---------------------------------------------------------
> http_port X.X.X.X:80 accel defaultsite=www.mysite.com
Amos
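The following is an added example, not a configuration posted by Cedric or Amos, showing the two-http_port layout Amos recommends for Squid 2.7: the reverse-proxy section first, bound to its own port, and the forward-proxy rules on a second port restricted so that only CONNECT to the local ssh service is accepted. X.X.X.X and www.mysite.com are taken from the original post; port 3128 and the admin network 203.0.113.0/24 (TEST-NET-3) are placeholders. The `myport` acl type is used to tie each http_access rule to the port the request arrived on, so reverse and forward traffic never share an access rule.

```conf
# Added example (not from the thread): Squid 2.7 with reverse and forward
# traffic split across two http_ports, per CVE-2009-0801 guidance.
# Placeholders: port 3128 (forward port), 203.0.113.0/24 (admin hosts).

acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl CONNECT method CONNECT

# One listening port per role: never combine accel and forward on one port.
http_port X.X.X.X:80 accel defaultsite=www.mysite.com
http_port X.X.X.X:3128

acl accel_port myport 80            # requests that arrived on the reverse-proxy port
acl fwd_port myport 3128            # requests that arrived on the forward-proxy port
acl admin_net src 203.0.113.0/24    # placeholder: hosts allowed to use the forward port
acl ssh_port port 22
acl our_sites dstdomain www.mysite.com

http_access allow manager localhost
http_access deny manager

# --- reverse-proxy section: MUST precede any forward-proxy rule ---
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
never_direct allow our_sites        # always route our_sites through the origin peer
http_access allow accel_port our_sites
http_access deny accel_port         # anything else on port 80, CONNECT included, is refused

# --- forward-proxy section: admin hosts only, CONNECT only, local ssh only ---
http_access allow fwd_port admin_net CONNECT to_localhost ssh_port
http_access deny all
```

With this layout a CONNECT sent to port 80 is denied by the `deny accel_port` rule before any forward-proxy logic runs, and a plain GET for an arbitrary site on port 3128 falls through to `deny all`, so neither port can be used to reach the other role's destinations.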