On 17/02/2012 6:10 p.m., Roman Gelfand wrote:
Consider the following configuration...
acl host1 dst host1.dom.com
On 17.02.12 19:26, Amos Jeffries wrote:
"dst" is not a good idea. Any phisher attacker who wants to make
their website resolve to your servers internal IP can do so and
connect through this proxy to it.
but the phishing site must still run on the destination site, am I
right?
"dstdomain" is the recomended ACL type. That way the domain is
accepted or denied. The client can only reach Squid by resolving the
domain IP as this Squid box, so no security worries there. It also
lets you scale out the backend with any number of servers or peers,
and swap them about without involving DNS alterations (think TTL lag
on every change).
By using dstdomain you can allow (reverse) proxying to one website (or
more within the same domain). By using dst you can (reverze) proxy
more sites on the same host/network.
I think that using "dst" here is not the issue if we are talking about
reverse proxy.
Is there any situation I have missed?
--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.
