On 5/09/2013 5:15 p.m., PSA4444 wrote:
> Hi Amos,
> We did not get a solution to this yet.
> The work around has been to disable http (port 80) and only run https (port
> 443) with a firewall in front of the proxy server. This blocked out 100% of
> these requests for now but I will need to re-enable it later.
> How can I disable this open-proxy relaying?
> Config:
> ###
> visible_hostname domain.com
> https_port 443 accel cert=/usr/newrprgate/CertAuth/cert.cert
> key=/usr/newrprgate/CertAuth/key.pem vhost defaultsite=www.domain.com
> sslproxy_flags DONT_VERIFY_PEER
NOTE:
This flag is supported so that forward-proxy and interception proxy
administrators can avoid having to register unlimited numbers of
volatile self-signed CA for all the Internet websites their users encounter.
There should be no reason for it to be used in accelerator proxies -
even with the backend server certificate(s) self-signed. The proxy just
needs to be configured with the CA certificate(s) necessary to validate
the upstream server. Since this is an accelerator proxy the backends
should be a well-defined set with the CA they require easily managed and
configured.
The same thing goes for the sslflags=DONT_VERIFY_PEER on cache_peer
lines. I have yet to see any reason beyond laziness for that cache_peer
flag to be used since this is always a specific peer server with easily
knowable CA. Doing SSL validation to the peers will help detect and
prevent unexpected internal machines from being able to hijack the
traffic; with auto-configuration on the network that is an important
protection.
> forwarded_for on
> #Cache Peer 1
> cache_peer one.domain.com parent 443 0 no-query originserver ssl
> sslversion=3 connect-timeout=8 connect-fail-limit=2
> sslflags=DONT_VERIFY_PEER front-end-https=on name=one login=PASSTHRU
> acl sites_one dstdomain one.domain.com
> cache_peer_access one allow sites_one
> acl http proto http
> acl https proto https
> #Cache Peer 2
> cache_peer two.domain.com parent 443 0 no-query originserver ssl
> sslversion=3 connect-timeout=8 connect-fail-limit=2
> sslflags=DONT_VERIFY_PEER front-end-https=on name=two login=PASSTHRU
> acl sites_two dstdomain two.domain.com
> cache_peer_access two allow sites_two
> acl http proto http
> acl https proto https
Since you already have sites_one and sites_two configured for the
cache_peer_access directives, they should be re-used in http_access
allow lines to permit only the accelerated sites to be requested through
the proxy.
Like so:
http_access allow sites_one
http_access allow sites_two
http_access deny all
This resolves the open-proxy part and also enables Squid to handle a
higher traffic load when DoS'ed with garbage-domain requests.
> http_access allow all
> header_replace Vary Accept-Encoding
> request_header_access All allow all
You do not seem to have any header 'deny' rule for header_replace to
work from - so it will do nothing.
"request_header_access All allow all" is the default. You can avoid CPU
cycles processing requests through the header mangling component by
removing these completely from the config.
Amos
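As an added example (not part of the thread, and not Amos's or the poster's configuration), here is the accelerator config above rewritten along the lines the reply describes: DONT_VERIFY_PEER removed on both https_port and the cache_peer lines, the backend CA supplied instead, the sites_one/sites_two ACLs re-used in http_access, and the no-op header directives dropped. The CA bundle path (backend-ca.pem) is an assumption, as is the choice to drop sslversion=3 (which in Squid 3.x pins the peer connection to SSLv3 only) in favour of the default negotiation; the option names are Squid 3.x syntax.

```squid
# Added example: accelerator config hardened as described in the reply.
# Paths and the backend-ca.pem file name are assumptions for illustration.

visible_hostname domain.com

# Accelerator listener. Only the proxy's own certificate and key belong here;
# "sslproxy_flags DONT_VERIFY_PEER" has been removed entirely.
https_port 443 accel cert=/usr/newrprgate/CertAuth/cert.cert key=/usr/newrprgate/CertAuth/key.pem vhost defaultsite=www.domain.com

forwarded_for on

# Origin servers. sslflags=DONT_VERIFY_PEER is replaced by sslcafile=, which
# points at the CA that issued the backend certificates (assumed path), so a
# stray internal machine answering for one.domain.com is rejected rather
# than silently accepted. sslversion=3 (SSLv3 only) is dropped so Squid
# negotiates the protocol version itself.
cache_peer one.domain.com parent 443 0 no-query originserver ssl sslcafile=/usr/newrprgate/CertAuth/backend-ca.pem connect-timeout=8 connect-fail-limit=2 front-end-https=on name=one login=PASSTHRU
cache_peer two.domain.com parent 443 0 no-query originserver ssl sslcafile=/usr/newrprgate/CertAuth/backend-ca.pem connect-timeout=8 connect-fail-limit=2 front-end-https=on name=two login=PASSTHRU

# The accelerated sites, defined once and used for both peer selection and
# the access check. In vhost accel mode dstdomain matches the Host header
# the client sent, which is exactly what an open-relay probe controls.
acl sites_one dstdomain one.domain.com
acl sites_two dstdomain two.domain.com

cache_peer_access one allow sites_one
cache_peer_access one deny all
cache_peer_access two allow sites_two
cache_peer_access two deny all

# http_access is first-match: permit only the accelerated sites, then deny
# everything else. The original "http_access allow all" is what made the
# box an open relay, and "deny all" must stay last or it shadows the allows.
http_access allow sites_one
http_access allow sites_two
http_access deny all

# "header_replace Vary Accept-Encoding" and "request_header_access All allow all"
# are gone: the former had no deny rule to act on, the latter is the default.
```

After editing, `squid -k parse` checks the file for syntax errors before a reload. To confirm the relay is closed, send a request to the proxy with a Host header for a domain that is not one of the accelerated sites; with the rules above Squid answers it with its own 403 access-denied page instead of forwarding it to a backend.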