Search squid archive

Re: Squid: End-of-life for each release.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hey Jakub,

About the advisory stuff you were talking about:
A proxy server will always be on the fragile edge between a vulnerability to work without any flows. It's like a car that is "touching" the ground using the "wheels" and this is how it is, kind of basic not too smart physics.

If you have a system which is "well-behaved" or client that understand their doings.. it will be simpler to avoid any critical issues with the proxy regardless any advisory.

It's the same thing for the applications in both sides of the proxy.
This is what I also pointed at bug #7.
Summary of the above:
Changing response headers on a server big enough is probably a very bad choice as a daily task. A change in this magnitude of the server operation *mode* should be planned to make sure what the change will be and what effect it would have on any of the related systems. Once you can try to assume the effect on the main parts of the path (while not being exact science) the next step can be tested. Squid by default do not support objects to be "changed" since a cache suppose to replace a response when needed. For now cache avg object is 32KB which can be revalidated more frequently in various point on the path of the request. If we do intend to build a cache with support for more then one year(365 days) maximum storage time I assume that squid will need more redesign then people can even think. For now the system design should consider the issues while trying to find a way that will allow a real world scenario of "switching headers structure" inside the file.

I can think about a way if utilizing Rock cache_dir structure to "store" objects in a way that can separate the actual content of the response from all the other parts of the request information. For example: "GET /file.tar HTTP/1.1\nHost: large.db.cern.gov\n\n" is never stored in this form since it is being stored in a more compact way that do allow revalidation. So we have the first TLV part of the UFS store file\object which is then dumped (in UFS) into one file in a binary form with strict structure. If for example the Rock cache_dir uses(don't assume yet it is right to do) a set of data sets which are connected with a reference from each part to the next one ie: request Store-ID + timestamps + couple others + the response object itself.. Then simple writing of the "top" structure in another part of the DB and then referencing a new set of response structure(the TLVs at the requests) or identification to another data set which contains the object it will be simple enough without the overhead of playing with any of the more complex parts of code inside squid. Adding this can add a very bad thing that can just burn a lot of hardware before their full utilization which I do not like.

A change in headers like this should be done Once and only Once per a very long time by design and should not by default (for now) be supported by squid due to the complexity of the issue.

It still doesn't apply that it cannot be done by squid project but leaving it the option to consider avoiding any future vulnerabilities.

If I would look at the idea in a basic\flat FS level objects I would try to do something like that: One file at some very deep directory that contains the response *only* while naming the file with the basic URL. Another file that will contain all the data from the cache proxy point of view and which contains the critical information on the request\response while allowing simple overwriting it. Inside the second file(cache data) I will refer to a specific file outside of this file which can be a file with "link" structure or just to be a simple symlink to the object response.

It is not the smartest idea ever from the FS point of view but it will add an option to utilize the kernel FS cache in another level then it is now. It will consume lots(did I say lots) of Inodes and other resources at runtime.

The main issue is that a not to deep research should be done on whether the cost of "removing" a full object and recreating it will cost more(money,I\O,DISKS,others which I do not think about, etc..) then caching it and changing only the basic one or two files of the object.
An example for a request storage:
file1: /some/far/dir/at/the/end/of/the/world/ID_of_cached_resouce.res
file2: /some/other/dir/with/lots/of/files/URL.meta
file3: /some/other/dir/with/lots/of/files/URL_sym_link_to_ID_of_cached_resouce.lnk

Note that the above is a very dirty sketch which has no accuracy of structure and just demonstrate couple ideas.

While for now it might seems weird but as a cache proxy of a Linux distributions with lots of 4GB ISO files(4 per each distro or even more) and line speed of 100Mbps as upstream it might be worth to waste couple more then even KB+CPU_CYCLES+other(lost it)+INODES to just allow these files to be cached on a larger machine\system with 10Gbps X 4 ++ upstream and lots of RAM or even SSD.

So separating the object\resource from the metadata that squid uses can help reduce the number of "writes" to disk which effects deeply on the disk and the whole system life cycle.

All the Bests,
Eliezer

On 06/12/13 00:17, Amos Jeffries wrote:

 I support a
distribution of squid2.7 for a few hundred universities & research labs
https://twiki.cern.ch/twiki/bin/view/Frontier/InstallSquid
I have been assuming that if a security problem were ever found with
2.7, there would still be a security advisory, and it would be announced
on this mailing list so I could distribute a patch.  Do you think that
is a reasonable assumption?  I also assume the security advisory would
say the only official thing to do is to upgrade to squid3, which is fine
as long as I could still patch 2.7.

Well I hesitate to say anything on this as it is hard to know. Squid-2.7
is benefiting from both its long history of stable use (low level of
vulnerabilities existing) and from being outdated (nasties have less
incentive to seek vulnerabilities).

I'm not even testing recent vulnerabilities against 2.x myself any more
beyond a quick manual check to see if the 2.x and 3.x code is similar in
the particular area (SQUID-2012:1, SQUID-2011:3).

Most of the recent vulnerabilities have been in code which was changed
between the versions and somebody got something wrong (SQUID-2013:1,
SQUID-2013:3) or uncovered a code path protecting against some hidden
issue elsewhere (SQUID-2013:2). A few are long standing design
vulnerabilities which we finally re-designed squid-3.x in a way that
allowed fixing it - so squid-2 will definitely never be fixed
(SQUID-2011:1, SQUID-2011:2).

Amos





[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux