Re: Squid accelerator for many web servers

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sat, 07 Jun 1997 03:32:32 +0200

When setting accel_uses_host_header on, you effectively (in security
measurements) turn Squid into a proxy, which anyone can use as a
jumpgate to any adress/port. This is very bad if squid is running on a
firewall (or firewallish situation).

To make ir secure, you have to add ACL checks to only allow connections
to the accelerated servers (and ports).

---
Henrik Nordström
Canessa Enrique wrote:
> In the Squid Conf file is written:
> 
> "However, Squid does NOT check the value of the Host header, so it opens
> a big security hole".
> 
> Can you give me examples of "Host headers" that might break the system.
> (If the Squid machine also also runs one of the Web servers
> then for a header pointing to that machine, the call should be OK).
Received on Fri Jun 06 1997 - 18:57:05 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:35:29 MST