[squid-users] squid "internal?" loop - with no firewall nat going on..?

Amos Jeffries squid3 at treenet.co.nz
Thu Mar 12 13:27:35 UTC 2015

On 13/03/2015 1:52 a.m., Klavs Klavsen wrote:
> I'd rather not have to route everything (incl. normal ingoing web
> traffic) through the squid box.. and the firewalls are proprietary stuff
> - so can't install squid there :)

You don't, port 80 TCP is all that *needs* it, and only for the traffic
from clients you want to go through Squid.

If you are passing outgoing web traffic through Squid the responses
(incoming) have to come back through it.

If you have external stuff making requests to internal servers, that can
be left alone in the same way Squid's outgoing traffic is.

Are we talking more or less than 100Mbps of port 80 traffic here?

> It works fine in accel mode.. and I can limit what urls each client ip
> is able to access, and disable caching..
> Shouldn't accel mode, for this use case (curl access from websites - all
> using http/1.1 with host header) be good enough - or are there security
> issues I am not aware of?

You guessed it. CVE-2009-0801 - the Host header is not trustworthy.
accel/reverse-proxy mode has no protection at all since the upstream
servers are expected to be explicitly configured or the allowed domains
restricted to those hosted by the CDN the proxy is part of.

... and the Host header is not always present, though that case has
declined a lot in the past few years.

> I realize I move the DNS lookup to the squid box - but that's actually
> what I want in this case.

Actually you will need two DNS lookups to be happening if you use accel.
Only the intercept mode with NAT lookups has the ability to avoid the second
one by using ORIGINAL_DST.

accel mode normally avoids the second DNS lookup by having the upstream
servers explicitly configured. You don't want to do that manually for
every Internet server in existence so forcing a DNS lookup with
"always_direct allow all" is required.

Routing's your friend, really :-)
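
An added example, not part of the original post and not Squid's code: a sketch of why the Host header needs checking on intercepted traffic, comparing the client-supplied Host value with the destination IP the client actually connected to (what ORIGINAL_DST provides). The DNS table, the function names and the forward/no-cache policy are assumptions made for the illustration.

```python
import ipaddress

# Constructed DNS data for the example (documentation address ranges).
SAMPLE_DNS = {
    "www.example.com": {"192.0.2.10", "192.0.2.11"},
    "intranet.example.net": {"198.51.100.7"},
}

def parse_host(host_header):
    """Return the lower-cased host from a Host header value, or None if absent."""
    if not host_header or not host_header.strip():
        return None
    value = host_header.strip().lower()
    if value.startswith("["):                      # IPv6 literal: [addr]:port
        return value[1:value.find("]")] if "]" in value else None
    host = value.rsplit(":", 1)[0] if ":" in value else value
    return host.rstrip(".") or None                # drop trailing root dot

def verify_host(host_header, original_dst, resolve=SAMPLE_DNS.get):
    """Classify an intercepted request as (verdict, forward_to, cacheable).

    The request is always forwarded to the IP the client really dialled;
    only a Host value that maps to that IP is trusted as a cache key.
    """
    dst = str(ipaddress.ip_address(original_dst))
    host = parse_host(host_header)
    if host is None:                               # Host is not always present
        return ("no-host", dst, False)
    try:
        claimed = {str(ipaddress.ip_address(host))}    # Host is an IP literal
    except ValueError:
        claimed = {str(ipaddress.ip_address(a)) for a in (resolve(host) or ())}
    if dst in claimed:
        return ("verified", dst, True)
    # Host names a site the client did not connect to: do not route or
    # cache on the header's say-so.
    return ("mismatch", dst, False)

if __name__ == "__main__":
    for hdr in ("www.example.com", "intranet.example.net:80", None):
        print(repr(hdr), verify_host(hdr, "192.0.2.10"))
```

In accel mode there is no original destination to compare against, which is why the reply points to explicitly configured upstream servers or a restricted domain list instead.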

