[squid-users] How to avoid Squid disclosing the origin server IP when there is an error

Eliezer Croitoru eliezer at ngtech.co.il
Sun Sep 27 11:20:26 UTC 2015


Hey Xen,

I am not really a proxy expert and I am not really such a great security 
guy, but both you and Amos are right.
There are cases in which revealing an internal IP address is bad 
practice. There are also other ways to identify the internal host that 
causes issues.
In the specific case of 127.0.0.1 it really doesn't help a thing in most 
cases.
Leaving aside horror stories from reality, you might know much (as you 
declared) about proxies, and I must invite you to the squid world of proxies.
It's a great place to learn about HTTP and many other things in general.
The squid-users list is not a busy one but it is a great one.
Take your time and ask or discuss; this is the place for that.

There are sensitive systems that actually hide themselves behind a 
proxy, since one of the names of an HTTP proxy is "application layer 
firewall".
It is a common usage of squid and other proxies.
Do yourself a favor and leave books and movies on the desk for a second. 
Please do that.
I am not sure if you have ever seen a room of jumpy IT managers who jump 
because of some new bug, but I have seen it a couple of times, and it's 
amazing what they jump at.
If you take some vulnerabilities and actually try to understand what and 
how they do what they do, you understand why some of them are not a real 
threat.
Just back to the specific 127.0.0.1: it's really nothing. It's like 
saying "I am a human, I have a head".
If you feel like it's something you don't want to give up on, feel free 
to change the ERROR page; it is a common practice to replace them or use 
custom ones.
If that is what makes you sleep at night, then so be it.
Leaving the 127.0.0.1 case aside, banks do tend not to disclose internal 
IP addresses, and it's common sense, if you have the right tools, to give 
the user a nice and well-formatted message that was audited by a 
security team.
Is it security? Definitely maybe!

Just a sentence about the Internet: it's a nice and lovely place with 
lots of roses, wild animals and humans, but squid is there to help all 
those who actually need an HTTP application-level firewall system.
So please leave jumpy IT managers and horror stories aside so you would 
just have enough memory and space for the reality.
And I have a scene just for you to have some laugh time:
https://www.youtube.com/watch?v=FW2Q0W2V4q0

The above video is a demonstration of what fiction does when a jumpy IT 
manager meets a security salesman.

All The Bests,
Eliezer

On 27/09/2015 12:46, Xen wrote:
> Again, impressed by your knowledge. But I'm not really arguing against
> your knowledge. It is basically a principle choice to /call/ one thing
> security and the other privacy based on the impression or experience
> that the one thing provides actual defenses or benefits in certain
> common scenarios and the other doesn't. Perhaps that is pertinent to
> software security, but in that case it is a very specific field and you
> are going to define "security" in a very constrained way.
>
> Basically, it is then more of a normative statement "what do me and my
> buddies consider good enough" rather than a statement of definition.
>
> You are basically arguing that in (all) real world scenarios (of
> software/web/server security) the obscurity thing tends to converge on
> irrelevance. But even if that is true, it is still not a defining
> characteristic, so to speak.
<SNIP>
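As an added example that is not part of this thread or of the Squid project: a small POSIX shell audit that finds Squid error-page templates containing the %I macro (which Squid expands to the origin server's IP address on rendered error pages) and writes sanitized copies to a directory that the error_directory directive can point at. The template text, the temporary directories and the /etc/squid/errors/custom path are constructed placeholders, not real Squid files.

```shell
#!/bin/sh
# Added example (not from the thread): audit Squid error templates for the
# %I macro (origin server IP) and produce copies that no longer disclose it.
# Assumption: squid.conf is then pointed at the sanitized copies with
#   error_directory /etc/squid/errors/custom      (placeholder path)

# Print the template files in $1 that would disclose the origin IP.
find_ip_disclosing_templates() {
    grep -l -- '%I' "$1"/ERR_* 2>/dev/null || true
}

# Copy every template from $1 to $2, replacing %I with a neutral phrase
# so the rendered page keeps its meaning without the origin address.
sanitize_templates() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    for f in "$src"/ERR_*; do
        [ -f "$f" ] || continue
        sed 's/%I/the origin server/g' "$f" > "$dst/$(basename "$f")"
    done
}

# Demo on constructed templates (not Squid's real files) in a temp dir:
# prints the disclosing template names, then the sanitized connect-fail page.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/orig"
    cat > "$tmp/orig/ERR_CONNECT_FAIL" <<'EOF'
<p>The following error was encountered while trying to retrieve the URL: %U</p>
<p><b>Connection to %I failed.</b></p>
<p>The system returned: <i>%E</i></p>
EOF
    cat > "$tmp/orig/ERR_ACCESS_DENIED" <<'EOF'
<p>Access control configuration prevents your request from being allowed.</p>
EOF
    find_ip_disclosing_templates "$tmp/orig"
    sanitize_templates "$tmp/orig" "$tmp/custom"
    cat "$tmp/custom/ERR_CONNECT_FAIL"
    rm -rf "$tmp"
}
```

Run `demo` to see which constructed template leaks %I and what the sanitized copy looks like; on a real installation point the functions at Squid's installed error template directory and review the diff before switching error_directory.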


More information about the squid-users mailing list