[squid-users] Squid as reverse proxy for two or more webs

Amos Jeffries squid3 at treenet.co.nz
Sun Aug 12 18:20:12 UTC 2018


On 12/08/18 01:35, Antony Stone wrote:
> On Saturday 11 August 2018 at 15:26:40, Amos Jeffries wrote:
> 
>> On 11/08/18 09:43, Antony Stone wrote:
>>> On Friday 10 August 2018 at 20:13:06, erdosain9 wrote:
>>>> Thanks to all!!
>>>> Now it is working fine.
>>>>
>>>> Just one question to know... I make this accessible from the
>>>> internet... so I create some acl 0.0.0.0/0 and it's working.
>>
>> That is almost but deceptively not quite the same as "allow all".
> 
> Nice description :)
> 
>>>> But.. is this a security issue??? Or is it ok to declare that ACL?
>>>
>>> If you want everyone / anyone on the Internet to be able to get to your
>>> servers, that is the obvious (and correct) ACL to use.
>>
>> No, sorry. It is not.
>>
>> The correct config is to use:
>>
>>  http_access allow foo
>>
>> Where "foo" is the same ACLs you use on cache_peer_access to determine
>> which traffic goes to the peers.
>>
>> That way Squid is able to block random other domains that virus scans
>> etc try to use to detect open proxies.
> 
> Hm, I had thought that since this Squid was only configured to be a reverse 
> proxy for the two servers under discussion, allowing access from anywhere 
> would still only offer those two destinations?
> 
> It wouldn't offer forward-proxy services with that configuration, surely?

That is an implicit default, yes. But can be altered by several common
setups. We don't know what erdosain9's full config is (or will become),
so do not know if one of those cases is happening (or will happen later).

It is generally better to go with this explicit allow/deny than relying
on the implicit behaviour. One can always move to the implicit later if
it's needed for performance - but backtracking may surprise users if they
were relying on the broken bits being broken.

Amos
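The configuration Amos describes, written out as an added example (this is not from the thread or from the Squid project; the hostnames www.example.com / app.example.com and the origin addresses 10.0.0.11 / 10.0.0.12 are made up for illustration). The point is that the http_access rules reuse exactly the same dstdomain ACLs that drive cache_peer_access, so a request for any other Host (the kind an open-proxy scanner sends) is denied outright instead of depending on the implicit "no peer matched" behaviour:

```conf
# Reverse-proxy (accelerator) listener; vhost makes Squid route on the Host header.
http_port 80 accel defaultsite=www.example.com vhost

# The two origin servers behind Squid (constructed addresses).
cache_peer 10.0.0.11 parent 80 0 no-query originserver name=origin_www
cache_peer 10.0.0.12 parent 80 0 no-query originserver name=origin_app

# One ACL per published hostname. These are the "foo" ACLs: they are used
# both to pick the peer and to decide whether the client may be served at all.
acl site_www dstdomain www.example.com
acl site_app dstdomain app.example.com

# Send each hostname only to its own origin.
cache_peer_access origin_www allow site_www
cache_peer_access origin_www deny all
cache_peer_access origin_app allow site_app
cache_peer_access origin_app deny all

# Weak form from the original question: every client may ask for any Host.
# Whether a request for some third-party domain is refused then depends on
# implicit behaviour elsewhere in the config, not on an explicit rule.
#   acl everyone src 0.0.0.0/0
#   http_access allow everyone

# Explicit form: clients from anywhere may reach the two published sites,
# and nothing else. The deny-all line is what blocks open-proxy probing.
http_access allow site_www
http_access allow site_app
http_access deny all

# A reverse proxy should never fetch from the Internet on its own.
never_direct allow all
```

With this in place a probe such as "GET http://some-other-host/ HTTP/1.1" (or a request carrying a Host header for a domain that is not in the ACLs) gets a 403 from http_access before any peer selection happens, which is the check to run after deploying: send a request for a hostname you do not publish and confirm it is refused.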
