[squid-users] Squid as reverse proxy and image theft protection

thane at SDF.ORG thane at SDF.ORG
Thu Jan 22 09:25:53 UTC 2015


Dear Jeffries,

I thank you for your answer. Is it possible, in your opinion, to also
manage a cookie with an expiration time? Because, if I understood
correctly, your suggestion works great until a user shares the cookie
with some attacker. The attacker could reuse this cookie to freely
download the images from the site. Right?

Thanks and best regards,
Guido.

> On 22/01/2015 6:11 a.m., thane at SDF.ORG wrote:
>> Dear all,
>>
>> we configured Squid 3.4.9 as a Reverse Proxy/Accelerator for
>> some virtual machines located geographically in different countries,
>> integrating it with a Geo DNS solution to route the various user
>> requests to the Squid Reverse Proxy nearest to them. These virtual
>> machines host a J2EE Web Portal.
>>
>> This Reverse Proxy provides the users with a huge amount of images
>> and greatly reduces the download time for those countries far from
>> the primary data center (see China, India, etc.). These images are
>> at the moment freely accessible without authentication.
>>
>> The portal behind Squid uses a custom authentication form where the
>> user inserts his "Username" and "Password" in an HTTP form, and these
>> credentials are routed to a J2EE Servlet (through an HTTP POST)
>> that performs various authentication checks and releases a cookie to
>> grant the session to the other dynamic contents.
>>
>> We would like to understand if there are possible solutions to
>> protect the images on the Squid Reverse Proxy and make them
>> available only after the user is authenticated.
>
> An external_acl_type helper that checks the Cookie header contents
> against the backend auth system and informs Squid about OK/ERR will do
> that for you.
>
>
>>
>> Another possible workaround is to perform some random scrambling of
>> the image URLs while continuing to permit caching of them.
>
> That is not possible while caching.
>
> Amos




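Added example, not part of the thread and not Squid's or the posters' own code: one way to write the external_acl_type helper suggested in the quoted reply so that it also enforces the cookie expiration asked about in the follow-up. The cookie name IMGAUTH, its user.expiry.HMAC layout, the secret shared with the portal, and the ACL and path names in the comments are all assumptions.

```python
"""Squid external ACL helper: OK only for an unexpired, portal-signed cookie."""
import hashlib
import hmac
import sys
import time
from urllib.parse import unquote

# Assumptions (not from the thread): the portal sets
#   IMGAUTH=<user>.<expiry-epoch>.<hex HMAC-SHA256 of "user.expiry">
# and shares SECRET with this helper. Squid 3.x wiring, hypothetical names:
#   external_acl_type img_session ttl=60 %{Cookie} /usr/local/bin/img_cookie.py
#   acl img_ok external img_session
#   http_access deny image_urls !img_ok   (image_urls: your own ACL for images)
SECRET = b"constructed-demo-secret"
COOKIE_NAME = "IMGAUTH"

def sign(user, expiry):
    """MAC the portal would attach when it issues the cookie."""
    msg = f"{user}.{expiry}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def check_cookie_header(header, now=None):
    """Return 'OK' or 'ERR' for one raw Cookie header value."""
    now = time.time() if now is None else now
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name != COOKIE_NAME:
            continue
        fields = value.rsplit(".", 2)
        if len(fields) != 3:
            return "ERR"
        user, expiry, mac = fields
        # Verify the MAC first (constant time) so expiry cannot be edited.
        if not hmac.compare_digest(mac.encode(), sign(user, expiry).encode()):
            return "ERR"
        # A signed but expired cookie is rejected: this bounds replay time.
        return "OK" if expiry.isdecimal() and int(expiry) > now else "ERR"
    return "ERR"  # no session cookie at all (Squid sends "-" for no header)

def main():
    # Squid writes one URL-escaped Cookie value per line, expects one reply line.
    for line in sys.stdin:
        print(check_cookie_header(unquote(line.strip())), flush=True)

if __name__ == "__main__":
    main()
```

Squid caches each helper verdict for the `ttl=` period, so an expired cookie can keep working for up to that long; the expiry only shortens the window in which a shared cookie is reusable, it does not stop sharing inside that window.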