[squid-users] How to avoid Squid disclosing the origin server IP when there is an error

Amos Jeffries squid3 at treenet.co.nz
Sat Sep 26 22:49:06 UTC 2015


On 26/09/2015 11:48 p.m., Manuel wrote:
> When Squid -even as a reverse proxy (which is my concern)- can not retrieve
> the requested URL, it discloses the IP address of the server trying to
> contact with. Is there any way to hide that IP address to the public for
> security reasons?

This is not a security problem.

1) security by obscurity does not work.

2) "127.0.0.1" does not leak any information other than a CDN proxy is
being used. The existence of the error page itself and several other
mandatory details in the HTTP protocol provides the exact same information.

3) If 127.0.0.1 interface on your server is accessible from a remote
machine; then you have much, much worse security problems that need fixing.


This is a privacy related thing.

I say thing specifically because "problem" and "issue" would imply
actually being a problem. There is zero privacy loss from server IPs
being known. It is required to inform the client to prevent it repeating
this query via other routes which intersect or terminate at the same
broken server IP.



> 
> Example of the error message I am referring to:
> "The requested URL could not be retrieved
> 
> While trying to retrieve the URL: http://www.domainame.com/
> 
> The following error was encountered:
> 
> * Connection to 127.0.0.1 Failed
> 
> The system returned:
> 
> (110) Connection timed out
> 
> The remote host or network may be down. Please try the request again.
> 
> Your cache administrator is @

That's a funky email address to have for administrative / webmaster contact.

Amos

