Re: Security Concerns

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 26 Jan 2004 16:49:22 +0100 (CET)

On Mon, 26 Jan 2004, Andres Kroonmaa wrote:

> > Henrik Nordstrom <hno@squid-cache.org> writes:
> >
> > > This question got me thinking, and maybe we should restrict Squid to plain
> > > refuse to start if access rules say "http_access allow all".
>
> Wouldn't this kick in in accelerator configs?

If you are using Squid-2.5 in accel-only mode with both
httpd_accel_uses_host_header and httpd_accel_with_proxy off, then yes, this
kicks in when it should not, but it can easily be extended to know about
this specific case.

If you are using Squid-2.5 with either of the above two directives on, then
you need access controls or you will have an open proxy, which I suspect
many do not know or fully understand.

The Squid-3 case is a little more complex to define. There are a few types
of accel-mode setups where access controls are not strictly needed in
Squid-3, but there are also many subtle changes in configuration which
cause access controls to be needed.

In all three accelerator cases I strongly advise having access controls
set up limiting what may be reached via the accelerator. If you have, then
the patch will most likely not trigger, as it only triggers if you are
using an "allow all" type access rule, not if you are using "allow
these_destinations" or "allow these_clients".

But the patch is overly simplistic and will give false indications of open
proxy configuration in case of "deny what is not allowed, allow the rest"
type configurations. It should be seen mainly as an idea and not a
verified patch. If added, there should at a minimum be a new configuration
directive where the test can be disabled. There are also very many cases of
open proxy setups the patch will not trigger upon.

The idea of this test is mainly to make administrators aware that having
an open proxy is not good if they attempt to set up one without knowing
why it is not good, and also to trap stupid mistakes leading to open proxy
type configurations.

The idea is not to second-guess the administrator. If he really wants, I
agree he should be allowed to do whatever he pleases, but I think it is ok
if he may need to put a little more effort into making configurations which
seem obviously incorrect, insecure or plain bad.

Regards
Henrik
Received on Mon Jan 26 2004 - 08:49:25 MST
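The discussion above describes a start-up check that flags an `http_access allow all` rule, its false positive on "deny some things, then allow the rest" rule sets, and the Squid-2.5 accel-only exception (httpd_accel_uses_host_header and httpd_accel_with_proxy both off). The script below is an added illustration of that logic as an offline configuration linter; it is not the patch Henrik refers to and not Squid code. It assumes the Squid-2.5 directive names named in the thread, treats `all` and any `acl ... src 0.0.0.0/0.0.0.0` as catch-all ACLs, and uses the three constructed sample configurations embedded in it.

```python
"""Classify a squid.conf http_access rule set as an open-proxy risk.

Added example (not from the thread). It goes a little beyond the patch
under discussion: a catch-all allow that follows at least one deny is
reported separately instead of being flagged as an open proxy, and an
accel-only Squid-2.5 setup is recognised as the exception the thread
mentions.
"""

# ACL source values that match every client (Squid-2.5 style "all" ACL).
CATCH_ALL_SRC = {"0.0.0.0/0.0.0.0", "0.0.0.0/0", "all"}

# Constructed sample configurations, not taken from any real deployment.
OPEN_PROXY_CONF = """\
acl all src 0.0.0.0/0.0.0.0
http_access allow all
"""

RESTRICTED_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.0.0/16
http_access allow localnet
http_access deny all
"""

DENY_THEN_ALLOW_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl bad_ports port 25
http_access deny bad_ports
http_access allow all          # the "deny what is not allowed, allow the rest" style
"""

ACCEL_ONLY_CONF = """\
httpd_accel_host www.example.invalid
httpd_accel_port 80
httpd_accel_with_proxy off
httpd_accel_uses_host_header off
acl all src 0.0.0.0/0.0.0.0
http_access allow all
"""


def parse_conf(conf):
    """Return (catch_all_acls, http_access_rules, directives).

    rules is a list of (action, [acl names]) in file order; an ACL name may
    carry a leading '!' for negation. directives maps directive -> value.
    """
    catch_all = {"all"}  # Squid-3 predefines 'all'; Squid-2.5 users declare it
    rules, directives = [], {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            if all(v in CATCH_ALL_SRC for v in parts[3:]):
                catch_all.add(parts[1])
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
        elif len(parts) >= 2:
            directives[parts[0]] = parts[1]
    return catch_all, rules, directives


def is_catch_all_rule(acls, catch_all):
    """A rule line matches only when every ACL on it matches, so it is a
    catch-all only if every ACL on it is a catch-all (a negated '!all'
    never matches, and so correctly fails this test)."""
    return all(a in catch_all for a in acls)


def is_accel_only(directives):
    """Squid-2.5 accel-only mode as described in the thread: an accelerator
    host is configured and neither with_proxy nor uses_host_header is on."""
    return ("httpd_accel_host" in directives
            and directives.get("httpd_accel_with_proxy", "off") != "on"
            and directives.get("httpd_accel_uses_host_header", "off") != "on")


def classify(conf):
    """'open', 'accel-only', 'deny-then-allow-all', 'restricted' or 'no-rules'."""
    catch_all, rules, directives = parse_conf(conf)
    if not rules:
        return "no-rules"  # Squid denies when no http_access lines exist
    seen_deny = False
    for action, acls in rules:
        if action == "deny":
            seen_deny = True
            if is_catch_all_rule(acls, catch_all):
                return "restricted"  # nothing after a deny-all is reachable
        elif action == "allow" and is_catch_all_rule(acls, catch_all):
            if seen_deny:
                return "deny-then-allow-all"  # needs a human look, not a refusal
            return "accel-only" if is_accel_only(directives) else "open"
    return "restricted"  # no catch-all allow; Squid's implicit final deny applies


if __name__ == "__main__":
    for name, conf in [("open", OPEN_PROXY_CONF), ("restricted", RESTRICTED_CONF),
                       ("deny-then-allow", DENY_THEN_ALLOW_CONF),
                       ("accel-only", ACCEL_ONLY_CONF)]:
        print(f"{name:16s} -> {classify(conf)}")
```

Only the "open" verdict corresponds to the refuse-to-start idea; "deny-then-allow-all" is exactly the case the thread says a simplistic check would misreport, so a real implementation would at most warn there, and a configuration directive to disable the test (as the thread suggests) would sit above `classify`.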
