Re: [squid-users] Open Relay

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 24 Apr 2003 08:51:18 +0200

On Thursday 24 April 2003 07.47, Tony Melia (DMS) wrote:
> Sorry, after coming back from holidays I just emptied my squid
> mails folder. Is there any more info on this, as I would like to
> make sure I am secure.

The rules are plain and simple:

1. Do not allow outsiders access to use your proxy.

2. Do not allow your users to abuse the proxy to connect to well known
non-HTTP services such as SMTP.

If you follow the suggested default configuration shipped with Squid
then you are protected from both.

If you delete the suggested default rules and write your own
http_access ruleset then you need to carefully consider the above
rules and how they apply to your ruleset.

If you modify the Safe_Ports or SSL_Ports acls in the default
configuration then you should carefully consider why you are
modifying these acls.

If you are adding other http_access directives than instructed in the
default configuration then you should carefully consider the effect
of your directives to make sure you do not accidentally give more
access privileges than intended, but if you keep the default rules
then you should at least be protected from open relay issues and
limited to open proxy issues.

Note: if you are running an accelerator then rule #1 becomes reversed:

1. Do not allow access via the proxy to other servers than your own

Rule #2 is the same.

In both cases access control is done by http_access.

In case of a proxy, firewalling the proxy port from outside access is
also recommended as an extra protection.

Regards
Henrik

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org
If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Thu Apr 24 2003 - 00:51:20 MDT
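The two rules above, and the reversed rule #1 for an accelerator, worked through as an added example that is not part of the original message and is not Squid's own code: a small Python model of how Squid walks an http_access list (first line whose acls all match decides; if none matches, the opposite of the last line applies). The forward-proxy ruleset is modelled on the default squid.conf of the time with the manager acls trimmed; the localnet 192.0.2.0/24, the accelerator ruleset and the example.com/example.org site names are assumptions made for the example, and the requests are constructed test input.

```python
"""Toy model of Squid http_access evaluation (added example, not Squid code).

Supports the acl types src, dstdomain, port and method and applies
Squid's rule order: the first http_access line whose acls all match
decides the request.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str      # client IP address
    method: str   # HTTP method, e.g. GET or CONNECT
    host: str     # destination host (the tunnel target for CONNECT)
    port: int     # destination TCP port


def parse_config(text):
    """Return (acls, rules): acls maps name -> (type, values); rules is a
    list of (action, [(negated, acl_name), ...], original_line)."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # squid.conf allows # comments
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, kind, args = words[1], words[2], words[3:]
            if kind == "src":
                value = [ipaddress.ip_network(a, strict=False) for a in args]
            elif kind == "port":
                value = []
                for a in args:                    # "80" or "1025-65535"
                    lo, _, hi = a.partition("-")
                    value.append((int(lo), int(hi or lo)))
            elif kind in ("dstdomain", "method"):
                value = list(args)
            else:
                raise ValueError(f"unsupported acl type {kind}")
            if name in acls:                      # repeated acl lines append
                acls[name][1].extend(value)
            else:
                acls[name] = (kind, value)
        elif words[0] == "http_access":
            terms = [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]
            rules.append((words[1], terms, line))
    return acls, rules


def acl_matches(acl, req):
    kind, value = acl
    if kind == "src":
        return any(ipaddress.ip_address(req.src) in net for net in value)
    if kind == "port":
        return any(lo <= req.port <= hi for lo, hi in value)
    if kind == "method":
        return req.method.upper() in value
    if kind == "dstdomain":
        host = req.host.lower()
        for d in value:
            d = d.lower()
            if d.startswith("."):                 # ".example.org" = domain + subdomains
                if host == d[1:] or host.endswith(d):
                    return True
            elif host == d:
                return True
        return False
    raise ValueError(kind)


def http_access(config, req):
    """Return (decision, matching_line). With no matching line Squid uses
    the opposite of the last line's action; with no lines it denies."""
    acls, rules = parse_config(config)
    for action, terms, line in rules:
        if all(acl_matches(acls[name], req) != negated for negated, name in terms):
            return action, line
    if not rules:
        return "deny", None
    return ("allow" if rules[-1][0] == "deny" else "deny"), None


# Forward proxy: modelled on the default squid.conf, manager acls trimmed.
# 'localnet' is the assumed site LAN, inserted where the default file
# tells you to add your own client rules.
FORWARD_PROXY = """
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1/32
acl localnet src 192.0.2.0/24
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""

# Accelerator: rule #1 reversed, only the assumed origin sites are reachable.
ACCELERATOR = """
acl all src 0.0.0.0/0
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl our_sites dstdomain www.example.com .example.org
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_sites
http_access deny all
"""

if __name__ == "__main__":
    cases = [  # constructed requests
        (FORWARD_PROXY, Request("192.0.2.10", "GET", "mail.example.net", 25)),
        (FORWARD_PROXY, Request("192.0.2.10", "CONNECT", "mail.example.net", 8025)),
        (FORWARD_PROXY, Request("192.0.2.10", "GET", "www.example.com", 80)),
        (FORWARD_PROXY, Request("203.0.113.5", "GET", "www.example.com", 80)),
        (ACCELERATOR, Request("203.0.113.5", "GET", "shop.example.org", 443)),
        (ACCELERATOR, Request("203.0.113.5", "GET", "www.victim.example", 80)),
    ]
    for cfg, req in cases:
        print(req.src, req.method, f"{req.host}:{req.port}", "->", http_access(cfg, req))
```

Note which line fires: a request to port 25 is stopped by `deny !Safe_ports` whatever the method, while `deny CONNECT !SSL_ports` is what stops tunnelling to a port that is in Safe_ports but not in SSL_ports. The model also shows the limit of the port rules: Safe_ports includes 1025-65535, so a LAN user's GET to an unprivileged port is still allowed by `allow localnet`, and an outside client is only stopped by `deny all` (or by the firewall in front of the proxy port).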

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:15:23 MST