Re: [squid-users] URL rewrite on Squid 3.1.6 as ReverseProxy for Exchange OWA

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 24 Feb 2012 23:24:05 +1300

On 24/02/2012 11:52 a.m., Roman Gelfand wrote:
> Hi Amos,
>
> I could be wrong, but I understood from your several posts that this
> type of configuration is not recommended (either due to security
> issues or performance, I don't remember exactly).
>
> Is that right?

*redirect* (using deny_info or a redirector program which does real 3XX
status redirects) is fine and a built-in feature of HTTP, since what it
does is inform the client browser/agent to change the URI being
requested, keeping any state between the server and client synchronized.
Security, behaviour expectations and working state are all kept predictable.

*rewrite* (using a redirector/rewriter to alter the URL in-transit) is
not recommended on grounds of being complex with many breakages from the
client browser/agent being unaware of the URL change. Rewrite is at
heart a cross-site/XSS attack, in the same way that an intercept proxy is
a MITM attack. Intending for it to happen does not change the side
effects or lessen the risks.

Amos
Received on Fri Feb 24 2012 - 10:24:17 MST
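
The redirect option described above, as an added example that is not part of the original post or of Squid's own code: a url_rewrite_program helper that only ever answers with a real 302, so the client learns the new URL. The host name mail.example.com, the /owa/ path and the legacy one-line helper format of Squid 3.1 are assumptions of this sketch.

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program helper that answers with real 302 redirects."""
import sys
from urllib.parse import urlsplit

# Assumptions for this sketch: the published host name and the OWA path.
PUBLIC_HOST = "mail.example.com"
OWA_PATH = "/owa/"


def reply_for(line: str) -> str:
    """Build the helper reply for one request line from Squid.

    Input (legacy format, assumed): [channel-ID] URL client/fqdn ident method
    Reply: "302:URL" makes Squid send a real redirect to the client;
    an empty reply leaves the request untouched. A bare URL would be an
    in-transit rewrite the client never sees, which this helper never emits.
    """
    fields = line.split()
    channel = ""
    if fields and fields[0].isdigit():       # concurrency channel ID, echoed back
        channel = fields.pop(0) + " "
    if not fields:
        return channel.rstrip()
    url = urlsplit(fields[0])
    wrong_scheme = url.scheme != "https"     # plain HTTP reached the proxy
    wrong_path = url.path in ("", "/")       # site root instead of OWA
    if url.hostname == PUBLIC_HOST and (wrong_scheme or wrong_path):
        path = OWA_PATH if wrong_path else url.path
        query = "?" + url.query if url.query else ""
        return f"{channel}302:https://{PUBLIC_HOST}{path}{query}"
    return channel.rstrip()                  # no change


def main() -> None:
    for line in sys.stdin:                   # one request per line until EOF
        sys.stdout.write(reply_for(line) + "\n")
        sys.stdout.flush()                   # Squid waits for each reply


if __name__ == "__main__":
    main()
```

Because every non-empty reply carries the 302: prefix, the browser's address bar, cookies and relative links stay in step with what the server sees.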
