Hi All,
We're happily running Squid 2.5S1 under FreeBSD - and running it as an HTTP accelerator.
I've been trying to set up the access lists very carefully to stop people from supplying faked 'GET / HOST' lines, and effectively using the accelerator as a proxy to fetch a page of their choice from any http server on the net, rather than just pages from the accelerated host.
I can't seem to figure this out though - the moment I put the equivalent of 'allow any' into the http_access list [to allow any client to connect to the proxy] - it seems Squid will quite happily go and connect outbound to anywhere on the net as well... I found a couple of Howto's on the net - and I have read through most of the documentation I can find, but all seem to end in the same result - a faked 'GET / HOST: somewhere.com' works, or no one can access the accelerator.
I'm guessing this is user error - but is it possible to tell squid "Serve requests for anyone" as well as "Squid, you may only contact the following host to get data from"? - Everything seems to revolve around the http_access list, and I can't get the 'mutually exclusive' feeling out of my head.
If there is the above, is there even more optimistically a "Oh, and by the way - make sure the request you're processing only has the following hosts in the Host: line?" - or would that have to be handled purely by the redirector?
Regards,
-Karl Pielorz
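
Added example, not part of the original post or of the Squid project's documentation: a squid.conf ACL sketch for the restriction asked about above, with the "allow any" form beside a destination-restricted form. The ACL name `accel_sites` and the host `www.example.com` are placeholders chosen for illustration.

```conf
# Constructed example for a Squid 2.5 accelerator.
# www.example.com stands in for the accelerated site (placeholder).

# --- Weak form: any client, any destination --------------------------
# The rule only looks at the client address, so every request matches,
# whatever host it names.
#
#   acl all src 0.0.0.0/0.0.0.0
#   http_access allow all

# --- Restricted form: any client, one destination --------------------
acl all src 0.0.0.0/0.0.0.0

# dstdomain is matched against the host of the requested URL, not
# against the client, so it limits where Squid may fetch from.
acl accel_sites dstdomain www.example.com

# http_access lines are checked top to bottom and the first matching
# line decides. ACLs named on the same line are ANDed together.
# No src ACL appears on the allow line, so any client may connect,
# but only for requests whose destination is the accelerated site.
http_access allow accel_sites

# Everything else, including requests naming some other host, is refused.
http_access deny all
```

Client and destination checks are both expressed in `http_access`, so the two requirements are not mutually exclusive: each rule is evaluated per request, and a request carries both a source address and a destination host.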
