Bryan Ragon wrote:
> You obviously know more about http proxies & methods that I: Is allowing
> the CONNECT method to only a specific host at a specific IP a security
> hole, or does it take a more "open" set of acl's to create a security
> breach? How could this be abused? I'm sure there's a way, I just want to
> make sure I cover all my bases.
Not if done correctly.
Problem is that many don't and simply remove the restrictions on CONNECT, and
then become surprised to find that there is other applications abusing
CONNECT to connect to various strange services on the Internet.
A very common abuse of CONNECT is to use a open HTTP proxy to send SMTP spam
with a false originator address.
Anyone changing the default access controls of CONNECT should understand that
CONNECT is very different from the other methods. CONNECT is not a proxy
method, it is a method for opening a full duplex TCP tunnel via a HTTP proxy,
intended for allowing https traffic to be sent the same path as http.
-- Basic free Squid support provided thanks to MARA Systems AB Your source of advanced reverse proxy solutions or customized Squid solutions. http://www.marasystems.com/products/Received on Thu May 23 2002 - 10:22:15 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:08:12 MST