Re: [squid-users] Massive problems with https connections to Domino Server (long)

From: vda <vda@dont-contact.us>
Date: Wed, 11 Feb 2004 08:50:41 +0200

> > BTW. Is your squid transparent?
>
> No.
>
> > BTW#2. Why do you proxy https traffic at all?
> > What are you trying to achieve?
>
> Security. From what I learned is to deny direct tcp connections to the
> internet. I can go direct in this case but that is an exception.
> Besides it's easy to implement squid's acl.

Give me an example of some security measure which you
can accomplish with squid but not with masquerading
using iptables.

If you can't, maybe you need to think first what exactly you are
trying to accomplish. I hope you aren't thinking "I do not exactly
know why, but folks said it is more secure"? ;)

If you do need some filtering via squid, at least make it
transparent and unavoidable for your users. Now you have to
set up each user's IE to use squid, right? Nothing prevents
them from re-enabling direct access to Inet.

> > IE DoSes your server. In this case inadvertently but still,
> > you have to take measures.
> > You probably should configure squid/Domino to limit number
> > of TCP connections from one IP, total number of open
> > connections and/or limit max connection lifetime.
>
> I know you are very kind and are trying to help me, thx very much for
> this. But this cannot be a solution. There is something fundamentally
> wrong. I can take down one server with just one client -easily-.

Exactly. Right now, you triggered a DoS with IE bug (or maybe it's
a squid bug? we are not 100% sure). But any user can do the same with
very simple tools like netcat and/or stunnel. You have to make it
impossible if you want a rock stable system.

And I gave you a few ideas how to do that. Why "this cannot
be a solution"?

--
vda
Received on Tue Feb 10 2004 - 23:51:11 MST
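As an added illustration of the per-client connection limits vda suggests above (this is example configuration, not something posted in the thread or taken from the original poster's setup), the following squid.conf excerpt caps the number of simultaneous connections one client IP may hold, restricts CONNECT tunnels to port 443 and to a placeholder destination domain, and bounds connection lifetime. The numeric limits and the domain name are assumed values for illustration; tune them to the real user population.

```conf
# squid.conf excerpt: added example, not from the mailing-list thread.
# All numbers and the destination domain below are assumed placeholder values.

# Deny a client that already holds more than 10 open connections to squid.
# (maxconn relies on client_db, which is on by default.) Deny rules must
# appear before the allow rules so they are evaluated first.
acl too_many_conns maxconn 10
http_access deny too_many_conns

# Allow CONNECT only to the TLS port and only toward the listed
# destination domain; everything else tunnelled is refused.
acl SSL_ports port 443
acl CONNECT method CONNECT
acl domino_hosts dstdomain .domino.example.invalid
http_access deny CONNECT !SSL_ports
http_access allow CONNECT domino_hosts
http_access deny CONNECT

# Bound how long a single client connection may stay open
# (squid's default is 1 day).
client_lifetime 8 hours
```

Note that these limits protect the proxy, not the Domino server behind it: a client that bypasses squid, as vda points out can happen when the proxy is not transparent, is unaffected, so the server side still needs its own connection limits.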