On Mon, 15 Nov 2004, Greg Swallow wrote:
> Although I'm not sure why, people appear to have started using our HTTP
> accelerators last month to start surfing other sites. Perhaps they wish
> to remain anonymous?
Or they want to bypass restrictions placed by their ISP or country, or they
want to conceal themselves in various illegal activities, making it look like
it is you who conducts these activities instead.
> My access controls are pretty much the default, because this was
> supposed to be wide open.
The default is totally closed, rejecting all requests, not wide open.
Accelerators should not be wide open. They should only accept requests to
a limited set of web sites (the sites you accelerate).
> If I'm running my squid boxes in HTTP accel
> mode, shouldn't it be pretty much impossible to surf other sites through
> them?
Depends on your configuration.
If you use either httpd_accel_uses_host_header or httpd_accel_with_proxy
then it is possible to ask Squid to fetch any URL.
In all cases requests are subject to your access controls.
> Or should I have to set up ACLs?
This should always be done, even when the above directives are not used. If
not, it is way too easy to end up with an open proxy configuration later on
when demands on the functionality increase (i.e. the need to accelerate
more than one host, or to comply with HTTP specifications).
Regards
Henrik
Received on Mon Nov 15 2004 - 10:06:58 MST
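
Added example (not part of the original message, and not Squid project code): a Python check over Squid's native access.log that lists which clients were relayed to hosts outside the accelerated set, and which attempts the access controls denied. The ACCELERATED host names and the log lines are constructed for illustration.

```python
"""Flag accelerator traffic for hosts that are not accelerated (added example)."""
from collections import Counter
from urllib.parse import urlsplit

# Assumption: the only sites this accelerator is meant to serve.
ACCELERATED = {"www.example.com", "static.example.com"}

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1100538001.123    45 192.0.2.10 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html
1100538002.456   310 198.51.100.7 TCP_MISS/200 20480 GET http://news.example.net/ - DIRECT/203.0.113.5 text/html
1100538003.789   120 198.51.100.7 TCP_MISS/200 900 CONNECT shop.example.org:443 - DIRECT/203.0.113.9 -
1100538004.012    12 192.0.2.11 TCP_DENIED/403 1400 GET http://other.example.net/ - NONE/- text/html
1100538005.500    30 192.0.2.12 TCP_MEM_HIT/200 800 GET http://STATIC.example.com:80/a.css - NONE/- text/css
"""

def target_host(method, url):
    """Return the lower-cased destination host of a logged request."""
    if method == "CONNECT":           # logged as host:port, without a scheme
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def audit(log_text, accelerated=ACCELERATED):
    """Count requests for non-accelerated hosts, keyed by (client, host).

    Returns (served, denied): served entries mean Squid relayed the request,
    denied entries mean http_access rejected it (TCP_DENIED).
    """
    served, denied = Counter(), Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue                  # skip truncated or malformed lines
        client, result, method, url = fields[2], fields[3], fields[5], fields[6]
        host = target_host(method, url)
        if host in accelerated:
            continue                  # expected accelerator traffic
        bucket = denied if result.startswith("TCP_DENIED") else served
        bucket[(client, host)] += 1
    return served, denied

if __name__ == "__main__":
    served, denied = audit(SAMPLE_LOG)
    for (client, host), n in served.most_common():
        print(f"RELAYED  {client} -> {host} ({n} requests)")
    for (client, host), n in denied.most_common():
        print(f"blocked  {client} -> {host} ({n} requests)")
```

Any RELAYED line means the access controls let a request through for a site the accelerator was never meant to serve.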