Re: [squid-users] maxconn

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 18 Dec 2010 18:38:35 +1300

On 18/12/10 04:35, Jason Greene wrote:
> On Thu, Dec 16, 2010 at 7:41 PM, Amos Jeffries<squid3_at_treenet.co.nz> wrote:
>> On 17/12/10 10:38, Jason Greene wrote:
>>>
>>> I'm trying to close a security hole
>>>
>>>
>>> I want to use maxconn on ALL IPs
>>>
>>> acl limitusercon maxconn 3
>>> http_access deny all limitusercon
>>
>> Testing the "all" there is not useful. That should be just:
>>
>> http_access deny limitusercon
>>
>> ... making sure it's placed at the top of your access controls so nothing
>> doing an allow can bypass it. Right after the "deny CONNECT !SSL_Ports"
>> should do.
>
> Thanks, I'll try this out.
>
>>
>>>
>>> But it doesn't seem to work and the hole still appears on a scan.
>>
>> What hole?
>
>
> HTTP Proxy CONNECT Loop DoS
>

If that is what I think it is you are missing the default "deny CONNECT
!SSL_Ports" or have opened SSL_Ports too wide.
Due to:
  - the proxy listening ports are not SSL/CONNECT safe ports.
  - port 443 listening is reverse-proxy territory + reverse proxy must
not accept CONNECT requests (older squid releases allowed it wrongly).

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.9
   Beta testers wanted for 3.2.0.3
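The rule ordering Amos describes, as an added example that is not part of the original thread or of Squid's own code: a small Python model of Squid's first-match http_access evaluation, run over a hardened config and the same config with the CONNECT guard removed. The 192.0.2.0/24 localnet, the proxy listener port 3128 and the maxconn semantics (match once the client's connection count exceeds the limit) are assumptions.

```python
"""Simulates Squid's first-match http_access evaluation (added example, not
Squid's code). Models only port, method, maxconn and src ACLs; maxconn
matches once a client's open connection count exceeds the limit."""
import ipaddress
from collections import namedtuple

# method, destination port, client IP, connections the client already holds
Request = namedtuple("Request", "method dst_port src open_conns")

def parse(conf):
    """Collect acl definitions and http_access rules in file order."""
    acls, rules = {"all": ("all", [])}, []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if words[:1] == ["acl"]:
            acls[words[1]] = (words[2], words[3:])
        elif words[:1] == ["http_access"]:
            rules.append((words[1], words[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    kind, args = acls[name.lstrip("!")]
    hit = {"all": lambda: True,
           "port": lambda: req.dst_port in {int(a) for a in args},
           "method": lambda: req.method in args,
           "maxconn": lambda: req.open_conns > int(args[0]),
           "src": lambda: any(ipaddress.ip_address(req.src) in
                              ipaddress.ip_network(a) for a in args)}[kind]()
    return hit != name.startswith("!")  # a leading "!" negates the ACL

def decide(conf, req):
    """First line whose ACLs all match wins; no match -> opposite of last."""
    acls, rules = parse(conf)
    for verdict, names in rules:
        if all(acl_matches(acls, n, req) for n in names):
            return verdict
    return "allow" if rules[-1][0] == "deny" else "deny"

# Constructed config in the order Amos recommends: CONNECT guard first,
# then the per-client limit, then the site's own allow rule.
HARDENED = """acl SSL_ports port 443
acl CONNECT method CONNECT
acl localnet src 192.0.2.0/24
acl limitusercon maxconn 3
http_access deny CONNECT !SSL_ports
http_access deny limitusercon
http_access allow localnet
http_access deny all"""
# Without the CONNECT guard a CONNECT to a non-SSL port (e.g. the proxy's
# own listener) is only stopped by the per-client maxconn limit.
WEAK = HARDENED.replace("http_access deny CONNECT !SSL_ports\n", "")
```

Under WEAK, `decide(WEAK, Request("CONNECT", 3128, "192.0.2.10", 0))` returns "allow", while HARDENED denies it at the first line regardless of the client's connection count.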
Received on Sat Dec 18 2010 - 05:38:40 MST

This archive was generated by hypermail 2.2.0 : Mon Dec 20 2010 - 12:00:03 MST