Re: [squid-users] squid and ISP.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 11 Jun 2013 16:59:13 +1200

On 11/06/2013 12:21 p.m., Beto Moreno wrote:
> Just wondering, I had read that some ISPs use squid for caching their
> clients' contents, 1k+ users. By default squid has a list of known
> ports open:
>
> 80, 443, etc.
>
> For large deployments you know that you have a bunch of users that hit a
> lot of pages per second, and some sites, for example, require ports
> like 8080, 4578 in the url. It is difficult for a sysadmin to wait for a
> customer to request to open port 4578 because some site he uses
> requires that port.
>
> Here, how do you handle this?
>
> Do you open ports 80-65535 in squid, or how do you manage this? Do you wait for the
> customer to complain?

No. Some of the non-80 ports below 1024 are *extremely* dangerous to
allow through an HTTP proxy. HTTP syntax accepted by the proxy and relayed
on can be confused by the receiving port's service as its own protocol
and cause great damage or security problems with internal systems. For
example the MS Windows RPC ports or email SMTP / Submission ports -
allowing unlimited access to these through your proxy is downright
stupid even if the users ask for it.

The default list of the Safe_ports ACL includes the "port 1024-65535" range
for generic web hosting ports such as your examples. So those sites work
through any Squid proxy in the world using the published defaults, and
many of the non-Squid proxies have equivalent rules as well. The list of
the below-1024 ports is carefully selected and restricted to those ports
where HTTP can be sent safely on any network. If you extend service outside
those port ranges in the default config, you must take great care in
understanding what the individual port is used for, its normal protocol
syntax and how HTTP can interact with it - this is somewhat variable
between networks but for the ISP situation tends to be dangerous.

The SSL_ports ACL definition, controlling where SSL/TLS is expected for
CONNECT tunnels being sent to non-443 ports, is more commonly adapted.
Some admins permit specific other services such as rsync, secure news
service and chat applications to explicitly tunnel through the web proxy
- that is network policy dependent. CONNECT tunnels are both extremely
useful and extremely dangerous - since there is no control whatsoever of
what content they contain. For the ISP situation you will typically not
see services using an HTTP-only proxy like Squid for relaying non-HTTP
services, so this is not a big issue.

Amos
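For reference, the squid.conf fragment below shows the Safe_ports / SSL_ports ACLs and deny rules discussed in the reply, with one narrow extension (an rsync tunnel for a single client network) added as an illustration. This is an added example, not text from the thread; the 192.0.2.0/24 client range and the rsync line are assumptions, the rest follows the stock squid.conf defaults.

```conf
# Ports to which plain HTTP requests may be forwarded.
# The below-1024 entries are the shipped defaults; do not widen them casually.
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports (generic web hosting, e.g. 8080, 4578)
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

# Ports to which CONNECT tunnels (opaque, uninspected) may be opened.
acl SSL_ports port 443

# Example (assumption): one client subnet is allowed to tunnel rsync (873).
# Kept to a dedicated ACL so the extension is visible and scoped, not a blanket change.
acl rsync_clients src 192.0.2.0/24
acl rsync_port port 873
acl CONNECT method CONNECT

# Deny rules come first, before any allow, so the restrictions cannot be bypassed.
http_access deny !Safe_ports
http_access allow CONNECT rsync_clients rsync_port
http_access deny CONNECT !SSL_ports
```

The scoped allow for rsync sits above the generic CONNECT deny because Squid evaluates http_access lines top to bottom; placing it below the deny would make it unreachable.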
Received on Tue Jun 11 2013 - 07:27:38 MDT
