Re: [squid-users] Squid as a web application firewall

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 22 Jun 2008 15:29:42 +1200

howard chen wrote:
> Hi all,
>
> I am not sure if anyone has thought about this before.
>
> Consider a traditional setup for today's web applications:
>
>
> User <==> Squid(s) <==> Apache(s) <==> MySQL / Memcached / NFS
>
>
> Currently I have mod_security installed on every Apache to prevent
> attacks such as SQL Injection, XSS etc.
>
> Sure, as a web application firewall, you would need more features than
> mod_security currently provides, e.g.
>
> 1. rate-limiting, e.g. limit your user from accessing register.cgi for
> not more than 1 time per minute (against spam or application level
> DOS)
> 2. Block user by IP, subnet
> 3. Block by request header, e.g. UA, cookie
>
> Of course I am not going to ask to merge all these features into squid,
> but I want to ask if it is feasible to develop all these features as an
> external program, and squid will pass the needed info to a program
> similar to a redirector (or maybe just using redirector concept).
>
> I am just not sure if it is suitable to perform all these actions at
> squid layer.

Most of them are suitable and already available. We call them Access
Controls:
  http://www.squid-cache.org/Versions/v2/2.7/cfgman/acl.html
  http://www.squid-cache.org/Versions/v3/3.0/cfgman/acl.html

and they can be applied to permit or limit most of Squid's operations,
protocols, and components.

Amos

-- 
Please use Squid 2.7.STABLE2 or 3.0.STABLE6
Received on Sun Jun 22 2008 - 03:29:48 MDT
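
The external-program idea raised in the question, sketched as an added example (not part of the original thread and not Squid project code): a helper for Squid's external_acl_type interface that limits register.cgi to one request per client IP per minute. The helper path, the ACL names "ratelimit" and "reg_limit", and the squid.conf lines in the comments are assumptions for illustration.

```python
#!/usr/bin/env python3
# Added example: external ACL helper enforcing a per-IP rate limit.
# Assumed squid.conf wiring (names and path are hypothetical):
#   external_acl_type ratelimit children=1 ttl=0 negative_ttl=0 %SRC %PATH /usr/local/bin/ratelimit.py
#   acl reg_limit external ratelimit
#   http_access deny !reg_limit
# children=1 keeps one in-memory table; ttl=0/negative_ttl=0 stop Squid caching answers.
# Squid writes one "SRC PATH" line per lookup; the helper answers OK (match) or ERR.
import sys
import time

LIMITED_SUFFIX = "/register.cgi"   # endpoint named in the thread
WINDOW_SECONDS = 60                # "not more than 1 time per minute"


class RateLimiter:
    def __init__(self, window=WINDOW_SECONDS, clock=time.monotonic):
        self.window = window
        self.clock = clock
        self.last_allowed = {}     # client IP -> time of last allowed request

    def check(self, line):
        """Return 'OK' or 'ERR' for one helper input line."""
        parts = line.split()
        if len(parts) != 2:
            return "ERR"           # malformed input: fail closed
        src, path = parts
        if not path.split("?", 1)[0].endswith(LIMITED_SUFFIX):
            return "OK"            # only the registration endpoint is limited
        now = self.clock()
        self._expire(now)
        if src in self.last_allowed:
            return "ERR"           # already served within the window
        self.last_allowed[src] = now
        return "OK"

    def _expire(self, now):
        # Drop stale entries so the table cannot grow without bound.
        stale = [ip for ip, t in self.last_allowed.items() if now - t >= self.window]
        for ip in stale:
            del self.last_allowed[ip]


def main():
    limiter = RateLimiter()
    for line in sys.stdin:
        sys.stdout.write(limiter.check(line) + "\n")
        sys.stdout.flush()         # Squid waits for each answer; never buffer


if __name__ == "__main__":
    main()
```

If Squid sits behind another proxy or load balancer, %SRC is that device's address, so the limit would apply to all users at once.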
