Re: [squid-users] Rewriting URL

From: Matus UHLAR - fantomas <uhlar_at_fantomas.sk>
Date: Fri, 17 Feb 2012 10:57:25 +0100

>On 17/02/2012 6:10 p.m., Roman Gelfand wrote:
>>Consider the following configuration...
>>
>>acl host1 dst host1.dom.com

On 17.02.12 19:26, Amos Jeffries wrote:
>"dst" is not a good idea. Any phisher attacker who wants to make
>their website resolve to your servers internal IP can do so and
>connect through this proxy to it.

but the phishing site must still run on the destination site, am I
right?

>"dstdomain" is the recomended ACL type. That way the domain is
>accepted or denied. The client can only reach Squid by resolving the
>domain IP as this Squid box, so no security worries there. It also
>lets you scale out the backend with any number of servers or peers,
>and swap them about without involving DNS alterations (think TTL lag
>on every change).

By using dstdomain you can allow (reverse) proxying to one website (or
more within the same domain). By using dst you can (reverze) proxy
more sites on the same host/network.

I think that using "dst" here is not the issue if we are talking about
reverse proxy.

Is there any situation I have missed?

-- 
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.
Received on Fri Feb 17 2012 - 09:57:28 MST

This archive was generated by hypermail 2.2.0 : Fri Feb 17 2012 - 12:00:03 MST