[Nottingham] apache or squid for proxying?
Mike Cardwell
nlug at lists.grepular.com
Wed Oct 14 14:57:10 UTC 2009
Martin wrote:
> Anyone got an opinion on whether to use apache or squid as a
> (transparent) network proxy for http/https/ftp ?
>
> Advantages/disadvantages?
>
> And will that cache the damnably huge updates that a certain OS is often
> wont to download?
Can you actually use Apache to do that? I don't think mod_proxy would be
suitable... Is there some other module which would allow it?
I would use squid over Apache for that purpose purely because squid is
designed to do exactly the job you're searching for.
Transparent web proxies have an inherent security flaw though. I could
create a hidden java applet on a page which connects back to the server
it came from on port 80. Java apps are allowed to connect back to the IP
they came from without limitations, by design. I think you can do the
same with Flash.
I could connect back to my own IP from the Java applet on port 80 and
then issue HTTP requests like:
    GET / HTTP/1.1
    Host: www.anydomainilike.example.com
Of course, my own server wouldn't honour that request as I have no vhost
for anydomainilike.example.com, but if a transparent web proxy
intercepts the connection, it will perform the request.
In essence, if you have a transparent web proxy, and you visit a website
with a Java app like I described, it can make http requests against any
website it likes, from your very own PC.
If you can, you're better off manually configuring your web browsers to
use a non-transparent proxy, than setting it up in a transparent fashion.
--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
Technical Blog: https://secure.grepular.com/blog/
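
The Host-header mismatch described in the message above can be checked on the proxy side. The following is an added example, not part of the original post and not Squid's or Apache's own code: an intercepting proxy compares the address the client really connected to with the addresses the Host header resolves to, and refuses to fetch by name on a mismatch. The function names, the in-memory DNS table and the addresses are constructed for illustration.

```python
import ipaddress

# Constructed resolver table standing in for DNS so the example runs offline.
SAMPLE_DNS = {
    "www.anydomainilike.example.com": {"198.51.100.20"},
    "applet-origin.example.net": {"203.0.113.7"},
}


def parse_host(raw_request: bytes) -> str:
    """Return the lower-cased Host value (port stripped) of an HTTP/1.x request head."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    hosts = [line.split(":", 1)[1].strip()
             for line in head.split("\r\n")[1:]          # skip the request line
             if line.lower().startswith("host:")]
    if len(hosts) != 1:
        # Zero or duplicate Host headers are ambiguous; refuse to guess.
        raise ValueError("request must carry exactly one Host header")
    host = hosts[0].lower()
    if host.startswith("["):                             # bracketed IPv6 literal
        return host[1:host.index("]")]
    return host.rsplit(":", 1)[0] if ":" in host else host


def verify_intercepted(raw_request, orig_dst_ip,
                       resolve=lambda h: SAMPLE_DNS.get(h, set())):
    """Decide how an intercepting proxy should treat a redirected request.

    orig_dst_ip is the address the client actually connected to, before the
    connection was redirected to the proxy. Returns (verdict, host).
    """
    host = parse_host(raw_request)
    dst = ipaddress.ip_address(orig_dst_ip)
    try:
        matches = ipaddress.ip_address(host) == dst      # Host is an IP literal
    except ValueError:
        matches = dst in {ipaddress.ip_address(a) for a in resolve(host)}
    # On a mismatch the proxy must not fetch (or cache) by the Host name:
    # the client never connected to that site.
    return ("forward" if matches else "reject", host)


if __name__ == "__main__":
    # Constructed request: the connection went to 203.0.113.7, the Host names another site.
    req = b"GET / HTTP/1.1\r\nHost: www.anydomainilike.example.com\r\n\r\n"
    print(verify_intercepted(req, "203.0.113.7"))
```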