[Nottingham] apache or squid for proxying?
Mike Cardwell
nlug at lists.grepular.com
Wed Oct 14 17:26:12 UTC 2009
Martin wrote:
>> I don't know. Do any ISPs use transparent web proxies anymore?
>
> (transparent) proxy != web cache somewhere on ISP network?
>
>
> Is this no longer used:
>
> http://homepage.ntlworld.com/robin.d.h.walker/cmtips/trancache.html#ntl
>
>
> Or what do ISPs do to cache often hit sites outside of their network? Or
> don't they?
I don't know the answers to those questions.
>>> Wouldn't a simple firewall rule to block direct connects to the proxy IP
>>> address thwart such maliciousness?
>> That's the thing. The java app isn't making a direct connection to the
>> proxy IP. It is making a direct connection to the only IP it is allowed
>> to, the IP of the web server it came from. It is the fact that a
>> transparent proxy intercepts that connection which is what causes the hole.
>
> OK, so:
>
> rogue website ---- proxy ---- home PC
>
> and so the java script running on the home PC uses that home PC as a
> proxy for the rogue website to do further nasties to the rest of the
> world anonymously... OK, but how is that any different for whether the
> proxy is there or not?
>
> Or is that just an example of something the proxy /cannot/ protect against?
Just to be clear, you can't do any of this with JavaScript. JavaScript
is entirely different to Java.
The difference is this. A Java applet can only make a straight TCP
socket connection to the web server it came from, to prevent obvious
abuse vectors.
If you have a transparent web proxy, it can connect to any web server it
chooses.
--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
Technical Blog: https://secure.grepular.com/blog/
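The mechanism Mike describes, as an added simulation that is not part of the list post or of any proxy's code: an applet is only permitted a socket to its origin host, but it writes the raw HTTP request itself and can put any name in the Host header. A transparent proxy that intercepts the connection and forwards to whatever Host resolves to lets the applet reach arbitrary servers; one that checks Host against the IP the client actually connected to (or simply forwards to that IP) does not. Host names, IPs and the DNS table below are constructed assumptions.

```python
"""Simulate the transparent-proxy hole: a same-origin applet socket
plus a Host-header-trusting proxy equals an open proxy.  Constructed
example with no network access; the resolver is a dict (assumption)."""

# Constructed stand-in for DNS (assumption; not real hosts).
DNS = {
    "origin.example": "203.0.113.10",   # where the applet was loaded from
    "other.example":  "198.51.100.7",   # a server the applet must not reach
}

# Constructed raw request an applet might write on its socket to
# 203.0.113.10:80.  The socket is to its origin, so the sandbox allows it,
# but the Host header names a different site.
ABUSIVE_REQUEST = (
    b"GET /secret HTTP/1.1\r\n"
    b"Host: other.example\r\n"
    b"Connection: close\r\n\r\n"
)
HONEST_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: origin.example:80\r\n\r\n"
)
HTTP10_REQUEST = b"GET / HTTP/1.0\r\n\r\n"   # no Host header at all


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, version, headers)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def host_from_headers(headers: dict):
    """Return the Host header's host part (port stripped), or None."""
    host = headers.get("host")
    if not host:
        return None
    return host.rsplit(":", 1)[0] if ":" in host else host


def naive_route(intercepted_dst_ip: str, raw: bytes) -> str:
    """Proxy that trusts the Host header.  The IP the client really
    connected to is ignored, so the applet chooses the upstream target."""
    _, _, _, headers = parse_request(raw)
    host = host_from_headers(headers)
    if host is None:
        return intercepted_dst_ip            # HTTP/1.0: nothing to trust
    return DNS[host]


def checked_route(intercepted_dst_ip: str, raw: bytes):
    """Proxy that only forwards when Host resolves to the intercepted
    destination IP.  Returns the upstream IP, or None if the request is
    refused because Host and destination disagree."""
    _, _, _, headers = parse_request(raw)
    host = host_from_headers(headers)
    if host is None:
        return intercepted_dst_ip            # no Host: keep original dest
    if DNS.get(host) != intercepted_dst_ip:
        return None                          # Host points elsewhere: refuse
    return intercepted_dst_ip


if __name__ == "__main__":
    dst = DNS["origin.example"]
    print("naive proxy forwards abusive request to:", naive_route(dst, ABUSIVE_REQUEST))
    print("checked proxy forwards abusive request to:", checked_route(dst, ABUSIVE_REQUEST))
    print("checked proxy forwards honest request to:", checked_route(dst, HONEST_REQUEST))
```

Run stand-alone, the naive proxy hands the applet's request to 198.51.100.7, a server its sandbox never allowed it to touch; the checked proxy refuses that request while still serving the honest one and the Host-less HTTP/1.0 one. The same check is what a real interception proxy needs: bind the upstream destination to the intercepted connection, not to a client-controlled header.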