[Nottingham] apache or squid for proxying?

Mike Cardwell nlug at lists.grepular.com
Wed Oct 14 18:10:23 UTC 2009


Mike Cardwell wrote:

>> The difference is this. A Java applet can only make a straight TCP 
>> socket connection to the web server it came from, to prevent obvious 
>> abuse vectors.
>>
>> If you have a transparent web proxy, it can connect to any web server it 
>> chooses.
> 
> Here's a description of the issue: https://www.kb.cert.org/vuls/id/435052
> 
> It seems some proxy servers have actually managed to fix the issue. I'm 
> not sure what the fix is, but I'm going to look it up anyway as it's 
> interesting stuff. Squid is still listed as vulnerable though. Apache 
> isn't even listed on that page.

Right, afaics there is no fix. It is an inherent problem with 
transparent web proxies which use the HTTP Host header to decide which 
IP to connect to.

If you just set up a normal web proxy that doesn't do transparent 
proxying, it's fine.

-- 
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
Technical Blog: https://secure.grepular.com/blog/
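
The message above locates the problem in an intercepting proxy choosing its upstream IP from the HTTP Host header. The following sketch is an added example, not part of the original post and not code from Squid or Apache: it keeps the upstream connection on the address the client actually dialled and uses the Host header only for a consistency check. The function names, the injected resolver and the sample addresses are assumptions constructed for illustration.

```python
from typing import Callable, Iterable, NamedTuple, Tuple

class Decision(NamedTuple):
    connect_ip: str     # where the proxy opens the upstream socket
    connect_port: int
    host_matches: bool  # does the Host header resolve to that address?

def parse_host(raw_request: bytes) -> str:
    """Return the hostname from the single Host header, lower-cased, port stripped."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    hosts = [line.split(":", 1)[1].strip()
             for line in head.split("\r\n")[1:]
             if line.lower().startswith("host:")]
    if len(hosts) != 1:
        # Missing or duplicated Host headers are ambiguous; refuse to guess.
        raise ValueError("request must carry exactly one Host header")
    host = hosts[0]
    if host.startswith("["):                      # IPv6 literal, e.g. [::1]:8080
        return host[1:host.index("]")].lower()
    return host.rsplit(":", 1)[0].lower() if ":" in host else host.lower()

def route_intercepted(raw_request: bytes,
                      orig_dst: Tuple[str, int],
                      resolve: Callable[[str], Iterable[str]]) -> Decision:
    """Routing decision for one intercepted request.

    orig_dst is the address the client's TCP connection was really aimed at
    (assumed to be recovered from the NAT layer by the caller). The upstream
    connection always goes there; the Host header never selects the IP.
    """
    host = parse_host(raw_request)
    orig_ip, orig_port = orig_dst
    matches = orig_ip in set(resolve(host))
    return Decision(orig_ip, orig_port, matches)

# Constructed sample data: documentation addresses and made-up names.
SAMPLE_DNS = {"www.example.com": ["192.0.2.10"], "intranet.example": ["10.0.0.5"]}
sample_resolve = lambda name: SAMPLE_DNS.get(name, [])

honest = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
forged = b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"

if __name__ == "__main__":
    for req in (honest, forged):
        print(route_intercepted(req, ("192.0.2.10", 80), sample_resolve))
```

A `host_matches` value of `False` is the case worth logging or rejecting: the client connected to one server while naming another in the Host header.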


