[Nottingham] apache or squid for proxying?

Martin martin at ml1.co.uk
Wed Oct 14 20:12:52 UTC 2009


Mike Cardwell wrote:
> Mike Cardwell wrote:
> 
>>> The difference is this. A java applet can only make a straight tcp 
>>> socket connection to the web server it came from, to prevent obvious 
>>> abuse vectors.
>>>
>>> If you have a transparent web proxy, it can connect to any web server it 
>>> chooses.
>> Here's a description of the issue: https://www.kb.cert.org/vuls/id/435052
>>
>> It seems some proxy servers have actually managed to fix the issue. I'm 
>> not sure what the fix is, but I'm going to look it up anyway as it's 
>> interesting stuff. Squid is still listed as vulnerable though. Apache 
>> isn't even listed on that page.
> 
> Right, afaics there is no fix. It is an inherent problem with 
> transparent web proxies which use the HTTP Host header to decide which 
> IP to connect to.
> 
> If you just set up a normal web proxy that doesn't do transparent 
> proxying, it's fine.

 From a bit of surfing around, there are claimed to be 'fixes' by 
various vendors although they give no details as to what the fix is. (Or 
even if it is just that they turn that feature off!)

Are there any proxies that also check the source and destination IPs as 
a check to thwart hijacking the connection?


The best comment I've seen if you're using a transparent proxy is to use 
Firefox with the NoScript add-on...


Thanks for that interesting one.

Cheers,
Martin

-- 
----------------
Martin Lomas
martin at ml1.co.uk
----------------



More information about the Nottingham mailing list