[Nottingham] apache or squid for proxying?
Mike Cardwell
nlug at lists.grepular.com
Wed Oct 14 23:22:59 UTC 2009
Martin wrote:
>> Right, afaics there is no fix. It is an inherent problem with
>> transparent web proxies which use the HTTP Host header to decide which
>> IP to connect to.
>>
>> If you just set up a normal web proxy that doesn't do transparent
>> proxying, it's fine.
>
> From a bit of surfing around, there are claimed to be 'fixes' by
> various vendors although they give no details as to what the fix is. (Or
> even if it is just that they turn that feature off!)
The "fixes" that I've seen mentioned have just been damage limitation
exercises, but the hole remains open. E.g. disabling the CONNECT method
and ports other than 80. That still leaves HTTP requests through port 80
wide open.
> Are there any proxies that also check the source and destination IPs as
> a check to thwart hijacking the connection?
If the proxy application knows the destination IP/port of the connection
that it is intercepting, then that would work. The problem is when the
proxy determines the destination IP by reading the HTTP Host header. I'm
sure there's a trick to it, but you can't just drop Apache/Squid on a
box and use iptables to redirect the connection without leaving the hole
open.
> The best comment I've seen if you're using a transparent proxy is to use
> Firefox with the NoScript add-on...
Yeah, a pretty poor solution though.
--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
Technical Blog: https://secure.grepular.com/blog/
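The check Mike describes above (a proxy that uses the real destination of the intercepted connection rather than the Host header) in working form, as an added example that is not code from this thread and not Apache's or Squid's own logic. It assumes a Linux box where iptables has redirected port 80 to the proxy (e.g. `iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128`), so the original destination can be read back with the SO_ORIGINAL_DST socket option. The host names, addresses and the table-driven resolver are constructed for the example so it runs offline; the naive `vulnerable_upstream` is included only to show the hole beside the fix.

```python
"""Added example: where should a transparent HTTP proxy connect to?

The hole in the thread exists because the proxy picks its upstream IP from
the client-supplied Host header. A browser plugin can open a TCP connection
to an attacker's host and send a Host header naming an internal server; a
Host-driven proxy then connects to the internal server on the client's behalf.
The fix is to take the upstream address from the intercepted connection itself
(SO_ORIGINAL_DST on Linux after an iptables REDIRECT) and treat the Host header
as untrusted input to be checked against it.
"""
import ipaddress
import socket
import struct
from typing import Callable, Iterable, Optional, Tuple

SO_ORIGINAL_DST = 80  # from <linux/netfilter_ipv4.h>; not exported by the socket module

Resolver = Callable[[str], Iterable[str]]
Endpoint = Tuple[str, int]


def parse_sockaddr_in(raw: bytes) -> Endpoint:
    """Decode the struct sockaddr_in the kernel returns for SO_ORIGINAL_DST."""
    if len(raw) < 8:
        raise ValueError("short sockaddr_in")
    (family,) = struct.unpack_from("=H", raw, 0)  # sa_family_t, host byte order
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET address")
    (port,) = struct.unpack_from("!H", raw, 2)    # sin_port, network byte order
    return socket.inet_ntoa(raw[4:8]), port       # sin_addr


def get_original_dst(sock: socket.socket) -> Endpoint:
    """Pre-REDIRECT destination of an accepted connection (Linux + iptables only)."""
    return parse_sockaddr_in(sock.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))


def parse_host_header(request: bytes) -> Optional[Endpoint]:
    """(host, port) from the Host header; None if it is missing, duplicated or malformed."""
    head = request.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            values.append(value.strip())
    if len(values) != 1:                          # absent or ambiguous: do not guess
        return None
    try:
        value = values[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    host, port_s = value, None
    if value.startswith("["):                     # bracketed IPv6 literal, maybe :port
        end = value.find("]")
        if end < 0:
            return None
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            return None
        port_s = rest[1:] if rest else None
    elif ":" in value:
        host, port_s = value.rsplit(":", 1)
    port = 80
    if port_s is not None:
        if not port_s.isdigit() or not 0 < int(port_s) < 65536:
            return None
        port = int(port_s)
    return (host.lower(), port) if host else None


def system_resolver(host: str) -> Iterable[str]:
    """Real DNS lookup (IPv4 only, to match the sockaddr_in above)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)}


def _addresses(host: str, resolver: Resolver) -> set:
    """IP literals stand for themselves; names go through the (injectable) resolver."""
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        return {str(ipaddress.ip_address(a)) for a in resolver(host)}


def vulnerable_upstream(request: bytes, resolver: Resolver = system_resolver) -> Optional[Endpoint]:
    """The naive behaviour: trust the Host header to choose the upstream IP."""
    parsed = parse_host_header(request)
    if parsed is None:
        return None
    host, port = parsed
    addrs = sorted(_addresses(host, resolver))
    return (addrs[0], port) if addrs else None


def hardened_upstream(request: bytes, original_dst: Endpoint,
                      resolver: Resolver = system_resolver) -> Optional[Endpoint]:
    """Forward only to where the client's TCP connection was really going.

    The Host header must name a host that resolves to that address, on that
    port; any mismatch is treated as an attempt to steer the proxy elsewhere.
    """
    parsed = parse_host_header(request)
    if parsed is None:
        return None
    host, port = parsed
    orig_ip, orig_port = original_dst
    if port != orig_port or orig_ip not in _addresses(host, resolver):
        return None
    return original_dst


if __name__ == "__main__":
    # Constructed names/addresses: the plugin connected to the attacker's server
    # but sent a Host header naming an internal box.
    table = {"intranet.example": ["10.0.0.5"], "attacker.example": ["203.0.113.9"]}
    fake = lambda h: table.get(h, [])
    evil = b"GET /secret HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
    print(vulnerable_upstream(evil, fake))                     # ('10.0.0.5', 80)
    print(hardened_upstream(evil, ("203.0.113.9", 80), fake))  # None
```

The essential part of the fix is that `hardened_upstream` only ever returns `original_dst`; the Host header is never used to pick an IP. The additional Host-resolves-to-that-IP comparison is stricter than strictly necessary and will reject legitimate requests where the client's DNS answer differed from the proxy's (round-robin or geo DNS), so a deployment that cannot tolerate that should log the mismatch rather than drop the request, and still forward only to the original destination. Squid's own transparent-interception mode and Apache's mod_proxy are not shown here; this is the check in isolation.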