File: FAQ-25.html

package info (click to toggle)
squid 2.6.5-6etch5
  • links: PTS
  • area: main
  • in suites: etch
  • size: 12,540 kB
  • ctags: 13,801
  • sloc: ansic: 105,278; sh: 6,083; makefile: 1,297; perl: 1,245; awk: 40
file content (64 lines) | stat: -rw-r--r-- 2,408 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.21">
 <TITLE>SQUID Frequently Asked Questions: Security Concerns</TITLE>
 <LINK HREF="FAQ-24.html" REL=previous>
 <LINK HREF="FAQ.html#toc25" REL=contents>
</HEAD>
<BODY>
Next
<A HREF="FAQ-24.html">Previous</A>
<A HREF="FAQ.html#toc25">Contents</A>
<HR>
<H2><A NAME="s25">25.</A> <A HREF="FAQ.html#toc25">Security Concerns</A></H2>

<H2><A NAME="ss25.1">25.1</A> <A HREF="FAQ.html#toc25.1">Open-access proxies</A>
</H2>

<P>Squid's default configuration file denies all client requests.  It is the
administrator's responsibility to configure Squid to allow access only
to trusted hosts and/or users.</P>
<P>If your proxy allows access from untrusted hosts or users, you can be
sure that people will find and abuse your service.  Some people
will use your proxy to make their browsing anonymous.  Others will
intentionally use your proxy for transactions that may be illegal
(such as credit card fraud).  A number of web sites exist simply
to provide the world with a list of open-access HTTP proxies.  You
don't want to end up on this list.</P>
<P>Be sure to carefully design your access control scheme.  You should
also check it from time to time to make sure that it works as you
expect. </P>

<H2><A NAME="ss25.2">25.2</A> <A HREF="FAQ.html#toc25.2">Mail relaying</A>
</H2>

<P>SMTP and HTTP are rather similar in design.  This, unfortunately, may
allow someone to relay an email message through your HTTP proxy.  To
prevent this, you must make sure that your proxy denies HTTP requests
to port 25, the SMTP port.</P>
<P>Squid is configured this way by default.  The default <EM>squid.conf</EM>
file lists a small number of trusted ports.  See the <EM>Safe_ports</EM>
ACL in <EM>squid.conf</EM>.  Your configuration file should always deny
unsafe ports early in the <EM>http_access</EM> lists:
<PRE>
http_access deny !Safe_ports
(additional http_access lines ...)
</PRE>
</P>
<P>Do NOT add port 25 to <EM>Safe_ports</EM> (unless your goal is to end
up in the 
<A HREF="http://mail-abuse.org/rbl/">RBL</A>).  You may
want to make a cron job that regularly verifies that your proxy blocks
access to port 25.</P>
<P>
<PRE>
$Id: FAQ.sgml,v 1.263 2006/03/16 10:03:08 hno Exp $
</PRE>
</P>
<HR>
Next
<A HREF="FAQ-24.html">Previous</A>
<A HREF="FAQ.html#toc25">Contents</A>
</BODY>
</HTML>