|
Server : Apache/2.2.2 (Fedora) System : Linux App1.pathumtani.go.th 2.6.20-1.2320.fc5smp #1 SMP Tue Jun 12 19:40:16 EDT 2007 i686 User : apache ( 48) PHP Version : 5.2.9 Disable Function : NONE Directory : /proc/self/root/usr/share/doc/squid-2.5.STABLE14/ |
Upload File : |
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> <HTML> <HEAD> <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.21"> <TITLE>SQUID Frequently Asked Questions: Security Concerns</TITLE> <LINK HREF="FAQ-24.html" REL=previous> <LINK HREF="FAQ.html#toc25" REL=contents> </HEAD> <BODY> Next <A HREF="FAQ-24.html">Previous</A> <A HREF="FAQ.html#toc25">Contents</A> <HR> <H2><A NAME="s25">25.</A> <A HREF="FAQ.html#toc25">Security Concerns</A></H2> <H2><A NAME="ss25.1">25.1</A> <A HREF="FAQ.html#toc25.1">Open-access proxies</A> </H2> <P>Squid's default configuration file denies all client requests. It is the administrator's responsibility to configure Squid to allow access only to trusted hosts and/or users.</P> <P>If your proxy allows access from untrusted hosts or users, you can be sure that people will find and abuse your service. Some people will use your proxy to make their browsing anonymous. Others will intentionally use your proxy for transactions that may be illegal (such as credit card fraud). A number of web sites exist simply to provide the world with a list of open-access HTTP proxies. You don't want to end up on this list.</P> <P>Be sure to carefully design your access control scheme. You should also check it from time to time to make sure that it works as you expect. </P> <H2><A NAME="ss25.2">25.2</A> <A HREF="FAQ.html#toc25.2">Mail relaying</A> </H2> <P>SMTP and HTTP are rather similar in design. This, unfortunately, may allow someone to relay an email message through your HTTP proxy. To prevent this, you must make sure that your proxy denies HTTP requests to port 25, the SMTP port.</P> <P>Squid is configured this way by default. The default <EM>squid.conf</EM> file lists a small number of trusted ports. See the <EM>Safe_ports</EM> ACL in <EM>squid.conf</EM>. Your configuration file should always deny unsafe ports early in the <EM>http_access</EM> lists: <PRE> http_access deny !Safe_ports (additional http_access lines ...) </PRE> </P> <P>Do NOT add port 25 to <EM>Safe_ports</EM> (unless your goal is to end up in the <A HREF="http://mail-abuse.org/rbl/">RBL</A>). You may want to make a cron job that regularly verifies that your proxy blocks access to port 25.</P> <P> <PRE> $Id: FAQ.sgml,v 1.156 2002/12/21 21:14:06 hno Exp $ </PRE> </P> <HR> Next <A HREF="FAQ-24.html">Previous</A> <A HREF="FAQ.html#toc25">Contents</A> </BODY> </HTML>