Securing a Squid reverse proxy
Hello,
I am currently working on a reverse proxy solution with Squid
to accelerate my servers and save their bandwidth.
I have read that there are security risks with proxies...
especially when they
are misconfigured.
Do you have any information on the subject?
(settings to avoid, or anything else)
Thanks
My squid.conf:
########################
http_port 80
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 8 MB
cache_dir ufs /var/spool/squid 100 16 256
refresh_pattern \.(gif|jpg|jpeg|png)$ 600 80% 86400
refresh_pattern \.(xbm|xpm|ico|tiff)$ 600 80% 86400
refresh_pattern \.(au|snd|wav|ra|mid)$ 600 80% 86400
refresh_pattern \.(qt|mov|avi|mpeg)$ 600 80% 86400
refresh_pattern \.(iv|wrl|vrml)$ 600 80% 86400
refresh_pattern \.(Z|gz)$ 600 80% 86400
refresh_pattern \.(hqx|bin)$ 600 80% 86400
refresh_pattern \.(tar|zip)$ 600 80% 86400
refresh_pattern ^http:// 30 50% 86400
refresh_pattern ^ftp:// 30 50% 86400
refresh_pattern . 30 30% 43200
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
log_fqdn on
hosts_file /etc/hosts
acl www_domaine_com dst 1.2.3.4
acl acceleratedPort port 80
http_access allow www_domain_com acceleratedPort
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow all
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
httpd_accel_port 0
httpd_accel_host virtual
httpd_accel_single_host off
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /var/spool/squid
##############################
--
Generation Libre
Information and mutual-help site for free software
http://www.generation-libre.com
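
As an added example (not part of the original post and not Squid project code), the Python script below audits the http_access rules of the configuration quoted above, relying on the fact that Squid stops at the first http_access rule that matches. The function names and finding labels are this example's own; the sample lines are an excerpt of the posted squid.conf in their original order.

```python
ANY_SRC = {"0.0.0.0/0", "0.0.0.0/0.0.0.0"}   # src values that match every client
# Added example: excerpt of the configuration quoted in the post, original order.
SAMPLE = """\
acl www_domaine_com dst 1.2.3.4
acl acceleratedPort port 80
http_access allow www_domain_com acceleratedPort
acl all src 0.0.0.0/0.0.0.0
acl CONNECT method CONNECT
http_access allow all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
httpd_accel_host virtual
httpd_accel_with_proxy on
"""

def matches_any(acls, token):
    return not token.startswith("!") and any(
        kind == "src" and value in ANY_SRC for kind, value in acls.get(token, []))

def audit(conf):
    """Return (line, finding, detail) tuples; finding names are this example's own."""
    acls, opts, findings, catch_all = {}, {}, [], None
    for n, raw in enumerate(conf.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "acl" and len(tok) >= 4:
            acls.setdefault(tok[1], []).append((tok[2], tok[3]))
        elif tok[0] == "http_access" and len(tok) >= 3:
            for t in tok[2:]:            # names checked against ACLs defined so far
                if t.lstrip("!") not in acls:
                    findings.append((n, "undefined-acl", t.lstrip("!")))
            if catch_all:                # first matching rule wins; later ones never run
                findings.append((n, "unreachable", f"line {catch_all} matches every request"))
            elif all(matches_any(acls, t) for t in tok[2:]):
                catch_all = n
                if tok[1] == "allow":
                    findings.append((n, "allow-any", "every client is allowed"))
        else:
            opts[tok[0]] = (n, tok[1:])
    n, value = opts.get("httpd_accel_with_proxy", (0, []))
    if value == ["on"]:
        findings.append((n, "forward-proxy", "accelerator also answers proxy requests"))
    return findings

if __name__ == "__main__":
    for line, finding, detail in audit(SAMPLE):
        print(f"line {line}: {finding}: {detail}")
```

An "allow-any" finding together with "forward-proxy" means the accelerator will relay requests for any client to any destination, and every rule reported as "unreachable" (including the final deny) has no effect.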