Re: [squid-users] allowing restricted sites via squid

From: Chris Robertson <crobertson_at_gci.net>
Date: Tue, 17 Feb 2009 12:07:26 -0900

sameer shinde wrote:
> On Tue, Feb 17, 2009 at 1:50 AM, Chris Robertson <crobertson_at_gci.net> wrote:
>
>
>> Very insecure, but...
>>
>
> Not really....
> It is because, although Google gives you a domain name saying mail.ourdomain.com,
> when you access the URL it gets redirected to mail.google.com/a/ourdomain.com.
> It does not permanently allow you to work on mail.ourdomain.com,
> whereas the general Gmail has a referral link as mail.google.com/mail.
> This is the key difference between the site addresses, which one can block on.
> With this it does not become insecure, as only the domain-related
> websites will be accessible.
>
>
>
>> acl ourmail_referer referer_regex -i mail\.ourdomain\.com
>> acl gMail dstdomain .gmail.google.com
>> http_access allow gMail ourmail_referer
>>
>> ...would allow access to gmail.google.com if the referer header included the
>> string "mail.ourdomain.com". Be aware, this http_access rule would allow
>> ANYONE who can access your cache to access mail.google.com by faking the
>> referer.
>>
>
> Here, as you've said, ANYONE can access mail.google.com, but there it will not be.
>

I'll demonstrate using Squid:

acl gMail dstdomain .mail.google.com
# Deny the referer header when the destination domain is "*.mail.google.com"
header_access Referer deny gMail
# Replace the denied referer with "mail.ourdomain.com"
header_replace Referer mail.ourdomain.com

Now, if I set my Squid up to use yours as a parent, I can surf through my
proxy to a link to "mail.google.com". It doesn't matter where this link
is hosted, as my proxy replaces the Referer header with
"mail.ourdomain.com", and your proxy allows me through because it matched
the "http_access allow gMail ourmail_referer" on your proxy.

My example squid install is not needed (I can just fake the header
myself in a browser or a script), but it makes for an easy explanation
of the principle.

Granted, I would have to know that your proxy allows access to
mail.google.com with the correct referer, and I would need to know what
that referer is, but this is just security by obscurity, which, while
useful as a layer, is not very good alone.

A much better http_access line would be...

http_access allow our_networks gMail ourmail_referer

...before the http_access rule that blocks mail.google.com. That would
still allow people inside your network to get to gmail just by faking
the header, but at least they are (hopefully) less likely to abuse your
proxy.

>
> ~~~~~~~~~~~~~~
> Sameer Shinde.
> M:- +91 98204 61580
> Millions saw the apple fall, but Newton was the one who asked why.
>

Chris
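To make the difference between the two http_access lines concrete, here is a small model of how Squid evaluates them, written for this archive page as an added example; it is not code from the original mail or from the Squid project. It implements the subset of Squid ACL semantics the thread relies on (dstdomain with a leading dot, case-insensitive referer_regex, src by CIDR, first-matching http_access line wins, and the "opposite of the last line" default) and runs constructed requests through both the referer-only rule and Chris's tightened rule. The 10.0.0.0/8 range for our_networks, the 203.0.113.7 client address and the request values are assumptions for illustration; the ACL names and domains are the ones used in the thread.

```python
"""Model of Squid http_access evaluation for the referer-based allow rule.

Added example, not from the squid-users mail or from Squid itself.  The
our_networks range (10.0.0.0/8), the client addresses and the requests
below are constructed for illustration.
"""
import ipaddress
import re


def dstdomain(pattern):
    """Squid dstdomain: a leading dot matches the domain and all subdomains."""
    pattern = pattern.lower()

    def match(req):
        host = req["host"].lower()
        if pattern.startswith("."):
            return host == pattern[1:] or host.endswith(pattern)
        return host == pattern
    return match


def referer_regex(regex):
    """Squid referer_regex -i: unanchored, case-insensitive match on Referer."""
    rx = re.compile(regex, re.IGNORECASE)

    def match(req):
        return bool(rx.search(req.get("referer", "")))
    return match


def src(*cidrs):
    """Squid src: client address inside any of the given networks."""
    nets = [ipaddress.ip_network(c) for c in cidrs]

    def match(req):
        ip = ipaddress.ip_address(req["client_ip"])
        return any(ip in n for n in nets)
    return match


ACLS = {
    "gMail": dstdomain(".mail.google.com"),
    "ourmail_referer": referer_regex(r"mail\.ourdomain\.com"),
    "our_networks": src("10.0.0.0/8"),  # assumed internal range
}

# Referer-only rule from the thread, followed by the block on mail.google.com.
WEAK_POLICY = [
    ("allow", ["gMail", "ourmail_referer"]),
    ("deny", ["gMail"]),
]

# Chris's tightening: the request must also come from inside our_networks.
TIGHTER_POLICY = [
    ("allow", ["our_networks", "gMail", "ourmail_referer"]),
    ("deny", ["gMail"]),
]


def http_access(policy, req):
    """Lines are tried in order; a line matches only when every ACL on it
    matches, and the first matching line decides.  When no line matches,
    Squid applies the opposite of the last line's action."""
    for action, acl_names in policy:
        if all(ACLS[name](req) for name in acl_names):
            return action
    return "deny" if policy[-1][0] == "allow" else "allow"


def evaluate(policy, client_ip, host, referer=""):
    """Decide one request; returns 'allow' or 'deny'."""
    return http_access(policy, {"client_ip": client_ip, "host": host,
                                "referer": referer})


def compare_policies():
    """Constructed requests run through both policies, for inspection."""
    cases = [
        ("10.1.2.3", "mail.google.com", "http://mail.ourdomain.com/"),   # inside, expected referer
        ("203.0.113.7", "mail.google.com", "http://mail.ourdomain.com/"),  # outside, same referer
        ("10.1.2.3", "mail.google.com", ""),                             # inside, no referer
        ("10.1.2.3", "www.example.com", ""),                             # unrelated destination
    ]
    return {(ip, host, ref): (evaluate(WEAK_POLICY, ip, host, ref),
                              evaluate(TIGHTER_POLICY, ip, host, ref))
            for ip, host, ref in cases}


if __name__ == "__main__":
    for (ip, host, ref), (weak, tight) in compare_policies().items():
        print(f"{ip:>12} -> {host:18} referer={ref!r:32} weak={weak:5} tighter={tight}")
```

The second case is the one the thread is about: the Referer header is supplied by the client, so under WEAK_POLICY an address outside the network is allowed through exactly as an inside user would be, while TIGHTER_POLICY denies it regardless of what the header says. Neither policy can distinguish a genuine referer from a chosen one, which is why the src ACL, not the referer, is the control that limits who can use the rule.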
Received on Tue Feb 17 2009 - 21:07:32 MST
