On 11/07/2014 2:34 p.m., freefall12 wrote:
> some http proxy service providers here just assigned an unique proxy address
> and port to a user, and the user just need to enter the necessary proxy
> address and port to get access.I think this method is superior to username
> and password authentication, and also,this makes it possible to proxy a lot
> of mobile apps on ios devices and android which don't support traditional
> proxy authentication. i found they are using squid for caching and proxying.
> can squid alone achieve this? Thank you
>
The myportname type ACL is used to match the Squid listening http_port.
* be aware that there is zero security verification that the client
accessing the port is the one you believe it to be. It is far inferior
to authentication, and this type of proxy protection can leave your
Squid as an "open proxy" / "open relay".
For matching remote client IP:port details it is not possible because
the source port is randomised by TCP on every connection. Beyond that
killer problem all modern clients have between 2 and 8 IP addresses, and
the IPv6 so-called "privacy address" changes its value randomly every
few minutes.
On the subject of superiority, allowing an unverified access is inferior
to allowing a verified access. Authentication is simply the name for
*the* process of verifing some details are from the source they claim to
be (whether that detail be an IP:port or a user:password).
So by definition authorizing access to an IP:port without
authenticating the IP:port values first is inferior security.
Yes allowing based on IP:port (or just IP as usually done) allows a lot
of applications that are not compliant with HTTP through the proxy. It
also allows a lot of attack types to happen far more easily. Your choice.
Amos
Received on Fri Jul 11 2014 - 04:57:56 MDT
This archive was generated by hypermail 2.2.0 : Fri Jul 11 2014 - 12:00:04 MDT