False configured mod_rewrite/mod_proxy with squid proxy

2012-05-23 2 views
0

We are using squid for one of our applications, and we are receiving abuse reports from a website saying "He used xrumer or other Tools or had a false configured mod_rewrite/mod_proxy who is abused".

We suspect that someone is using this squid proxy on our behalf, or that these configurations really are not set up properly. I don't have much experience with squid or the Apache module rules.

What could the problem be?

Here is the squid.conf:

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# Recommended minimum configuration:
#
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# Changed by XYZ ([email protected]) to allow http_access from ALL
http_access allow all
# And finally deny all other access to this proxy. Changed by Ankit Narang ([email protected]).
#http_access deny all
# Squid normally listens to port 3128
http_port 80
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
# Changed by Ankit Narang ([email protected])
forwarded_for off
access_log none
#Making Squid an anonymous proxy
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

Thanks.

Answer

0
http_access allow all 

This is definitely wrong. You have configured an open proxy, so anyone in the world can use your proxy to surf the web. I don't know your exact scenario, but you have to restrict access in some way.

If you use squid as a reverse proxy, for example, you should only allow access to the backend web server:

acl webserver dst x.x.x.x 
http_access allow webserver 
http_access deny all 

If you use the proxy as a forward proxy to browse the web:

acl mynetwork src x.x.x.x/y
http_access allow mynetwork
http_access deny all

Alternatively, you can use authentication.

+0

Can you allow a range of CIDRs for http_access? – instanceOfObject

+0

Yes, you can use an IP or IP/MASK in the ACL definition. –
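The answer's point, that `http_access allow all` turns the posted squid.conf into an open proxy and that the list has to end with `deny all`, shown in working code as an added example (not code from the question, the answer, or the Squid project): a small evaluator that replays requests against the acl/http_access lines using Squid's first-match rule. The addresses 203.0.113.7 and 10.1.2.3 are constructed test values, the evaluator models only the src, port, method and proto ACL types, and it takes the question's ACL lines with the ACLs placed above the rules that use them, as the stock squid.conf does (Squid refuses an http_access line that names an ACL not yet defined).

```python
"""Squid http_access evaluator: an added example, not code from the question
or from the Squid project. It replays requests against a squid.conf's
acl/http_access lines with Squid's first-match semantics, to show why the
posted config is an open proxy and that a final 'http_access deny all'
closes it. Only the acl types src, port, method and proto are modelled and
every address used here is constructed (RFC 5737 TEST-NET ranges)."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Request:
    src: str                # client address as seen by Squid
    port: int = 80          # origin port (the CONNECT target for tunnels)
    method: str = "GET"
    proto: str = "http"     # URL scheme; 'cache_object' is the cache manager

def parse_squid_conf(text):
    """Return (acls, rules): acls maps name -> (type, values); rules is the
    ordered list of (action, [(negated, acl_name)]). As in Squid, a rule may
    only reference ACLs defined above it."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments and blanks
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) >= 4:
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access" and len(parts) >= 3:
            if parts[1] not in ("allow", "deny"):
                raise ValueError(f"bad http_access action {parts[1]}")
            terms = [(v.startswith("!"), v.lstrip("!")) for v in parts[2:]]
            for _, name in terms:
                if name not in acls:
                    raise ValueError(f"http_access uses undefined acl {name}")
            rules.append((parts[1], terms))
    return acls, rules

def _acl_matches(acls, name, req):
    acl_type, values = acls[name]
    if acl_type == "src":
        addr = ipaddress.ip_address(req.src)
        for v in values:
            if v == "all":  # 'acl all src all' matches every address
                return True
            net = ipaddress.ip_network(v, strict=False)
            if net.version == addr.version and addr in net:
                return True
        return False
    if acl_type == "port":  # single port or lo-hi range
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if acl_type == "method":
        return req.method.upper() in {v.upper() for v in values}
    if acl_type == "proto":
        return req.proto.lower() in {v.lower() for v in values}
    raise ValueError(f"acl type {acl_type} not modelled here")

def evaluate(policy, req):
    """Return (decision, index of the deciding rule or None). The first rule
    whose terms all match decides; when none matches Squid applies the
    OPPOSITE of the last rule's action, hence the customary final 'deny all'."""
    acls, rules = policy
    for i, (action, terms) in enumerate(rules):
        if all(_acl_matches(acls, n, req) != neg for neg, n in terms):
            return action, i
    if not rules:
        return "deny", None
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

def is_open_proxy(policy, probe_src="203.0.113.7"):
    """True if a plain GET from a public (TEST-NET-3) address gets proxied."""
    return evaluate(policy, Request(src=probe_src))[0] == "allow"

# The question's acl/http_access lines (site-specific ones omitted), with the
# ACLs placed above the rules that use them as in the stock squid.conf.
POSTED_CONF = """
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl localnet src 10.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access allow all
"""
# The answer's fix: the catch-all becomes the final deny.
FIXED_CONF = POSTED_CONF.replace("http_access allow all", "http_access deny all")
```

Running `is_open_proxy(parse_squid_conf(POSTED_CONF))` returns True because a request from any public address falls through every earlier rule and hits `http_access allow all`; with FIXED_CONF the same request is denied while 10.1.2.3 (localnet) and ::1 (localhost) are still allowed. The evaluator also shows the trap the answer hints at: a list that simply omits the final `deny all` does not deny by default but applies the opposite of its last line. Validate a real file with `squid -k parse` rather than with this model, and note two other lines in the posted config that matter for abuse handling: `access_log none` means there is no record to investigate a complaint with, and `forwarded_for off` plus the header anonymisation means the target site only ever sees the proxy's address, which is why the report landed here.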