[squid-users] RE: proxying CONNECT method & chat clients WAS: Yahoo Messenger and MSN not working in squid

From: Bryan Ragon <bragon@dont-contact.us>
Date: Thu, 23 May 2002 09:50:34 -0400

Very true, everything you said. However, how to go about allowing this
connection to work was--as far as I was thinking--the minor point I was
trying to make. The major point was the consistent lack of useful replies
concerning topics of this nature. The simple "squid is a http only proxy"
is far less helpful than the informative and useful reply you have below.
Would it be possible to get a question in the FAQ detailing chat clients,
how it's technically _possible_ for squid to be configured for them to work,
and the reasons why it's not recommended? (I know I searched the FAQs for
an answer before I posted my original question several months back, and I
just checked again last night). That could hopefully cut down on at least
some of these questions (we all know we'll still get people posting w/o
reading the FAQ).

You obviously know more about http proxies & methods than I: Is allowing
the CONNECT method to only a specific host at a specific IP a security hole,
or does it take a more "open" set of acl's to create a security breach? How
could this be abused? I'm sure there's a way, I just want to make sure I
cover all my bases.

Thanks,
Bryan

-----Original Message-----
From: Squid Support (Henrik Nordstrom) [mailto:hno@marasystems.com]
Sent: Thursday, May 23, 2002 9:40 AM
To: Bryan Ragon; squid-users@squid-cache.org
Subject: Re: [squid-users] Yahoo Messenger and MSN not working in squid

You mean that many chat clients support gross abuse of a "HTTP Proxy" to
proxy their non-HTTP protocol.
CONNECT is a very dangerous HTTP proxy method. You should not lift the
access controls on this method lightly. If you need a more generic proxy
then consider installing a SOCKS proxy (most such clients also support SOCKS).
Abusing a HTTP proxy in this manner is not by far a correct approach, even
if it appears to get the job done.

Bryan Ragon wrote:
> I don't know the answer to the original question (Missed it when it went
> through), but why is it whenever someone asks about a chat client and why
> it doesn't work through squid, the canned answer is always "Squid is a
> HTTP only proxy." Yes, we know that. But are you forgetting that almost every
> chat client out there supports HTTP proxies? In that case as long as your

>
> A more helpful answer would be:
> "Squid only supports http requests, so you need to be certain that your
> chat client supports using a http proxy and that it is configured to
> connect to your squid server at the right server and port."

> -----Original Message-----
> From: Marc Elsen [mailto:marc.elsen@imec.be]
> Sent: Wednesday, May 22, 2002 8:18 AM
> To: vinay thul
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Yahoo Messenger and MSN not working in squid
>
> vinay thul wrote:
> > I have configured the squid on linux 7.0 and it is
> > working fine for the browsing the internet.
> > But in this configuration Yahoo Messenger and MSN
> > messenger programs are not working.
>
> Note that SQUID is a http proxy only.
>
> M.
Received on Thu May 23 2002 - 07:55:26 MDT
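
Added example, not part of the original thread and not taken from the Squid project's documentation: a squid.conf fragment that puts the narrow CONNECT rule asked about in the thread (one destination address, one port) next to an over-broad one. The client range 10.0.0.0/8, the address 192.0.2.10, the port 5050 and the ACL names localnet, chat_server and chat_port are assumptions made for illustration.

```conf
# Assumed internal client range.
acl localnet src 10.0.0.0/8

# Stock guard: CONNECT is normally only permitted to TLS ports.
acl SSL_ports port 443 563
acl CONNECT method CONNECT

# Over-broad (left commented out): any internal client could open a raw
# TCP tunnel through the proxy to any host on any port.
# http_access allow CONNECT localnet

# Narrow exception: one destination address and one port (both assumed).
acl chat_server dst 192.0.2.10
acl chat_port port 5050

# http_access rules are checked in order and the first match wins, so the
# narrow allow has to come before the general CONNECT deny.
http_access allow CONNECT localnet chat_server chat_port
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```

Because every ACL on an http_access line must match, the exception applies only when the client range, the destination address and the port all match; every other CONNECT to a non-TLS port still hits the deny rule.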
