Re: Is chrooting apache behind a reverse proxy useful ?
- To: <misc@openbsd.org>
- Subject: Re: Is chrooting apache behind a reverse proxy useful ?
- From: "Dom De Vitto" <dom@DeVitto.com>
- Date: Sat, 1 May 2004 08:52:29 +0100
- Organization: Secure Technologies Ltd.
"Clean data" ??
Squid _may_ not forward requests that upset Apache, but will it
never forward requests that upset any application (php/perl/whatever) ?
Does Squid understand that ?'s are valid in your usernames? No.
Just one application bug could give an attacker elevated access, but
in a chroot you (pretty much) 'cap' what that access could be.
Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto Tel. 07855 805 271
http://www.devitto.com mailto:dom@devitto.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Where do you want to go today? Same as every day.... Windows Update.
-----Original Message-----
From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org] On Behalf Of
Chuck Yerkes
Sent: Friday, April 30, 2004 11:29 PM
To: misc@openbsd.org
Subject: Re: Is chrooting apache behind a reverse proxy useful ?
Quoting Joel CARNAT (joel@carnat.net):
> Hi,
>
> I have Squid doing reverse-proxy to Apache on some other behind-NAT
> server.
> When Apache is directly reachable, I'm used to chrooting it. I'm just
> wondering if it still makes sense to do this if all the requests it gets
> come from a reverse-proxy (as exploits on Apache must be different than
> those on Squid) ?

If so, then I can form an exploit for apache and pass it THROUGH squid.
I've used hard core proxies that only allow certain requests, check buffers,
etc. Those have fallen by the wayside as the web grew and managing those
proxies meant losing user-needed features.
Do you trust squid to only pass "CLEAN" data back to apache?