Re: Is chrooting apache behind a reverse proxy useful ?
Quoting Dom De Vitto (dom@DeVitto.com):
> "Clean data" ??
>
> Squid _may_ not forward requests that upset Apache, but will it
> never forward requests that upset any application (php/perl/whatever) ?
How's that?
> Does Squid understand that ?'s are valid in your usernames? no.
> Just one application bug could give an attacker elevated access, but
> in a chroot you (pretty much) 'cap' what that access could be.
re: clean data
Yes, a la the TIS FWTK when it came out (and DEC SEAL before it).
ftp to gateway (it's what we had) and from there connect to target.
The proxy would block requests we didn't allow (GET, but no PUT).
The httpd proxy pretty well killed a pair of Alphas and allowed
only certain requests.
So yes, a proxy does something to break the user from connecting
directly to a foreign (therefore presumed hostile) server.
But it will easily pass back hostile data through the proxy.
Unless the proxy "cleans" the data (well).
What was that old easy "hostile URL"? telnet://localhost:19