2012-05-23 51 views
0

We are using squid for one of our applications, and we received an abuse report from a website saying: "He used xrumer or other Tools or had a false configured mod_rewrite/mod_proxy who is abused".

We suspect that either someone else is using these squid proxies on our behalf, or the configuration is not actually set up correctly. I don't have much experience with squid or Apache mod rules.

What could be the problem?

The squid.conf is as below:

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# Recommended minimum configuration:
#
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# Changed by XYZ ([email protected]) to allow http_access from ALL
http_access allow all
# And finally deny all other access to this proxy. Changed by Ankit Narang ([email protected]).
#http_access deny all
# Squid normally listens to port 3128
http_port 80
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
# Changed by Ankit Narang ([email protected])
forwarded_for off
access_log none
#Making Squid an anonymous proxy
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all

Thanks.

Answer

0
http_access allow all 

That is indeed wrong. You have configured an open proxy, so everyone in the world can use your proxy to browse the web. I don't know your scenario at all, but you must restrict access in some way.

For example, if you are using squid as a reverse proxy, you should allow access only to the backend web server:

acl webserver dst x.x.x.x 
http_access allow webserver 
http_access deny all 

If you are using the proxy as a forward proxy for browsing the web:

acl MyNetwork src x.x.x.x/y
http_access allow MyNetwork
http_access deny all

You can also use authentication.

+0

Can we allow a set of CIDRs for http_access? – instanceOfObject

+0

Yes, you can use an IP or IP/MASK in the ACL definition. –
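To make the answer and the CIDR follow-up concrete, here is an added Python example (not code from the thread or from the squid project) that models how squid evaluates `http_access` rules: top to bottom, first matching rule wins, and if nothing matches the default is the opposite of the last rule. It parses only `acl ... src` definitions, which is the part relevant here, and the two sample configurations are constructed for illustration (the first mirrors the questioner's effective `allow all`, the second the answer's forward-proxy fix with a set of CIDRs spread over several `acl MyNetwork src` lines). The `audit` helper flags any `http_access allow` rule whose ACL matches every source address, which is the open-proxy condition the answer points out.

```python
import ipaddress

# Constructed sample: the effective source rules from the question's squid.conf
# (comments and non-src directives stripped). "allow all" makes it an open proxy.
OPEN_PROXY_CONF = """
acl all src all
acl localhost src 127.0.0.1/32 ::1
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
http_access allow localnet
http_access allow localhost
http_access allow all
"""

# Constructed sample: the answer's forward-proxy fix. Squid appends every
# "acl MyNetwork src ..." line to the same ACL, so a set of CIDRs is allowed.
RESTRICTED_CONF = """
acl all src all
acl MyNetwork src 10.1.0.0/16
acl MyNetwork src 192.0.2.0/24
http_access allow MyNetwork
http_access deny all
"""


def parse_conf(text):
    """Return (acls, rules): acls maps name -> list of networks (None = 'all'),
    rules is the ordered list of (action, acl_name, negated). Only 'src' ACLs
    are modelled; other ACL types and directives are ignored in this toy."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            nets = acls.setdefault(parts[1], [])
            for tok in parts[3:]:
                # strict=False accepts host bits set, as squid does for x.x.x.x/y
                nets.append(None if tok == "all" else ipaddress.ip_network(tok, strict=False))
        elif parts[0] == "http_access" and len(parts) == 3:
            action, acl = parts[1], parts[2]
            rules.append((action, acl.lstrip("!"), acl.startswith("!")))
    return acls, rules


def decide(acls, rules, client_ip):
    """First matching http_access rule decides; no match -> opposite of last rule."""
    ip = ipaddress.ip_address(client_ip)
    for action, name, negated in rules:
        if name not in acls:
            continue  # ACL type not modelled here (port, method, ...)
        # 'ip in network' is False across address families, so mixed v4/v6 is safe
        matched = any(net is None or ip in net for net in acls[name])
        if matched != negated:
            return action
    if rules:
        return "deny" if rules[-1][0] == "allow" else "allow"
    return "deny"


def audit(text):
    """Return a message naming the first 'allow' rule that matches every
    source address (an open proxy), or None if the config has no such rule."""
    acls, rules = parse_conf(text)
    for i, (action, name, negated) in enumerate(rules, start=1):
        if action == "allow" and not negated and None in acls.get(name, []):
            return f'open proxy: rule {i} "http_access allow {name}" matches every source'
    return None


if __name__ == "__main__":
    for label, conf in (("question", OPEN_PROXY_CONF), ("answer", RESTRICTED_CONF)):
        acls, rules = parse_conf(conf)
        print(label, "audit:", audit(conf))
        for client in ("203.0.113.9", "10.1.200.7", "192.0.2.77"):
            print(f"  {client}: {decide(acls, rules, client)}")
```

Running it shows the questioner's rules answering `allow` for an arbitrary Internet address such as 203.0.113.9, while the answer's version allows only the listed CIDRs and denies everything else. In the real service, the same check is what `squid -k parse` will not do for you: it validates syntax, not intent, so an ordering review of the `http_access` lines is still needed.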