Re: /bzr/squid3/trunk/ r9907: Add 0.0.0.0 as an to_localhost address

2009-08-17 Thread Henrik Nordstrom
Mon 2009-08-17 at 14:08 +1200, Amos Jeffries wrote:

> For this usage 127.* is not a bogon at all.
> Yet 0.0.0.0 in its place would be completely insane despite any 
> trickery the TCP stack might do to cope.

Is it? It either goes to 127.0.0.1 or nowhere.

Regards
Henrik




Re: /bzr/squid3/trunk/ r9907: Add 0.0.0.0 as an to_localhost address

2009-08-16 Thread Amos Jeffries

Henrik Nordstrom wrote:
> Sun 2009-08-16 at 19:17 +1200, Amos Jeffries wrote:
>
>> Aha. Just connect() then? not really bind() or listen()?
>
> Correct. Bind to 0.0.0.0 is "any address".
>
>> I'm thinking that aliasing has already been done before Squid gets such 
>> packets at the 'other end'. So that we only see the real localhost IP if 
>> it's intercepted. Right?
>
> 0.0.0.0 is not valid for use on the wire. I would expect stacks to
> discard such packets.
>
>> Problem might be DNS on forward proxy traffic, but that's validated out 
>> of existence to a NXDOMAIN.
>
> ?
>
>> Leaving only hosts file entries. I know 0.0.0.0 is used to bogonize 
>> domain names at times. Because it doesn't resolve!
>
>> For the intended use of the ACL as you highlight, yes I agree it's a 
>> good change. It may not be good for the reality situation though.
>
> Well, it's the same thing so doesn't matter really.
>
>> What about a bogons ACL for less confusion?
>
> dst 0.0.0.0 is not more bogon than dst 127.0.0.1.



Yes it is.

Consider the virtual host setup with DNS views:

  foo.example.com -> 1.2.3.4  (when the public checks)
  foo.example.com -> 127.0.0.1  (when Squid checks)

 Squid listening on 1.2.3.4:80
 Apache listening on 127.0.0.1:80

Based on what ACL the admin can see in the config file and what they 
need to do, squid.conf very often gets this:

  http_access allow to_localhost
  cache_peer_access apache allow to_localhost

For this usage 127.* is not a bogon at all.
Yet 0.0.0.0 in its place would be completely insane despite any 
trickery the TCP stack might do to cope.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13


Re: /bzr/squid3/trunk/ r9907: Add 0.0.0.0 as an to_localhost address

2009-08-16 Thread Henrik Nordstrom
Sun 2009-08-16 at 19:17 +1200, Amos Jeffries wrote:

> Aha. Just connect() then? not really bind() or listen()?

Correct. Bind to 0.0.0.0 is "any address".

> I'm thinking that aliasing has already been done before Squid gets such 
> packets at the 'other end'. So that we only see the real localhost IP if 
> it's intercepted. Right?

0.0.0.0 is not valid for use on the wire. I would expect stacks to
discard such packets.

> Problem might be DNS on forward proxy traffic, but that's validated out 
> of existence to a NXDOMAIN.

?

> Leaving only hosts file entries. I know 0.0.0.0 is used to bogonize 
> domain names at times. Because it doesn't resolve!

> For the intended use of the ACL as you highlight, yes I agree it's a 
> good change. It may not be good for the reality situation though.

Well, it's the same thing so doesn't matter really.

> What about a bogons ACL for less confusion?

dst 0.0.0.0 is not more bogon than dst 127.0.0.1.

Regards
Henrik



Re: /bzr/squid3/trunk/ r9907: Add 0.0.0.0 as an to_localhost address

2009-08-16 Thread Amos Jeffries

Henrik Nordstrom wrote:
> Sun 2009-08-16 at 18:20 +1200, Amos Jeffries wrote:
>> Henrik Nordstrom wrote:
>>>
>>> revno: 9907
>>> committer: Henrik Nordstrom 
>>> branch nick: trunk
>>> timestamp: Sat 2009-08-15 14:56:39 +0200
>>> message:
>>>   Add 0.0.0.0 as an to_localhost address
>>>   
>>>   Many TCP/IP(v4) stacks aliases 0.0.0.0 as 127.0.0.1.
>>>
>>> modified:
>>>   src/cf.data.pre
>>
>> Can you clue me in on this one please Henrik?
>
> See the note next to where to_localhost is used:
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
>> Why/What broken remote external clients are sending the reserved 
>> ANY_ADDR as the public global-scope destination? This seems to me akin 
>> to connecting to a remote server's port 0.
>
> Any client requesting a host that resolves to 0.0.0.0 or that IP
> explicitly.
>
>> Side-note: How can we expect wildcard port bindings to work on those 
>> machines when the ANY_ADDR (wildcard) IP is aliased to localhost-only?
>
> Not sure what you see as a problem.
>
> connect(0.0.0.0:80)
> and
> connect(127.0.0.1:80)
>
> is the same thing on many OSes for stupid historic reasons.

Aha. Just connect() then? not really bind() or listen()?

I'm thinking that aliasing has already been done before Squid gets such 
packets at the 'other end'. So that we only see the real localhost IP if 
it's intercepted. Right?

Problem might be DNS on forward proxy traffic, but that's validated out 
of existence to a NXDOMAIN.

Leaving only hosts file entries. I know 0.0.0.0 is used to bogonize 
domain names at times. Because it doesn't resolve!

> and this acl is for blocking clients trying to make the proxy connect to
> 127.0.0.1.

Ah, in the last year or so of checking people's configs I've seen that 
ACL used more for _allowing_ localhost access. For example, to allow 
public access to squid-cgi, apache, other squid agents on the same server.

For the intended use of the ACL as you highlight, yes I agree it's a 
good change. It may not be good for the reality situation though.

What about a bogons ACL for less confusion?

Amos


Re: /bzr/squid3/trunk/ r9907: Add 0.0.0.0 as an to_localhost address

2009-08-15 Thread Henrik Nordstrom
Sun 2009-08-16 at 18:20 +1200, Amos Jeffries wrote:
> Henrik Nordstrom wrote:
> > 
> > revno: 9907
> > committer: Henrik Nordstrom 
> > branch nick: trunk
> > timestamp: Sat 2009-08-15 14:56:39 +0200
> > message:
> >   Add 0.0.0.0 as an to_localhost address
> >   
> >   Many TCP/IP(v4) stacks aliases 0.0.0.0 as 127.0.0.1.
> > modified:
> >   src/cf.data.pre
> > 
> 
> Can you clue me in on this one please Henrik?

See the note next to where to_localhost is used:

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

> Why/What broken remote external clients are sending the reserved 
> ANY_ADDR as the public global-scope destination? This seems to me akin 
> to connecting to a remote server's port 0.

Any client requesting a host that resolves to 0.0.0.0 or that IP
explicitly.

> Side-note: How can we expect wildcard port bindings to work on those 
> machines when the ANY_ADDR (wildcard) IP is aliased to localhost-only?

Not sure what you see as a problem.

connect(0.0.0.0:80)
and
connect(127.0.0.1:80)

is the same thing on many OSes for stupid historic reasons.

and this acl is for blocking clients trying to make the proxy connect to
127.0.0.1.

Regards
Henrik
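
The point of the commit under discussion, as an added example that is not part of the thread or of Squid's own code: a small model of the destination check behind `http_access deny to_localhost`, showing why a rule that only matches `127.0.0.1` exactly is not enough once a stack treats `connect(0.0.0.0:80)` as `connect(127.0.0.1:80)`. The resolver table, hostnames and request samples are constructed for the demo; `LOCALHOST_NETS` mirrors the ACL's 127.0.0.0/8 plus the 0.0.0.0/8 range the commit adds, with `::1` and IPv4-mapped spellings thrown in as my own addition for a dual-stack proxy. The `loopback_alias_probe()` helper (not exercised by the test) lets a practitioner verify the aliasing behaviour on their own host before deciding whether the 0.0.0.0 entry matters there.

```python
"""Added example (not from the squid-dev thread or the Squid source).

Models the destination side of Squid's to_localhost ACL after r9907:
any request whose destination resolves to 127.0.0.0/8 *or* 0.0.0.0/8
must be treated as a request to the proxy host itself, because many
IPv4 stacks route connect(0.0.0.0:port) to 127.0.0.1:port.
"""
import ipaddress
import socket

# Destination prefixes that "deny to_localhost" needs to cover.
# 127.0.0.0/8 is loopback; 0.0.0.0/8 is the alias the commit adds.
# ::1 is my own addition for a dual-stack proxy (assumption, not from the page).
LOCALHOST_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]


def is_localhost_destination(addr_text: str) -> bool:
    """True if connecting to this address would land on the proxy host."""
    addr = ipaddress.ip_address(addr_text)
    # ::ffff:127.0.0.1 is just 127.0.0.1 with an IPv6 spelling; unwrap it
    # so the same IPv4 prefixes decide the outcome.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in LOCALHOST_NETS)


def naive_is_localhost(addr_text: str) -> bool:
    """The check the commit is fixing: exact match on 127.0.0.1 only."""
    return addr_text == "127.0.0.1"


# Constructed stand-in for DNS plus /etc/hosts as seen from the proxy.
FAKE_RESOLVER = {
    "www.example.com": ["192.0.2.10"],
    "adserver.example.net": ["0.0.0.0"],       # hosts-file style blackhole
    "intranet.example.com": ["127.0.0.1"],     # split-horizon DNS view
    "v6.example.org": ["::ffff:127.0.0.1"],    # IPv4-mapped spelling
}


def resolve(host: str) -> list:
    """Literal IPs resolve to themselves; unknown names give [] (NXDOMAIN)."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_RESOLVER.get(host, [])


def http_access_decision(host: str) -> tuple:
    """Emulates 'http_access deny to_localhost' followed by 'allow all'.

    Returns ("deny", reason), ("allow", first_address) or ("error", "NXDOMAIN").
    """
    addrs = resolve(host)
    if not addrs:
        return ("error", "NXDOMAIN")
    for a in addrs:
        if is_localhost_destination(a):
            return ("deny", "to_localhost matched " + a)
    return ("allow", addrs[0])


def loopback_alias_probe():
    """Does this host route connect(0.0.0.0:port) to a 127.0.0.1 listener?

    Returns True/False, or None if the environment forbids sockets.
    """
    try:
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        cli.settimeout(1.0)
        try:
            cli.connect(("0.0.0.0", port))
            return True
        except OSError:
            return False
        finally:
            cli.close()
            srv.close()
    except OSError:
        return None


if __name__ == "__main__":
    for h in ("www.example.com", "adserver.example.net", "intranet.example.com",
              "v6.example.org", "0.0.0.0", "nope.example"):
        print(h, "->", http_access_decision(h))
    print("naive check catches 0.0.0.0?", naive_is_localhost("0.0.0.0"))
    print("stack aliases 0.0.0.0 to loopback?", loopback_alias_probe())
```

On Linux and the BSDs the probe normally returns True, which is the situation the commit message describes; the ACL model then denies `adserver.example.net` and a literal `0.0.0.0` the same way it denies `intranet.example.com`, while the naive exact-match check lets the 0.0.0.0 cases through.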



Re: /bzr/squid3/trunk/ r9907: Add 0.0.0.0 as an to_localhost address

2009-08-15 Thread Amos Jeffries

Henrik Nordstrom wrote:
> revno: 9907
> committer: Henrik Nordstrom 
> branch nick: trunk
> timestamp: Sat 2009-08-15 14:56:39 +0200
> message:
>   Add 0.0.0.0 as an to_localhost address
>   
>   Many TCP/IP(v4) stacks aliases 0.0.0.0 as 127.0.0.1.
>
> modified:
>   src/cf.data.pre



Can you clue me in on this one please Henrik?

Why/What broken remote external clients are sending the reserved 
ANY_ADDR as the public global-scope destination? This seems to me akin 
to connecting to a remote server's port 0.


Side-note: How can we expect wildcard port bindings to work on those 
machines when the ANY_ADDR (wildcard) IP is aliased to localhost-only?



Amos