Bugtraq mailing list archives

Re: Raptor 6.5 http vulnerability (fwd)


From: Lincoln Yeoh <lyeoh () POP JARING MY>
Date: Wed, 28 Mar 2001 11:06:15 +0800

At 10:16 PM 27-03-2001 +1000, Peter Robinson wrote:
> Most http Proxy solutions (including squid and fw1) do this unless you
> specify otherwise.
> If you don't know what you're doing... you don't know what you're doing!!.
>
> Don't blame the software.....
>
> This is NOT a bug, just a feature .. Often you want people to use their
> proxy to access web sites on other ports.

Actually it looks like bad design to me. It's common but bad. I blame the
software and the designers. I don't know why they're doing what they're doing.

They seem to be making a single proxy do the job of two or more proxies.
Just because it's a http proxy doesn't mean it should do everything to do
with http.

I think the different functions should be split to different software with
different goals.

e.g.
http proxy to protect internal clients from the big bad webservers outside.
With hooks for antivirus scanning etc.

http proxy for performance: client caching, which can be chained to the
"save the users" proxy.

http proxy to protect internal webservers from the naughty script kiddies
outside.

HTTP accelerator to speed things up for servers: load balancing, output
buffering, etc. (Probably not on the firewall.)

You could combine some http client proxies, but I think it's a bad idea to
combine http client and server proxies into one big do everything proxy.
Why do that? It seems like asking for trouble to me.

That said, I have not seen any mainstream vendor coming up with a
specialised http proxy to protect webservers. It's not easy to do right due
to the loads involved, but it should actually be simpler if the software is
specialised.

Cheerio,
Link.
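The "unless you specify otherwise" setting the quoted message refers to, shown for squid as an added illustration that is not part of this thread or of any vendor's shipped configuration: the first fragment is the permissive form, the second is the deny-by-default port policy from squid's stock squid.conf. The internal client range is an assumption; Raptor's own configuration is not reproduced.

```conf
# squid.conf fragment, added illustration (not from the thread).

# Weak: the proxy relays client requests to any destination host and
# port, so the HTTP proxy doubles as a general TCP relay.
acl localnet src 10.0.0.0/8        # assumption: internal client range
http_access allow localnet
http_access allow all

# Corrected: squid's stock deny-by-default port rules.
# Plain requests may only reach listed Safe_ports; CONNECT tunnels may
# only reach SSL_ports; both denies run before any allow is consulted.
# (Stock squid.conf also lists ftp, gopher and 1025-65535 here; a
# tighter policy for a firewall proxy drops those lines.)
acl SSL_ports port 443
acl Safe_ports port 80             # http
acl Safe_ports port 443            # https
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```

A quick check after a reload is to request a non-listed port through the proxy from an internal client and confirm squid answers with its access-denied error page rather than connecting.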
