Stable release of the Squid 5 proxy server

After three years of development, the stable release of the Squid 5.1 proxy server has been published, ready for use on production systems (the 5.0.x releases had beta status). Now that the 5.x branch has been given stable status, only fixes for vulnerabilities and stability problems will be made in it, and minor optimizations are also permitted. Development of new features will take place in the new experimental 6.0 branch. Users of the previous stable 4.x branch are advised to plan a migration to the 5.x branch.

Key new features in Squid 5:

  • The ICAP (Internet Content Adaptation Protocol) implementation, used for integration with external content-checking systems, has gained support for the data attachment mechanism (trailer), which allows additional headers with metadata to be attached to a response after the message body (for example, a checksum and details of detected problems can be sent).
  • When forwarding requests, the "Happy Eyeballs" algorithm is used, which immediately uses the first IP address received, without waiting for all potentially available IPv4 and IPv6 target addresses to be resolved. Instead of using the "dns_v4_first" directive to decide whether the IPv4 or IPv6 address family is used, the order of DNS responses is now taken into account: if the DNS AAAA response arrives first while waiting for the IP address to be resolved, the IPv6 address is used. Accordingly, the preferred address family is now configured at the firewall or DNS level, or at startup with the "--disable-ipv6" option. The change speeds up TCP connection setup and reduces the performance impact of delays in DNS resolution.
  • For use in the "external_acl" directive, the "ext_kerberos_sid_group_acl" handler has been added for authentication with group membership checks in Active Directory using Kerberos. The ldapsearch utility provided by the OpenLDAP package is used to look up group names.
  • Support for the Berkeley DB format has been deprecated because of licensing problems. The Berkeley DB 5.x branch has not been maintained for several years and still has unpatched vulnerabilities, and migration to newer releases is blocked by the license change to AGPLv3, whose terms also apply to applications that use BerkeleyDB as a library; Squid is distributed under the GPLv2 license, and AGPL is incompatible with GPLv2. Instead of Berkeley DB, the project has switched to the TrivialDB DBMS, which, unlike Berkeley DB, is optimized for simultaneous parallel access to the database. Berkeley DB support is retained for now, but the "ext_session_acl" and "ext_time_quota_acl" handlers now recommend the "libtdb" storage type instead of "libdb".
  • Added support for the CDN-Loop HTTP header, defined in RFC 8586, which allows loops to be detected when content delivery networks are used (the header protects against situations in which a request, while being redirected between CDNs, for some reason returns to the original CDN, forming an infinite loop).
  • The SSL-Bump mechanism, which allows the contents of encrypted HTTPS sessions to be intercepted, has gained support for forwarding spoofed (re-encrypted) HTTPS requests through other proxy servers listed in cache_peer, using a regular tunnel based on the HTTP CONNECT method (forwarding over HTTPS is not supported, since Squid cannot yet transport TLS inside TLS). SSL-Bump allows a TLS connection to be established with the target server when the first intercepted HTTPS request is received and its certificate to be obtained. After that, Squid uses the hostname from the real certificate received from the server and creates a dummy certificate, with which it impersonates the requested server when interacting with the client, while continuing to use the TLS connection established with the target server to receive data (so that the substitution does not cause warnings in browsers on the client side, the certificate used to generate the fake certificates must be added to the root certificate store).
  • Added the mark_client_connection and mark_client_pack directives for binding Netfilter marks (CONNMARK) to client TCP connections or individual packets.
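The "first answer wins" resolution described for the Happy Eyeballs change above, as an added example that is not Squid's code: the real resolver is replaced by a constructed stand-in that answers after a fixed delay, the addresses are documentation-range values chosen for the example, and the function names are assumptions. It shows why an AAAA record that arrives first yields an IPv6 connection regardless of any family preference in the proxy itself.

```python
"""First-answer-wins address selection, as described for Squid 5's forwarding.

Added example, not Squid's code. The real resolver is replaced by a constructed
stand-in that answers after a fixed delay, so the race can be run offline.
"""
import asyncio
from typing import Optional, Tuple

Answer = Tuple[str, Optional[str]]   # (record type, address or None for an empty answer)


async def fake_lookup(rrtype: str, address: Optional[str], delay: float) -> Answer:
    """Constructed resolver: returns the given record after `delay` seconds."""
    await asyncio.sleep(delay)
    return rrtype, address


async def first_usable_answer(*queries) -> Optional[Answer]:
    """Issue all queries concurrently and return the first non-empty answer.

    Neither family is preferred: whichever record arrives first is used, so an
    AAAA answer that beats the A answer yields an IPv6 address. Remaining
    queries are cancelled once an address is available.
    """
    pending = {asyncio.ensure_future(q) for q in queries}
    try:
        while pending:
            done, pending = await asyncio.wait(pending, return_when=asyncio.FIRST_COMPLETED)
            for task in done:
                rrtype, address = task.result()
                if address is not None:
                    return rrtype, address
        return None           # every query came back empty
    finally:
        for task in pending:
            task.cancel()


def pick_address(a_delay: float, aaaa_delay: float,
                 a_addr: Optional[str] = "192.0.2.10",
                 aaaa_addr: Optional[str] = "2001:db8::10") -> Optional[Answer]:
    """Run the race for one hostname with the given (constructed) answer delays."""
    return asyncio.run(first_usable_answer(
        fake_lookup("A", a_addr, a_delay),
        fake_lookup("AAAA", aaaa_addr, aaaa_delay),
    ))


if __name__ == "__main__":
    print(pick_address(a_delay=0.2, aaaa_delay=0.02))   # AAAA arrives first -> IPv6
    print(pick_address(a_delay=0.02, aaaa_delay=0.2))   # A arrives first -> IPv4
```

Because an empty answer for one family is skipped rather than treated as a result, a host with only an A record still resolves; the only way to force a family with this logic is to stop the other family's answers from arriving at all, which is exactly why the text points at the firewall, the DNS server or "--disable-ipv6".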

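The loop check that the CDN-Loop item above describes, as an added example that is not Squid's code: a small RFC 8586 parser plus the forward-or-refuse decision a proxy makes before adding its own identifier to the chain. The proxy identifier "proxy.example", the sample header values and the function names are constructed for this example.

```python
"""Loop detection with the CDN-Loop header (RFC 8586).

Added example, not Squid's code. A proxy that forwards a request appends its
own cdn-id to CDN-Loop; if it ever finds that id already present, the request
has come back around and must not be forwarded again.
"""
from typing import Dict, List, Tuple

# Constructed identifier for "our" proxy; RFC 8586 allows a hostname or a pseudonym.
OWN_CDN_ID = "proxy.example"


def _split_outside_quotes(text: str, sep: str) -> List[str]:
    """Split on `sep`, ignoring separators inside quoted-string parameter values."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if in_quotes:
            if ch == "\\" and i + 1 < len(text):      # quoted-pair: keep the escaped char
                buf.append(text[i:i + 2])
                i += 2
                continue
            if ch == '"':
                in_quotes = False
        elif ch == '"':
            in_quotes = True
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _unquote(value: str) -> str:
    """Strip quoted-string delimiters and resolve backslash escapes."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        inner, out, i = value[1:-1], [], 0
        while i < len(inner):
            if inner[i] == "\\" and i + 1 < len(inner):
                out.append(inner[i + 1])
                i += 2
            else:
                out.append(inner[i])
                i += 1
        return "".join(out)
    return value


def parse_cdn_loop(field_values: List[str]) -> List[Tuple[str, Dict[str, str]]]:
    """Parse one or more CDN-Loop field values into (cdn-id, parameters) pairs.

    The grammar is a comma-separated list of cdn-info, each a cdn-id followed by
    optional ";"-separated parameters. Several CDN-Loop fields in one message
    are equivalent to one combined list, so all values are flattened here.
    """
    entries = []
    for value in field_values:
        for info in _split_outside_quotes(value, ","):
            pieces = _split_outside_quotes(info, ";")
            cdn_id = pieces[0].lower()          # compare ids case-insensitively (hostnames are)
            params: Dict[str, str] = {}
            for piece in pieces[1:]:
                name, _, raw = piece.partition("=")
                params[name.strip().lower()] = _unquote(raw.strip())
            entries.append((cdn_id, params))
    return entries


def loop_detected(field_values: List[str], own_id: str = OWN_CDN_ID) -> bool:
    """True when this proxy's own id already appears in the CDN-Loop chain."""
    return own_id.lower() in {cdn_id for cdn_id, _ in parse_cdn_loop(field_values)}


def outgoing_cdn_loop(field_values: List[str], own_id: str = OWN_CDN_ID) -> List[str]:
    """Header values to send upstream: the received chain plus our own id.

    Raises ValueError instead of forwarding when a loop is detected, so the
    caller answers the client with an error rather than passing the request on.
    """
    if loop_detected(field_values, own_id):
        raise ValueError(f"CDN-Loop already contains {own_id!r}; refusing to forward")
    return list(field_values) + [own_id]


if __name__ == "__main__":
    # Constructed sample: two hops so far, the second carrying a quoted parameter
    received = ["edge.example", 'mid.example; note="via, proxy.example"']
    print(parse_cdn_loop(received))
    print(outgoing_cdn_loop(received))
```

The quoted-string handling matters for the check: an id that only appears inside a parameter value (as in the constructed "note" above) is not a hop in the chain and must not trigger a false loop, while the same id as a list member, in any letter case, must.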
Hot on their heels, the releases of Squid 5.2 and Squid 4.17 have been published, in which the following vulnerabilities have been fixed:

  • CVE-2021-28116 - Information leak when processing specially crafted WCCPv2 messages. The vulnerability allows an attacker to corrupt the list of known WCCP routers and redirect traffic from the proxy's clients to their own host. The problem appears only in configurations with WCCPv2 support enabled and when the router's IP address can be spoofed.
  • CVE-2021-41611 - A problem in TLS certificate validation allows access using untrusted certificates.

Source: opennet.ru
