Stable release of the Squid 5 proxy server

After three years of development, the stable release of the Squid 5.1 proxy server has been published and is ready for use on production systems (the 5.0.x releases had beta status). Now that the 5.x branch has been declared stable, only fixes for vulnerabilities and stability problems will be accepted into it from here on, along with minor optimizations. New features will be developed in the new experimental 6.0 branch. Users of the previous stable 4.x branch are advised to plan their migration to 5.x.

Main new features in Squid 5:

  • The ICAP (Internet Content Adaptation Protocol) implementation, used to integrate external content-inspection systems, now supports trailers: additional headers carrying metadata that are attached to a response after the message body has been sent (for example, a checksum or details of problems detected during scanning).
  • When forwarding requests, the "Happy Eyeballs" algorithm is used: the first IP address to be resolved is used immediately, without waiting for every possible IPv4 and IPv6 address of the target to be resolved. Instead of consulting the "dns_v4_first" setting to decide whether the IPv4 or IPv6 address family is used, the order in which the DNS answers arrive now decides: if the AAAA answer arrives first while the address is being resolved, the resulting IPv6 address is used. As a consequence, the preferred address family is now chosen at the firewall or DNS level, or at build time with the "--disable-ipv6" option. The change speeds up TCP connection setup and reduces the performance impact of delays during DNS resolution.
  • For use with the "external_acl" directive, the "ext_kerberos_sid_group_acl" helper has been added, which performs authorization by checking Active Directory group membership via Kerberos (by group SID). To look up the group name it uses the ldapsearch utility shipped with OpenLDAP.
  • Support for the Berkeley DB format is being phased out because of licensing problems. The Berkeley DB 5.x branch has not been maintained for several years and still has unfixed vulnerabilities, and the switch to the AGPLv3 license blocks moving to newer releases, because the AGPL's requirements also apply to applications that link BerkeleyDB as a library: Squid is distributed under GPLv2, and the AGPL is incompatible with GPLv2. Instead of Berkeley DB, the project has moved to the TrivialDB (tdb) database, which, unlike Berkeley DB, is designed for concurrent parallel access to the database. Berkeley DB support is retained for now, but the "ext_session_acl" and "ext_time_quota_acl" helpers now recommend the "libtdb" storage type instead of "libdb".
  • Added support for the CDN-Loop HTTP header defined in RFC 8586, which makes it possible to detect loops when content delivery networks are used (the header protects against the situation where a request being forwarded between CDNs returns, for whatever reason, to the CDN it started from, forming an endless loop).
  • The SSL-Bump mechanism, which allows the content of encrypted HTTPS sessions to be intercepted, now supports forwarding intercepted HTTPS requests through other proxy servers listed in cache_peer, using an ordinary tunnel based on the HTTP CONNECT method (forwarding over an HTTPS connection to the peer is not supported, since Squid cannot yet carry TLS inside TLS). SSL-Bump works by establishing its own TLS connection to the target server as soon as the first intercepted HTTPS request arrives and obtaining the server's certificate. Squid then takes the host name from the real certificate received from the server and generates a forged certificate with which it impersonates the requested server towards the client, while continuing to use the TLS connection it established with the target server to fetch the data (so that the substitution does not trigger warnings in browsers on the client side, the CA certificate used to generate the forged certificates must be added to the clients' root certificate store).
  • Added the mark_client_connection and mark_client_packet directives for binding Netfilter marks (CONNMARK) to client TCP connections or to individual packets.
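The address-selection behaviour described in the Happy Eyeballs item above, as an added example written for this page (it is not Squid's own C++ implementation). Both family lookups run concurrently, whichever answer arrives first is dialled, and, going one step beyond the text, a failed connect falls back to the next address that has arrived from either family instead of giving up. The resolvers and dialers are constructed fakes with no network access; the delays, the address literals (taken from the 192.0.2.0/24 and 2001:db8::/32 documentation ranges) and the scenario names are assumptions.

```python
"""Happy Eyeballs style address selection: dial whichever DNS answer arrives first."""
import asyncio
from typing import Awaitable, Callable, Dict, List, Optional, Tuple

Address = Tuple[str, str]                      # (record type, address literal)
Connector = Callable[[Address], Awaitable[object]]


async def _feed(lookup: Awaitable[List[Address]],
                queue: "asyncio.Queue[Optional[Address]]") -> None:
    """Push every address one family's lookup returns, then a None sentinel."""
    try:
        for addr in await lookup:
            queue.put_nowait(addr)
    except OSError:
        pass        # a failing family (e.g. SERVFAIL on AAAA) must not block the other one
    finally:
        queue.put_nowait(None)


async def connect_first_answer(lookups: List[Awaitable[List[Address]]],
                               connect: Connector) -> Tuple[Address, object]:
    """Try addresses in the order their DNS answers arrive, regardless of family.

    The A and AAAA lookups run concurrently; the first address to arrive is
    dialled immediately, without waiting for the other lookup. If dialling
    fails, the next address that has arrived is tried. OSError is raised only
    once every candidate from every family has failed.
    """
    queue: "asyncio.Queue[Optional[Address]]" = asyncio.Queue()
    feeders = [asyncio.create_task(_feed(lk, queue)) for lk in lookups]
    unfinished = len(lookups)
    failures: List[str] = []
    try:
        while unfinished:
            addr = await queue.get()
            if addr is None:            # one family has no more answers
                unfinished -= 1
                continue
            try:
                return addr, await connect(addr)
            except OSError as exc:
                failures.append(f"{addr[1]}: {exc}")
        raise OSError("no candidate address accepted the connection: " + "; ".join(failures))
    finally:
        for task in feeders:            # stop any lookup still in flight
            task.cancel()


# ---- constructed resolvers and dialers (no network; timings are assumptions) ----

async def fake_lookup(delay: float, answers: List[Address]) -> List[Address]:
    await asyncio.sleep(delay)                 # simulated resolver round trip
    return answers


def dialer(unreachable: Tuple[str, ...] = ()) -> Connector:
    """Return a fake connect() that refuses the listed address literals."""
    async def connect(addr: Address) -> str:
        if addr[1] in unreachable:
            raise OSError(f"connect to {addr[1]} refused")
        return f"tcp:{addr[1]}"
    return connect


def demo() -> Dict[str, object]:
    ipv4 = [("A", "192.0.2.10")]               # documentation ranges, not real hosts
    ipv6 = [("AAAA", "2001:db8::10")]

    async def run() -> Dict[str, object]:
        out: Dict[str, object] = {}
        # AAAA answers first: IPv6 is dialled, the slow A lookup is never waited for.
        out["aaaa_first"] = await connect_first_answer(
            [fake_lookup(0.20, ipv4), fake_lookup(0.01, ipv6)], dialer())
        # AAAA answers first but the IPv6 path is down: fall back to the A answer.
        out["v6_down"] = await connect_first_answer(
            [fake_lookup(0.05, ipv4), fake_lookup(0.01, ipv6)], dialer(("2001:db8::10",)))
        # Only an A record exists (empty AAAA answer): IPv4 wins.
        out["a_only"] = await connect_first_answer(
            [fake_lookup(0.01, ipv4), fake_lookup(0.01, [])], dialer())
        # Nothing reachable: one OSError after every candidate was tried.
        try:
            await connect_first_answer(
                [fake_lookup(0.01, ipv4), fake_lookup(0.01, ipv6)],
                dialer(("192.0.2.10", "2001:db8::10")))
            out["all_down"] = "connected"
        except OSError:
            out["all_down"] = "failed"
        return out

    return asyncio.run(run())


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the queue plus sentinel design is that neither lookup is ever awaited directly: a slow or failing AAAA resolver only delays the IPv6 candidates, never the IPv4 ones, which is exactly the latency problem the new behaviour removes.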

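The loop check behind the CDN-Loop item above, as an added example written for this page (not Squid's implementation). The parser follows the RFC 8586 grammar: a comma-separated list of cdn-info entries, each a cdn-id followed by optional ";"-separated parameters, where commas inside quoted-string parameter values do not split the list and values from several field lines are combined. A CDN that finds its own identifier in the incoming header rejects the request; otherwise it appends its identifier and forwards. The CDN identifier cdn.example.net, the sample requests and the decision to reject rather than forward a looped request are constructed assumptions.

```python
"""CDN-Loop (RFC 8586) parsing and loop detection for one CDN hop."""
from typing import Dict, List, Tuple

Header = Tuple[str, str]
FIELD = "CDN-Loop"


def _split_outside_quotes(value: str, sep: str) -> List[str]:
    """Split on `sep` only where it appears outside a quoted-string."""
    parts: List[str] = []
    buf: List[str] = []
    quoted = escaped = False
    for ch in value:
        if escaped:                      # character after a backslash inside quotes
            buf.append(ch)
            escaped = False
        elif quoted and ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_cdn_loop(field_values: List[str]) -> List[Tuple[str, Dict[str, str]]]:
    """Parse one or more CDN-Loop field values into [(cdn-id, params), ...].

    cdn-id is lower-cased because it is normally a host name, which compares
    case-insensitively; parameter names are lower-cased for the same reason.
    Entries keep the order in which the request passed through the CDNs.
    """
    entries: List[Tuple[str, Dict[str, str]]] = []
    for value in field_values:
        for info in _split_outside_quotes(value, ","):
            pieces = _split_outside_quotes(info, ";")
            params: Dict[str, str] = {}
            for piece in pieces[1:]:
                name, _, val = piece.partition("=")
                params[name.strip().lower()] = val.strip()
            entries.append((pieces[0].lower(), params))
    return entries


def handle_request(headers: List[Header], own_id: str) -> Tuple[str, List[Header]]:
    """Decide what this CDN (identified by own_id) does with an incoming request.

    Returns ("reject", headers) when own_id already appears in CDN-Loop, i.e.
    the request has come back to us and would circulate forever; the headers
    are returned untouched so they can be logged as received. Otherwise returns
    ("forward", headers) with all CDN-Loop values folded into one field line
    and own_id appended last.
    """
    incoming = [v for k, v in headers if k.lower() == FIELD.lower()]
    seen = [cdn_id for cdn_id, _ in parse_cdn_loop(incoming)]
    if own_id.lower() in seen:
        return "reject", headers
    outgoing = [(k, v) for k, v in headers if k.lower() != FIELD.lower()]
    outgoing.append((FIELD, ", ".join(incoming + [own_id])))
    return "forward", outgoing


def demo() -> Dict[str, Tuple[str, List[Header]]]:
    """Constructed requests (not captured traffic) seen by a CDN named cdn.example.net."""
    me = "cdn.example.net"
    cases: Dict[str, List[Header]] = {
        "first_hop": [("Host", "www.example.com")],
        "two_hops": [("Host", "www.example.com"), ("CDN-Loop", "edge.example")],
        # our own id, in a different case and with a parameter: this is the loop
        "looped": [("Host", "www.example.com"),
                   ("CDN-Loop", "edge.example, CDN.Example.NET; pop=ams")],
        # same loop, but the id arrived on a second field line with a lower-case name
        "split_lines": [("CDN-Loop", "edge.example"), ("cdn-loop", "cdn.example.net")],
        # a comma inside a quoted parameter must not be mistaken for a list separator
        "quoted_comma": [("CDN-Loop", 'edge.example; note="a, b"')],
    }
    return {name: handle_request(hdrs, me) for name, hdrs in cases.items()}


if __name__ == "__main__":
    for name, (action, hdrs) in demo().items():
        print(f"{name}: {action} {hdrs}")
```

Note that only the cdn-id decides; parameters are parsed but ignored for the loop test, since RFC 8586 defines no semantics for them and an attacker-controlled parameter must not be able to suppress detection.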
Following up on the stable release, Squid 5.2 and Squid 4.17 have been published, fixing the following vulnerabilities:

  • CVE-2021-28116 - Information leak when processing specially crafted WCCPv2 messages. The vulnerability allows an attacker to corrupt the list of known WCCP routers and redirect the traffic of the proxy's clients to a host under their control. The problem only affects configurations with WCCPv2 support enabled, and only when the attacker is able to spoof the router's IP address.
  • CVE-2021-41611 - An error in TLS certificate verification that allows untrusted certificates to be accepted.

Source: opennet.ru
