After three years of development, a stable release of the Squid 5.1 proxy server has been presented, ready for use on production systems (the 5.0.x releases had beta status). Now that the 5.x branch has been given stable status, only fixes for vulnerabilities and stability problems will be made in it from now on, and minor optimizations are also allowed. Development of new features will take place in the new experimental 6.0 branch. Users of the stable 4.x branch are advised to plan their migration to the 5.x branch.
Key new features in Squid 5:
- The implementation of ICAP (Internet Content Adaptation Protocol), which is used to integrate with external content verification systems, has added support for the data attachment mechanism (trailer), which lets you attach additional headers with metadata to the response, placed after the message body (for example, you can send a checksum and details of the problems identified).
- When forwarding requests, the "Happy Eyeballs" algorithm is used, which immediately uses the received IP address without waiting for all potentially available IPv4 and IPv6 addresses to be resolved. Instead of using the "dns_v4_first" setting to determine the order in which the IPv4 or IPv6 address family is used, the order of the DNS responses is now taken into account: if the DNS AAAA response arrives first while waiting for an IP address to be resolved, the resulting IPv6 address will be used. Thus, setting the preferred address family is now done at the firewall, DNS, or startup level with the "--disable-ipv6" option. The proposed change speeds up TCP connection setup and reduces the impact of DNS resolution latency on performance.
- For use in the "external_acl" directive, the "ext_kerberos_sid_group_acl" handler has been added for authentication with group checking in Active Directory using Kerberos. To query the group name, the ldapsearch utility provided by the OpenLDAP package is used.
- Support for the Berkeley DB format has been deprecated due to licensing issues. The Berkeley DB 5.x branch has not been maintained for several years and remains with unpatched vulnerabilities, and moving to newer releases is prevented by the license change to AGPLv3, whose requirements also apply to applications that use BerkeleyDB in the form of a library - Squid is supplied under the GPLv2 license, and AGPL is incompatible with GPLv2. Instead of Berkeley DB, the project has been switched to the TrivialDB DBMS, which, unlike Berkeley DB, is optimized for simultaneous parallel access to the database. Support for Berkeley DB is retained for now, but the "ext_session_acl" and "ext_time_quota_acl" handlers now recommend using the "libtdb" storage type instead of "libdb".
- Added support for the CDN-Loop HTTP header, defined in RFC 8586, which lets you detect loops when using content delivery networks (the header protects against situations where a request, while being redirected between CDNs, for some reason returns to the original CDN, forming an endless loop).
- The SSL-Bump mechanism, which lets you intercept the contents of encrypted HTTPS sessions, has added support for redirecting spoofed (re-encrypted) HTTPS requests through other proxy servers specified in cache_peer, using a regular tunnel based on the HTTP CONNECT method (transmission over HTTPS is not possible, since Squid cannot carry TLS within TLS). SSL-Bump lets you establish a TLS connection with the target server upon receiving the first intercepted HTTPS request and obtain its certificate. After that, Squid uses the hostname from the real certificate received from the server and creates a dummy certificate, with which it imitates the requested server when interacting with the client, while continuing to use the TLS connection established with the target server to receive data (so that the substitution does not lead to warnings in browsers on the client side, you need to add the certificate you use to generate the dummy certificates to the root certificate store).
- Added the mark_client_connection and mark_client_pack directives to bind Netfilter marks (CONNMARK) to client TCP connections or individual packets.
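
The loop check that the CDN-Loop item above describes, as an added Python example that is not Squid's own code: it parses the header following the RFC 8586 grammar, refuses to forward when this node's identifier is already listed, and otherwise appends it. The identifier `proxy.example.net`, the function names, the sample headers and the case-insensitive comparison are assumptions made for the illustration.

```python
# Added illustration of CDN-Loop (RFC 8586) handling; not taken from Squid.
CDN_ID = "proxy.example.net"  # hypothetical cdn-id of this node (assumption)

def split_outside_quotes(value, sep):
    """Split on sep, ignoring separators inside quoted-string parameters."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in value:
        if escaped:                      # character after a backslash in quotes
            buf.append(ch)
            escaped = False
        elif in_quotes and ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quotes = not in_quotes
        elif ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def cdn_ids(header_values):
    """Return the cdn-id of every cdn-info entry across all CDN-Loop lines."""
    ids = []
    for value in header_values:
        for info in split_outside_quotes(value, ","):
            fields = split_outside_quotes(info, ";")  # cdn-id, then parameters
            if fields:
                ids.append(fields[0].lower())         # assumption: ignore case
    return ids

def forward_decision(header_values, own_id=CDN_ID):
    """Return (allow, outgoing_header); refuse when own_id is already listed."""
    if own_id.lower() in cdn_ids(header_values):
        return False, None                # request has already passed through us
    merged = ", ".join(v.strip() for v in header_values if v.strip())
    return True, f"{merged}, {own_id}" if merged else own_id

if __name__ == "__main__":
    # Constructed sample headers: the second one already names this node.
    print(forward_decision(["cdn-a.example; v=1, cdn-b.example"]))
    print(forward_decision(["cdn-a.example", "Proxy.Example.NET; hop=2"]))
```

Splitting on commas and semicolons only outside quoted strings matters here: an identifier that merely appears inside another CDN's quoted parameter value must not be mistaken for a loop.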
Hot on their heels, the releases of Squid 5.2 and Squid 4.17 were published, in which the following vulnerabilities were fixed:
- CVE-2021-28116 - Information leak when processing specially crafted WCCPv2 messages. The vulnerability allows an attacker to corrupt the list of known WCCP routers and redirect traffic from the proxy server's clients to their own host. The problem appears only in configurations with WCCPv2 support enabled and when it is possible to spoof the router's IP address.
- CVE-2021-41611 - An error in TLS certificate validation that allows the use of untrusted certificates.
Source: opennet.ru
