Stable release of the Squid 5 proxy server

After three years of development, the stable release of the Squid 5.1 proxy server has been published and is ready for use on production systems (the 5.0.x releases had beta status). Now that the 5.x branch has been given stable status, only bug fixes and security fixes will be made in it from here on, with minor optimizations also permitted. Development of new features will take place in the new experimental 6.0 branch. Users of the previous stable 4.x branch are advised to plan a migration to the 5.x branch.

Main new features in Squid 5:

  • The implementation of ICAP (Internet Content Adaptation Protocol), used for integration with external content-checking systems, now supports the trailer mechanism, which allows additional headers with metadata to be attached to a response and placed after the message body (for example, a checksum or details of the problems that were detected can be sent this way).
  • When forwarding requests, the "Happy Eyeballs" algorithm is used: the first IP address received is used immediately, without waiting for all potentially available IPv4 and IPv6 addresses to be resolved. Instead of using the "dns_v4_first" setting to decide whether an IPv4 or an IPv6 address is used, the order of DNS responses is now taken into account: if the DNS AAAA response arrives first while waiting for an address to resolve, the IPv6 address will be used. Configuring the preferred address family is therefore now done at the firewall or DNS level, or at build time with the "--disable-ipv6" option. This change speeds up TCP connection establishment and reduces the impact of delays during DNS resolution.
  • For use in the "external_acl" directive, the "ext_kerberos_sid_group_acl" helper has been added for authentication with group lookups in Active Directory using Kerberos. To look up the group name, use the ldapsearch utility shipped with the OpenLDAP package.
  • Support for the Berkeley DB format has been deprecated because of licensing problems. The Berkeley DB 5.x branch has not been maintained for several years and still carries unpatched vulnerabilities, and moving to newer releases is blocked by the license change to AGPLv3, whose requirements also extend to applications that use BerkeleyDB as a library: Squid is distributed under GPLv2, and AGPL is incompatible with GPLv2. In place of Berkeley DB the project has moved to the TrivialDB DBMS, which, unlike Berkeley DB, is designed for simultaneous parallel access to the database. Berkeley DB support is retained for now, but the "ext_session_acl" and "ext_time_quota_acl" helpers now recommend using the "libtdb" storage type instead of "libdb".
  • Added support for the CDN-Loop HTTP header, defined in RFC 8586, which makes it possible to detect loops when content delivery networks are used (the header protects against situations in which a request being routed between CDNs for some reason returns to the original CDN, creating an endless loop).
  • The SSL-Bump mechanism, which allows the contents of encrypted HTTPS sessions to be intercepted, now supports routing spoofed (re-encrypted) HTTPS requests through other proxy servers specified in cache_peer, using a regular tunnel based on the HTTP CONNECT method (forwarding over HTTPS is not possible, since Squid cannot yet carry TLS inside TLS). SSL-Bump establishes a TLS connection to the target server upon receiving the first intercepted HTTPS request and obtains its certificate. Squid then takes the host name from the real certificate received from the server and generates a dummy certificate with which it impersonates the requested server towards the client, while continuing to use the TLS connection already established with the target server to receive data (so that the substitution does not trigger warnings in browsers on the client side, the certificate used to generate the fictitious certificates must be added to the root certificate store).
  • Added the mark_client_connection and mark_client_packet directives for binding Netfilter marks (CONNMARK) to client TCP connections or to individual packets.
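The CDN-Loop header mentioned above is simple enough that the whole loop-detection step can be shown in a few lines. The following is an added example, not code from Squid or from the page: it parses CDN-Loop field values as defined in RFC 8586 (a comma-separated list of cdn-info members, each a cdn-id optionally followed by `;`-separated parameters), rejects a request whose chain already contains the proxy's own identifier, and otherwise appends that identifier before forwarding. The identifier `example-cdn-a`, the sample request and the choice of a 502 status for a detected loop are all assumptions made for this example; the RFC leaves the error handling to the implementation.

```python
"""Added example (not Squid code): CDN-Loop loop detection per RFC 8586.

RFC 8586 defines CDN-Loop as a list header whose members are cdn-info
values: cdn-id [ ";" param [ "=" value ] ]*, where cdn-id is a token or a
uri-host. A CDN appends its own identifier when forwarding a request and
treats the presence of that identifier in an incoming request as a loop.
The identifiers and requests below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class CdnInfo:
    cdn_id: str
    params: dict = field(default_factory=dict)


def parse_cdn_loop(header_values):
    """Parse one or more CDN-Loop field values (the header may be repeated).

    Returns the CdnInfo entries in chain order. Parameters after ';' are
    retained for re-emission but play no role in loop detection.
    """
    entries = []
    for raw in header_values:
        for member in raw.split(","):
            member = member.strip()
            if not member:
                continue  # empty list members are tolerated by HTTP list syntax
            parts = [p.strip() for p in member.split(";")]
            cdn_id = parts[0]
            params = {}
            for p in parts[1:]:
                if "=" in p:
                    k, v = p.split("=", 1)
                    params[k.strip().lower()] = v.strip().strip('"')
                elif p:
                    params[p.lower()] = ""
            if cdn_id:
                entries.append(CdnInfo(cdn_id, params))
    return entries


def detect_loop(header_values, own_id):
    """True if this CDN's identifier already appears in the chain.

    Comparison is case-insensitive here because cdn-id is commonly a host
    name; that is a choice of this example, not a requirement of the RFC.
    """
    own = own_id.lower()
    return any(e.cdn_id.lower() == own for e in parse_cdn_loop(header_values))


def forward_header(header_values, own_id):
    """Outgoing CDN-Loop value: the existing chain with our identifier appended."""
    chain = []
    for e in parse_cdn_loop(header_values):
        extra = "".join(f"; {k}={v}" if v else f"; {k}" for k, v in e.params.items())
        chain.append(e.cdn_id + extra)
    chain.append(own_id)
    return ", ".join(chain)


def handle_request(headers, own_id):
    """Forwarding decision for one request.

    headers: mapping of header name -> list of field values (repeated
    headers keep their order). Returns (status, outgoing CDN-Loop value).
    The 502 for a detected loop is this example's choice.
    """
    values = [v for k, vs in headers.items() if k.lower() == "cdn-loop" for v in vs]
    if detect_loop(values, own_id):
        return 502, None
    return 200, forward_header(values, own_id)


if __name__ == "__main__":
    # Constructed request that has already passed through two CDNs,
    # including ourselves, so it must be rejected rather than forwarded.
    SAMPLE = {
        "Host": ["www.example.com"],
        "CDN-Loop": ["example-cdn-b; region=eu", "example-cdn-a"],
    }
    print(handle_request(SAMPLE, "example-cdn-a"))
```

A real proxy would run this check before any other forwarding logic, since a looping request otherwise consumes bandwidth and connection slots on every hop until some intermediary gives up.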

Hot on their heels, the Squid 5.2 and Squid 4.17 releases have been published, in which the following vulnerabilities have been fixed:

  • CVE-2021-28116 - Information leak when processing specially crafted WCCPv2 messages. The vulnerability allows an attacker to corrupt the list of known WCCP routers and redirect traffic from the proxy server's clients to a host of their choosing. The problem only manifests in configurations with WCCPv2 support enabled and only when it is possible to spoof the router's IP address.
  • CVE-2021-41611 - An issue in TLS certificate verification allows untrusted certificates to be accepted.

Source: opennet.ru
