squid help - increasing web security
Mail Lists
lists at sapience.com
Fri Oct 23 00:05:21 UTC 2009
On 10/22/2009 10:29 AM, Tim wrote:
> On Wed, 2009-10-21 at 22:21 -0400, Mail Lists wrote:
>> I believe i can avoid a large number of scans, if I can prevent
>> http://[ip] from ever reaching the webserver.
>
> How many domains do you host? If it's not too many, take the opposite
> approach: Have an allow list of your domains, and reject everything
> else.
>
I guess i wasn't clear - it doesnt work the way you expect.
If you put in
acl dstdomain my1.com my2.com
Those domains are then allowed - but if someone hits the ip - squid
cleverly reverses the IP to a domain - if the reversed domain is allowed
by the rule then it is allowed.The same thing for dstdom_regex. Hence
the original question.
More information about the fedora-list
mailing list