Ubuntu
squid-deb-proxy package

Bug #952364
Comment #2

Comment 2 for bug 952364

Revision history for this message

Michael Vogt (mvo) wrote on 2012-04-02:

Making the access unrestricted should be easy with the following lines:

=== modified file 'squid-deb-proxy.conf'
--- squid-deb-proxy.conf 2012-04-02 20:01:03 +0000
+++ squid-deb-proxy.conf 2012-04-02 20:23:31 +0000
@@ -79,7 +79,7 @@
# allow access only to official ubuntu mirrors
# uncomment the third and fouth line to permit any unlisted domain
http_access deny !to_ubuntu_mirrors
-#http_access allow !to_ubuntu_mirrors
+http_access allow !to_ubuntu_mirrors

# don't cache domains not listed in the mirrors file
# uncomment the third and fourth line to cache any unlisted domains

from irc:
<mvo> jcastro: so the only reason unrestricted access is not enabled by default currently is to allow this to be dropped into a already restricted network without opening up generic http access via this squid-deb-proxy, I guess it could be argued that this is something that a admin should restirct himself/herself and that convinence is better. or we add another debconf question, but that is not very discoverable either :/
<jcastro> I think not having an unrestricted proxy is reasonable; ideally the proxy saying "fine, go download from this random repository, I will neither help you nor hinder you" sounds like a good middle ground to me
<rbasak> jcastro: the security issue isn't whether it caches your deb or not (pretty minor, just a DoS of the cache), but whether you can get the deb or not (pretty major - could subvert an existing security policy controlling general access). I favour a debconf option.
<mvo> jcastro: right, my thinking (but bear in mind that I'm not a sysadmin :) was that the proxy host has usually different network restrictions than the regular clients, so opening up the proxy sounds potentially dangerous to me
<jcastro> mvo: we should just ask elmo what to do. :) Or perhaps grab a -security guy at UDS or something, whatever works for me.
<mvo> jcastro: yeah, someone more experienced than me on this and I will happly implement whatever they suggest, for now I'm totally fine with a debconf prompt
jcastro: note that I want this to be as simple as possible really

Making the access unrestricted should be easy with the following lines:

=== modified file 'squid-deb-proxy.conf'
--- squid-deb-proxy.conf	2012-04-02 20:01:03 +0000
+++ squid-deb-proxy.conf	2012-04-02 20:23:31 +0000
@@ -79,7 +79,7 @@
 # allow access only to official ubuntu mirrors
 # uncomment the third and fouth line to permit any unlisted domain
 http_access deny !to_ubuntu_mirrors
-#http_access allow !to_ubuntu_mirrors
+http_access allow !to_ubuntu_mirrors
 
 # don't cache domains not listed in the mirrors file
 # uncomment the third and fourth line to cache any unlisted domains

from irc:
<mvo> jcastro: so the only reason unrestricted access is not enabled by default currently is to allow this to be dropped into a already restricted network without opening up generic http access via this squid-deb-proxy, I guess it could be argued that this is something that a admin should restirct himself/herself and that convinence is better. or we add another debconf question, but that is not very discoverable either :/
<jcastro> I think not having an unrestricted proxy is reasonable; ideally the proxy saying "fine, go download from this random repository, I will neither help you nor hinder you" sounds like a good middle ground to me
<rbasak> jcastro: the security issue isn't whether it caches your deb or not (pretty minor, just a DoS of the cache), but whether you can get the deb or not (pretty major - could subvert an existing security policy controlling general access). I favour a debconf option.
<mvo> jcastro: right, my thinking (but bear in mind that I'm not a sysadmin :) was that the proxy host has usually different network restrictions than the regular clients, so opening up the proxy sounds potentially dangerous to me
<jcastro> mvo: we should just ask elmo what to do. :) Or perhaps grab a -security guy at UDS or something, whatever works for me.
<mvo> jcastro: yeah, someone more experienced than me on this and I will happly implement whatever they suggest, for now I'm totally fine with a debconf prompt 
 jcastro: note that I want this to be as simple as possible really

Ubuntusquid-deb-proxy package

Comment 2 for bug 952364

Ubuntu
squid-deb-proxy package