Proxy Server Security Guidelines
This document contains the following sections:
- Overview
- Applies to
- Purpose of the Guideline
- Definition / Clarification
- Guideline Statement
- User Responsibilities and Procedures
- Revision History
Overview
Proxy servers configured to allow CONNECT command can be used as a port forwarder. This can be used to launch attacks, hidden by the proxy server, or to compromise the server itself depending on how the proxy server is configured.
Applies to
Any campus affiliate who runs or intends to run a Proxy Server.
Purpose of the Guideline
The Carnegie Mellon University Computing Policy establishes a general policy for the use of computing, telephone and information resources. The purpose of this guideline is to establish acceptable practices that support the policy as it applies to Proxy Servers.
This guideline was established to ensure that the Carnegie Mellon University community has a clear understanding of proper procedure and usage. Computing Services reserves the right to modify this guideline as necessary. Any changes to this guideline will be reflected on this web page.
Definition/Clarification
Proxy Server - Proxy servers are systems which provide a method for storing Internet objects (web pages, ftp download programs and zip files, etc.) on a machine which is on a given subnet, and thus, closer to the client. By using a proxy server, users enjoy faster access to large files and the original distribution site sees less "heavy traffic", so everyone (potentially) wins.
Guideline Statement
Proxy servers should be configured to either completely disallow the CONNECT command or to only allow CONNECTs to specific ports as needed. Alternately, do not run a proxy server.
User Responsibilities and Procedures
Users should adhere to one of the following:
- Disallow the CONNECT command (see your proxy server documentation for specific instructions).
- Configure to only allow CONNECTs to specific ports as needed (e.g., a proxy server supporting SSL connections can allow connections to ports 443 and 563, with all other ports disabled for the CONNECT command).
- Alternately, do not run a proxy server.
Revision History
Status: | Published | Author | Description |
Published: | 10/28/2005 | Doug Markiewicz | |
Last Reviewed: | 09/13/2023 | Matthew Nicolai | |
Last Updated: | 09/13/2023 | Matthew Nicolai | Fixed broken links and outdated verbiage |