Proxy Server Security Guidelines
This document contains the following sections:
Proxy servers configured to allow CONNECT command can be used as a port forwarder. This can be used to launch attacks, hidden by the proxy server, or to compromise the server itself depending on how the proxy server is configured.
Any campus affiliate who runs or intends to run a Proxy Server.
Purpose of the Guideline
The Carnegie Mellon Computing Policy establishes a general policy for the use of computing, telephone and information resources. The purpose of this guideline is to establish acceptable practices that support the policy as it applies to Proxy Servers.
This guideline was established to ensure that the Carnegie Mellon community has a clear understanding of proper procedure and usage. Computing Services reserves the right to modify this guideline as necessary. Any changes to this guideline will be posted to official.computing-news and will be reflected on this web page.
Proxy Server - Proxy servers are systems which provide a method for storing Internet objects (web pages, ftp download programs and zip files, etc.) on a machine which is on a given subnet, and thus, closer to the client. By using a proxy server, users enjoy faster access to large files and the original distribution site sees less "heavy traffic", so everyone (potentially) wins.
Proxy servers should be configured to either completely disallow the CONNECT command or to only allow CONNECTs to specific ports as needed. Alternately, do not run a proxy server.
User Responsibilities and Procedures
Users should adhere to one of the following:
- Disallow the CONNECT command (see your proxy server documentation for specific instructions).
- Configure to only allow CONNECTs to specific ports as needed (e.g., a proxy server supporting SSL connections can allow connections to ports 443 and 563, with all other ports disabled for the CONNECT command).
- Alternately, do not run a proxy server.
Guideline Modified: November 3, 2005
Guideline Modified: June 20, 2004