5 Replies Latest reply: Apr 10, 2014 3:17 AM by WHS ict
Ed Palma Level 2 (180 points)

I've had Caching Server running on Mountain Lion and it's been very helpful as internet is very expensive here in Pemba, Mozambique and we are limited to 1Mb/s which supports over 160 devices, many of which are OS X or iOS. 

 

Caching server will become even more helpful in 10.9 when it supports iOS apps as well.

 

But it seems trivial to hijack the caching service from its designated server.  If someone flips the Caching service switch on any OS X server on the network, or if they have OS X server running on a laptop, then they could re-register as the local caching server, right?

 

Is there any way to prevent another server from hijacking the caching service?

 

Is there an easy way to tell what local IP is being passed to clients by Apple?

 

Is there a way to alert an admin when the caching service local IP is changed?

 

Help!

  • MrHoffman Level 6 (14,777 points)

    Haven't tried this, but try blocking access to <https://lcdn-registration.apple.com/lcdn/register> (either the URL, or the server) from all but your authorized caching server at your firewall; basically, blacklist that URL for most users.
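The firewall rule the reply above suggests, written out as a pf.conf fragment for the LAN gateway. This is an added example, not from the thread or from Apple; the interface name (en1), the authorized caching server's address (10.0.0.10) and the table name are assumptions to be replaced with your own values.

```pf
# Only the authorized caching server may reach Apple's caching-server
# registration endpoint; every other host on the LAN is blocked and logged.
# Added example with assumed values: LAN interface en1, authorized server 10.0.0.10.
lan_if    = "en1"
cache_srv = "10.0.0.10"

# pf resolves the hostname once, when the ruleset is loaded (pfctl -f /etc/pf.conf).
# Reload the ruleset if Apple changes the addresses behind the name.
table <lcdn_reg> { lcdn-registration.apple.com }

# Traffic from LAN clients arrives inbound on the LAN interface of the gateway.
# "quick" makes the first matching rule final, so order matters here.
block in log quick on $lan_if proto tcp from ! $cache_srv to <lcdn_reg> port 443
pass  in     quick on $lan_if proto tcp from   $cache_srv to <lcdn_reg> port 443
```

Two caveats. Registration is over HTTPS, so the firewall can match only the host or its addresses, not the `/lcdn/register` path; filtering "the URL" is not possible without TLS interception. And because blocked attempts are logged, a rogue server's registration attempts show up on the pflog interface (`tcpdump -n -e -ttt -i pflog0`), which goes some way towards the alerting the original poster asked for, although it does not tell you which address Apple is currently handing to clients.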

  • Simon Slavin Level 4 (1,400 points)

    There is no 'registering as the local caching server'.

     

    In order to make a client computer read from your caching server instead of Apple's server you change a setting inside that computer to point to your server.  So you need physical contact with the client computer.  Other people can set up their own caching servers if they want but client computers will never discover them.

     

    So you need not be worried about this.

  • WHS ict Level 1 (0 points)

    Sorry Simon, that's not how I read it.

    If they are on the same network, with the same external IP, then any caching server will register with Apple and become one of a pool of local caching servers. There is no client configuration required. The client is informed of the local cache IP addresses by Apple.

    I'm interested in the security aspect of it all. Does the client run MD5 checksums on the updates downloaded from the cache? What is the mechanism?

  • Simon Slavin Level 4 (1,400 points)

    Sorry, I was confusing it with Software Update Server.

     

    However, I have a solution to your question.  Set up ListenRanges and ListenRangesOnly as detailed in these documents:

     

    http://support.apple.com/kb/HT5590#ListenRangesExplanation

     

    https://help.apple.com/advancedserveradmin/mac/3.0/#apd5E1AD52E-012B-4A41-8F21-8E9EDA56583A

     

    If you do that, then your caching server will respond only to clients in the IP ranges you specify and will ignore requests from any other computers.

  • WHS ict Level 1 (0 points)

    You've still missed the point. That config applies to the server. The question is about the clients using a caching server that is not under your control. All your answer does is stop the server serving clients you do not control, a vastly different scenario.

     

    We need more info from Apple to be able to answer the rogue caching server question.