Re: [PATCH] no_append_domain_localhost.patch

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 16 Dec 2001 17:50:43 +0100

I only see the relevance in general Squid if the list of append_domain
exclusions is configurable. Adding code which hardcodes localhost does
not make sense because

a) It does not solve the general problem of append_domain, which is that
it makes any valid "top level" host names unreachable.

b) Generally, localhost is not meant to be proxied to start with and
should be in almost any browser's list of domains excluded from proxying.

c) Allowing the proxy to proxy requests to localhost is in many cases a
security risk as indicated earlier.

As far as I am concerned, 'b' is true even in the "personal proxy" case.
Also, in such a case, adding a localhost.your.domain to /etc/hosts or your
personal DNS zone is sufficient as a workaround if you insist on proxying
"localhost" requests AND use append_domain.

Regards
Henrik

Robert Collins wrote:
>
> IMO this is worth having in squid, as a reasonable workaround to the
> browser redirect approach (and where would localhost redirect to :} )
>
> Rob
> ===
> ----- Original Message -----
> From: "Miquel van Smoorenburg" <miquels@cistron.nl>
> To: "Henrik Nordstrom" <hno@marasystems.com>
> Cc: <squid-dev@squid-cache.org>
> Sent: Thursday, December 13, 2001 10:34 PM
> Subject: Re: [PATCH] no_append_domain_localhost.patch
>
> > According to Henrik Nordstrom:
> > > Miquel van Smoorenburg wrote:
> > > > Ignore append_domain setting for the string "localhost".
> > > Why?
> >
> > So you can browse http://localhost/ through a browser.
> >
> > Strange as it may seem, many people run squid on their personal
> > workstation because its caching is much more efficient than the
> > mozilla/netscape builtin cache, and memory is cheap these days.
> > I do - it really makes a difference behind a 64kbit ISDN line.
> >
> > And if you have append_domain set http://localhost/
> > doesn't work anymore.
> >
> > > Anyway, my general opinion is that append_domain should be completely
> > > ripped out, replaced by a proper DNS search algorithm returning a
> > > browser redirect when a FQDN is found for the requested name.
> >
> > I agree, it's just that this has been in the Debian squid package
> > for some time since somebody had a real-life situation in which
> > this was a problem.
> >
> > If you think it doesn't belong in squid I'll just keep it
> > as a debian-specific patch until the above gets implemented in
> > squid 2.6 or so ;)
> >
> > Mike.
> > --
> > I used to drive a Heisenberg mobile but every time I looked at the
> > speedometer - I got lost!
> >
Received on Sun Dec 16 2001 - 14:54:50 MST
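
Added example, not part of the original message and not Squid's source: a small C model of the behaviour argued over above, with append_domain applied only to dotless names, a configurable exclusion list, and a loopback check on the resolved address. The function names, the `no_append` list and the host table are hypothetical or constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Constructed sample data standing in for /etc/hosts and DNS. */
static const char *const sample_hosts[][2] = {
    { "localhost.your.domain", "127.0.0.1" },   /* the /etc/hosts workaround */
    { "localhost", "127.0.0.1" },
    { "intranet.your.domain", "192.0.2.10" },
};
static const char *const no_append[] = { "localhost", NULL };  /* hypothetical exclusion list */

/* 1 = domain appended, 0 = host copied unchanged, -1 = result does not fit. */
int apply_append_domain(const char *host, const char *domain,
                        const char *const *exclude, char *out, size_t outlen)
{
    int append = strchr(host, '.') == NULL;      /* only dotless names are touched */
    for (size_t i = 0; append && exclude && exclude[i]; i++)
        if (strcasecmp(host, exclude[i]) == 0)
            append = 0;                          /* listed name stays as typed */
    int n = snprintf(out, outlen, "%s%s", host, append ? domain : "");
    return (n < 0 || (size_t)n >= outlen) ? -1 : append;
}

/* 1 if addr is a loopback literal (127.0.0.0/8 or ::1), else 0. */
int is_loopback(const char *addr)
{
    struct in_addr a4; struct in6_addr a6;
    if (inet_pton(AF_INET, addr, &a4) == 1)
        return (ntohl(a4.s_addr) >> 24) == 127;
    return inet_pton(AF_INET6, addr, &a6) == 1 && IN6_IS_ADDR_LOOPBACK(&a6);
}

/* 1 = forward, 0 = deny (loopback destination), -1 = name does not resolve. */
int decide(const char *host, const char *domain, const char *const *exclude)
{
    char name[256];
    if (apply_append_domain(host, domain, exclude, name, sizeof name) < 0)
        return -1;
    for (size_t i = 0; i < sizeof sample_hosts / sizeof sample_hosts[0]; i++)
        if (strcasecmp(name, sample_hosts[i][0]) == 0)
            return is_loopback(sample_hosts[i][1]) ? 0 : 1;
    return -1;
}

int main(void)
{
    printf("localhost: %d, com: %d\n", decide("localhost", ".your.domain", no_append),
           decide("com", ".your.domain", no_append));
    return 0;
}
```

In the sample data both `localhost` and the rewritten `localhost.your.domain` resolve to 127.0.0.1, so a check on the resolved address denies either form, while a bare name such as `com` is rewritten into something that no longer resolves.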
