Re: [RFC] Breaking forwarding loops

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Tue, 11 Jan 2011 17:53:44 -0700

On 01/07/2011 06:04 PM, Amos Jeffries wrote:

> Note that a great many hostnames are "localhost" or
> "localhost.localdomain" or "localhost.local" due to certain distros
> hard-coding "localhost" into their packages.
>
> We also use "localhost" as a backup when the gethostname() call fails to
> provide anything with rDNS. (IMO that hard rDNS requirement is a bit naive)

Good point!

On 01/11/2011 01:16 AM, Henrik Nordström wrote:
> A proposal is to always return an error if Via indicates
> that we have already processed this request twice
> (on third time the same request is received). This will break actual
> loops, while keeping sibling loops silent.

Sounds like a good approach to me. I would even take it a few steps
further to address Amos's concern using the same technique. How about this
plan:

If we have detected a forwarding loop and our name appeared N times,
then respond with an error provided at least one of the conditions below
is true:

1) N > 2 and our name is not localhost or similar.
2) N > 10.

No checks for the port mode or transaction flags (intercepted,
accelerated, etc.).

In addition to the above, do a startup check for the name and warn the
user if our name is localhost or similar.

Would that address all the concerns voiced so far?

Thank you,

Alex.

P.S. I would propose to just use "N > 10" always, but I am worried that
allowing 10 loop iterations by default would make it easier to "amplify"
some attacks on/using Squid.
Received on Wed Jan 12 2011 - 00:54:01 MST
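As an added illustration (not Squid's code and not from the thread), the rule proposed above applied to a Via header. It assumes entries of the form `1.1 host[:port] (comment)` separated by commas, that the names compared are the ones Squid puts in Via, and uses a constructed helper to build sample headers.

```cpp
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>
#include <vector>

// Names that many distributions hard-code; a loop through one of these is
// usually a local/sibling setup rather than a real forwarding loop.
static bool isLocalhostLike(const std::string &h) {
    return h == "localhost" || h == "localhost.localdomain" || h == "localhost.local";
}

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// Return the lower-cased received-by token of each comma-separated Via entry.
// Simplification: commas inside the parenthesised comment are not handled.
static std::vector<std::string> viaReceivedBy(const std::string &via) {
    std::vector<std::string> out;
    std::stringstream entries(via);
    std::string entry;
    while (std::getline(entries, entry, ',')) {
        std::istringstream words(entry);
        std::string version, host;
        if (words >> version >> host)
            out.push_back(lower(host.substr(0, host.find(':'))));  // drop :port
    }
    return out;
}

// N = how many times our own name already appears in Via.
int countSelfInVia(const std::string &via, const std::string &self) {
    const std::string me = lower(self);
    int n = 0;
    for (const auto &h : viaReceivedBy(via))
        if (h == me) ++n;
    return n;
}

// Proposed rule: error if N > 2 for a distinctive name, or N > 10 for any
// name, so localhost-style names still hit a hard cap on loop iterations.
bool shouldRejectLoop(const std::string &via, const std::string &self) {
    const int n = countSelfInVia(via, self);
    return n > 10 || (n > 2 && !isLocalhostLike(self));
}

// Constructed sample input: a Via header listing `host` n times.
std::string sampleVia(const std::string &host, int n) {
    std::string via;
    for (int i = 0; i < n; ++i)
        via += (i ? ", " : "") + std::string("1.1 ") + host + " (squid/3.1)";
    return via;
}
```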