Re: [squid-users] An "Ask Slashdot" article regarding transparent proxy

From: Vladimir B. Savkin <savkin@dont-contact.us>
Date: Sun, 24 Mar 2002 23:29:15 +0300

Thus spake Joe Cooper:
> No. You don't tweak DNS to point everything at the Squid box for
> transparency, and Squid would be impacted by this. The workaround for
> this specific problem is to allow your local DNS to service requests for
> those alternative TLDs.
>
> This may not solve all issues with Squid (or any proxy) in transparent
> proxy modes. I haven't poked at it enough yet to know.

I think it would be very good for Squid to always connect to the IP
specified by the client. Obvious cache poisoning issues can be avoided
by using the following technique:
<QUOTE src="http://slashdot.org/comments.pl?sid=29892&cid=3213929">
A correct transparent proxy implementation should always connect
to the very same IP address the client tried to connect to without regard
to the "Host" header (which must also be passed along). A DNS lookup
can still be done to optimize the cache. If the destination IP address
is in the list of A records from the DNS query, then it can simply be
matched to the cache by name alone. However, if the IP address
does not match any that DNS gets, then those pages can still be cached,
but they must be cached under the tuple of both the destination IP
address and the "Host" header name together (as this content can be
different than any other for the same host name or the same IP address).
</QUOTE>

>
> --
> Joe Cooper <joe@swelltech.com>
> http://www.swelltech.com
> Web Caching Appliances and Support
Received on Sun Mar 24 2002 - 13:29:22 MST
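The keying rule in the quoted Slashdot comment, written out as a small simulation. This is an added example, not code from Squid or from either poster: the DNS table, the origin servers and the addresses (198.51.100.0/24 and 203.0.113.0/24 documentation ranges) are constructed stand-ins, and `cache_key`, `upstream_address` and `run_scenario` are names chosen here. It contrasts a naive proxy that keys its cache by Host alone with one that forwards to the client's chosen IP and keys by (IP, Host) whenever that IP is not among the name's A records.

```python
"""Cache keying for a transparent (intercepting) proxy.

Rule demonstrated:
  1. Always connect to the IP the client opened, never to one derived
     from the Host header.
  2. If that IP is one of the A records for Host, the reply can be cached
     under the host name alone.
  3. Otherwise cache it under (destination IP, Host) together, so it can
     never be served to a client who reached the real address.
"""
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str], List[str]]
KeyFn = Callable[[str, str], Tuple[str, ...]]

# Constructed DNS data (assumption): what a resolver would answer.
FAKE_DNS: Dict[str, List[str]] = {
    "www.example.com": ["198.51.100.10", "198.51.100.11"],
}

# Constructed origin servers (assumption): content each IP would return.
FAKE_ORIGINS: Dict[str, bytes] = {
    "198.51.100.10": b"real page",
    "198.51.100.11": b"real page",
    "203.0.113.5": b"attacker page",   # a host the attacker controls
}


def fake_resolve(host: str) -> List[str]:
    """Stand-in for a DNS A-record lookup; unknown names resolve to nothing."""
    return FAKE_DNS.get(host, [])


def upstream_address(dest_ip: str, host: str) -> str:
    """Rule 1: the proxy connects where the client was going, Host is only a header."""
    return dest_ip


def cache_key(dest_ip: str, host: str, resolve: Resolver = fake_resolve) -> Tuple[str, ...]:
    """Rules 2 and 3: key by name when IP matches DNS, else by (IP, Host).

    An unresolvable name (empty A list) also falls into the (IP, Host) case,
    which is what makes the non-standard-TLD workaround safe to cache.
    """
    if dest_ip in resolve(host):
        return ("host", host)
    return ("ip+host", dest_ip, host)


def naive_key(dest_ip: str, host: str) -> Tuple[str, ...]:
    """The weak scheme: trust Host alone, regardless of where the client went."""
    return ("host", host)


def run_scenario(keyfn: KeyFn) -> bytes:
    """Attacker primes the cache via their own server, then a victim asks for
    the real site. Returns the bytes the victim receives."""
    cache: Dict[Tuple[str, ...], bytes] = {}

    def fetch(dest_ip: str, host: str, path: str) -> bytes:
        key = keyfn(dest_ip, host) + (path,)
        if key not in cache:
            cache[key] = FAKE_ORIGINS[upstream_address(dest_ip, host)]
        return cache[key]

    # Attacker: TCP to their own box, but claims Host: www.example.com.
    fetch("203.0.113.5", "www.example.com", "/")
    # Victim: genuinely connects to an A record of www.example.com.
    return fetch("198.51.100.10", "www.example.com", "/")


if __name__ == "__main__":
    print("naive keying  ->", run_scenario(naive_key))   # attacker page
    print("IP+Host keying ->", run_scenario(cache_key))  # real page
```

With the naive key the attacker's response is stored under the real host name and every later client reaching the genuine address gets it; with the quoted rule the poisoned entry lives under ("ip+host", "203.0.113.5", "www.example.com") and can only ever be returned to clients who themselves connected to 203.0.113.5. Legitimate clients hitting either A record still share one name-keyed entry, so the DNS lookup keeps its cache-efficiency benefit.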

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:07:03 MST