Re: [squid-users] Transparent squid ignores client-side /etc/hosts

From: Adrian Chadd <adrian@dont-contact.us>
Date: Sun, 11 Nov 2007 20:04:44 +0900

On Sun, Nov 11, 2007, Alex Vorona wrote:
> Hello
>
> I got transparent squid 2.6 on Linux box via iptables REDIRECT. All
> works fine, but squid actually ignores original DST IP in hijacked
> connection and uses Host header to resolve to IP and then connects to
> that IP.

I believe that's a security feature. Allowing the client to control
the Host: name to destination IP mapping makes for some pretty horrible
cache poisoning possibilities.

It shouldn't be difficult to patch Squid-2.6 to use the original destination IP
if required (if there isn't one already!) but I'm not sure how to work around
the cache poisoning. Henrik, any ideas?

Adrian

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
Received on Sun Nov 11 2007 - 04:01:17 MST
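
Added example, not part of the message above and not Squid's own code: one way to honour the original destination IP without the cache poisoning risk Adrian describes is to relay to the client's chosen IP but treat the response as cacheable only when that IP is among the addresses the proxy itself resolves for the Host header. The function name, policy names and sample addresses are assumptions constructed for illustration.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdio.h>

enum intercept_policy {
    POLICY_CACHEABLE,     /* original dst is one the proxy's DNS also returns */
    POLICY_PASS_NO_CACHE, /* mismatch: relay to original dst, bypass the cache */
    POLICY_REJECT         /* original dst could not be parsed */
};

/* Constructed sample: the proxy's own DNS answer for the Host header. */
static const char *const SAMPLE_DNS[] = { "192.0.2.10", "192.0.2.11" };

/* orig_dst: address the client actually connected to (on Linux REDIRECT
 * this comes from getsockopt(SO_ORIGINAL_DST) on the accepted socket).
 * resolved: addresses the proxy resolved for the Host header itself. */
enum intercept_policy
classify_intercepted(const char *orig_dst, const char *const *resolved, size_t n)
{
    struct in_addr dst, cand;

    if (orig_dst == NULL || inet_pton(AF_INET, orig_dst, &dst) != 1)
        return POLICY_REJECT;
    for (size_t i = 0; i < n; i++) {
        if (resolved[i] == NULL || inet_pton(AF_INET, resolved[i], &cand) != 1)
            continue; /* ignore malformed records */
        if (cand.s_addr == dst.s_addr)
            return POLICY_CACHEABLE;
    }
    /* Client-chosen IP (e.g. from its /etc/hosts) is honoured, but the
     * response must not be stored or served under the Host-based URL. */
    return POLICY_PASS_NO_CACHE;
}

int main(void)
{
    const char *cases[] = { "192.0.2.10", "198.51.100.7", "not-an-ip" };
    for (size_t i = 0; i < 3; i++)
        printf("%-14s -> %d\n", cases[i],
               classify_intercepted(cases[i], SAMPLE_DNS, 2));
    return 0;
}
```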
