Re: [squid-users] Transparent squid ignores client-side /etc/hosts

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Tue, 13 Nov 2007 01:28:36 +0100

On Sun, 2007-11-11 at 20:04 +0900, Adrian Chadd wrote:

> It shouldn't be difficult to patch Squid-2.6 to use the original destination IP
> if required (if there isn't one already!) but I'm not sure how to work around
> the cache poisoning. Henrik, any ideas?

Steven did something in that direction in 2.HEAD, making it use the
client provided IP if the DNS lookup fails.

Not merged to 2.6 as it's not yet fully reviewed, and a new feature..
have a feeling it should be replaced with a new http_port option.

I guess that can be tweaked to fall back on the client provided IP if
that IP is not in the set of IPs returned by DNS, but cache would still
be a bit of an issue.

Another path would be to add another http_port flag making intercepted
requests on that http_port always use the original destination IP and
include that in the cache key. This smells more secure, but will not be
very good for the cache..

Regards
Henrik

Received on Mon Nov 12 2007 - 17:28:46 MST

This archive was generated by hypermail pre-2.1.9 : Sat Dec 01 2007 - 12:00:02 MST
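The three approaches Henrik sketches differ in which IP the proxy connects to and in what the cache is keyed on, and that is exactly where the poisoning risk and the cache-efficiency cost come from. The model below is an added example written for this page, not Squid code and not the 2.HEAD change Steven made; the policy names, the DNS table, the origin addresses and the "pages" they serve are all constructed for illustration. It runs a shared cache through four policies: the plain DNS-only behaviour (which ignores a client's /etc/hosts), the 2.HEAD-style fallback to the original destination only when DNS fails, the suggested tweak that also falls back when the original destination is not among the DNS answers, and the proposed http_port flag that always uses the original destination and puts it in the cache key.

```python
# Destination-selection policies for intercepted (transparent) requests.
# Added example, not Squid code: policy names, the DNS table and the
# addresses below are constructed for illustration.

DNS_TABLE = {
    # constructed: a public site with two A records (round robin)
    "www.example.com": {"192.0.2.10", "192.0.2.11"},
}

# constructed: what each origin IP answers for the same URL
ORIGINS = {
    "192.0.2.10": "legit page",
    "192.0.2.11": "legit page",
    "198.51.100.7": "attacker page",  # the attacker's own server
    "10.0.0.5": "intranet page",      # known only via the client's /etc/hosts
}

ATTACKER_IP = "198.51.100.7"


def resolve(host):
    """Proxy-side DNS lookup: the set of IPs, or None when the lookup fails."""
    return DNS_TABLE.get(host)


def choose(policy, host, orig_dst):
    """Return (ip_to_connect, cache_key) for one intercepted request.

    host     -- Host header sent by the client
    orig_dst -- original destination IP recovered from the intercepted socket
    """
    ips = resolve(host)
    if policy == "dns-only":
        # proxy trusts only its own DNS; the client's /etc/hosts is ignored
        if ips is None:
            raise LookupError(host)
        return min(ips), host
    if policy == "fallback-on-failure":
        # client-provided IP is used only when the DNS lookup fails
        return (orig_dst if ips is None else min(ips)), host
    if policy == "fallback-on-mismatch":
        # also trust orig_dst when it is not among the DNS answers;
        # the cache key is still just the URL, which is the poisoning hole
        if ips is not None and orig_dst in ips:
            return min(ips), host
        return orig_dst, host
    if policy == "orig-dst-keyed":
        # always connect to orig_dst and make it part of the cache key, so a
        # poisoned object is only ever served to clients aimed at that same IP
        return orig_dst, (host, orig_dst)
    raise ValueError(f"unknown policy {policy}")


def run(policy, requests):
    """Serve (host, orig_dst) requests through one shared cache.
    Returns (bodies delivered, number of cache entries); a body is None
    where the proxy could not resolve the request."""
    cache = {}
    delivered = []
    for host, orig_dst in requests:
        try:
            ip, key = choose(policy, host, orig_dst)
        except LookupError:
            delivered.append(None)
            continue
        if key not in cache:
            cache[key] = ORIGINS[ip]  # "fetch" from the chosen origin
        delivered.append(cache[key])
    return delivered, len(cache)


def victim_is_poisoned(policy):
    """Attacker sends Host: www.example.com while the TCP connection goes to
    the attacker's own IP; a legitimate client then asks for the same URL."""
    bodies, _ = run(policy, [("www.example.com", ATTACKER_IP),
                             ("www.example.com", "192.0.2.10")])
    return bodies[1] == "attacker page"


def hosts_override_works(policy):
    """Client has intranet.example in /etc/hosts; proxy DNS knows nothing."""
    bodies, _ = run(policy, [("intranet.example", "10.0.0.5")])
    return bodies[0] == "intranet page"


def cache_entries_for_round_robin(policy):
    """Two clients reach the same site through its two A records."""
    _, entries = run(policy, [("www.example.com", "192.0.2.10"),
                              ("www.example.com", "192.0.2.11")])
    return entries


if __name__ == "__main__":
    for p in ("dns-only", "fallback-on-failure",
              "fallback-on-mismatch", "orig-dst-keyed"):
        print(f"{p:22} poisoned={victim_is_poisoned(p)!s:5} "
              f"hosts_ok={hosts_override_works(p)!s:5} "
              f"entries={cache_entries_for_round_robin(p)}")
```

Only the mismatch fallback lets the attacker's body be served to a client that was actually headed for the real site, because the connection follows the client's IP while the cache key does not. Keying on the original destination closes that, but the round-robin case shows the cost Henrik mentions: the same URL fetched through two different A records becomes two cache entries instead of one.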