Re: [squid-users] Issue with multiple Squids / TPROXY / WCCP and DNS load balancing

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Mon, 17 Aug 2009 23:43:41 +0200

Mon 2009-08-17 at 10:42 +0200, Matus UHLAR - fantomas wrote:

> I say that again: by using such feature any client could poison your cache
> by connecting to IP address of a malicious/broken server, requesting _any_
> URI and your cache would remember the content provided by the server as if
> it really was the URI.

There are ways to dissolve the poisonous effect. Requires a little
effort, but doable.

> > This causes the Cisco router to redirect the response to the other
> > Squid server which just drops it.
>
> I think that is a bad configuration on DNS or your network.

No. It's a natural consequence of TPROXY+WCCPv2 balancing based on
requested IP, with separate DNS lookups done by the client & Squid. You
can limit some of it by DNS server hackery to implement IP pinning in
the DNS server but not eliminate it.

> Or maybe you should properly set up hosts file on machine squid is running
> so it would not connect to the another squid.

The problem is not the Squids or their hosts table, the problem is that
Squid MAY select another destination IP than the client requested, which
causes a mismatch in return traffic redirection when using TPROXY.

TPROXY with multiple proxies balanced on destination IP only works if
the proxy always selects the exact same destination IP as the client
originally did.

The workaround is simple, but not without drawbacks: don't balance on
the destination IP, balance on the client IP instead.

The solution is to extend Squid to connect to the requested IP on
intercepted requests, but requires some extra validations to avoid cache
poisoning.

Regards
Henrik
Received on Mon Aug 17 2009 - 21:44:06 MDT
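The following is an added model of the return-path mismatch Henrik describes and of the validation he says the "connect to the requested IP" approach needs. It is not code from the thread, from Squid or from Cisco: the WCCP bucket function, the IP addresses and the round-robin DNS answers are constructed stand-ins (real WCCPv2 uses a 256-bucket hash or mask assignment, but any deterministic function of the balancing key shows the same effect).

```python
"""Model of TPROXY + WCCPv2 redirection with two Squids behind one router.

Constructed example, not Squid or Cisco code. Addresses, DNS data and the
bucket function are stand-ins chosen so the effect is easy to follow.
"""
from dataclasses import dataclass

CACHES = ("squid-a", "squid-b")

# Constructed DNS zone: one name with two A records handed out round-robin,
# so the client and the proxy can receive different answers.
DNS = {"www.example.test": ("192.0.2.10", "192.0.2.11")}


def resolve(host, turn):
    """Round-robin resolver stand-in: answer depends on who asks (turn)."""
    addrs = DNS.get(host, ())
    return addrs[turn % len(addrs)] if addrs else None


def wccp_cache(key_ip):
    """Stand-in for the WCCPv2 assignment: map an IP (the balancing key)
    to one of the caches. Real WCCP hashes into 256 buckets; here the
    last octet decides, which is enough to show the mismatch."""
    last_octet = int(key_ip.rsplit(".", 1)[1])
    return CACHES[last_octet % len(CACHES)]


@dataclass
class Flow:
    client_ip: str
    client_dst: str   # IP the client resolved and connected to
    proxy_dst: str    # IP the proxy actually opened the server connection to


def redirect(flow, balance_on):
    """Return (cache that intercepts the client request,
               cache the router hands the server's reply to).

    With TPROXY the reply is addressed to the client, not to the proxy, so
    the router must redirect it too. Balancing on the requested (server)
    IP keys the forward flow on the client's destination and the reply on
    the server's source address; balancing on the client IP uses the same
    key in both directions."""
    if balance_on == "dst":
        return wccp_cache(flow.client_dst), wccp_cache(flow.proxy_dst)
    if balance_on == "client":
        return wccp_cache(flow.client_ip), wccp_cache(flow.client_ip)
    raise ValueError(f"unknown balancing key {balance_on!r}")


def reply_delivered(flow, balance_on):
    """True only if the Squid that holds the client connection is also
    the one that receives the redirected reply; otherwise the other
    Squid has no matching socket and drops it."""
    fwd, ret = redirect(flow, balance_on)
    return fwd == ret


def intercepted_flow(client_ip, host, proxy_pins_original_dst):
    """Build a flow: the client resolves first; the proxy either reuses the
    client's original destination (the extension Henrik proposes) or does
    its own lookup and may land on the other A record."""
    client_dst = resolve(host, 0)
    proxy_dst = client_dst if proxy_pins_original_dst else resolve(host, 1)
    return Flow(client_ip, client_dst, proxy_dst)


def safe_to_cache(flow, host):
    """Validation needed once the proxy connects to the client's requested
    IP: only accept the reply as content for `host` if that IP is one of
    the addresses the proxy's own resolver returns for the name. Without
    this a client can aim at a rogue server, send any URI under a victim's
    Host header, and have the reply stored as if it were that URI."""
    return flow.client_dst in DNS.get(host, ())


if __name__ == "__main__":
    f = intercepted_flow("10.0.0.5", "www.example.test", False)
    print("dst balancing, proxy re-resolves:", redirect(f, "dst"))
    print("client balancing:", redirect(f, "client"))
    rogue = Flow("10.0.0.5", "203.0.113.66", "203.0.113.66")
    print("rogue server cacheable?", safe_to_cache(rogue, "www.example.test"))
```

Running it with the constructed data, destination-IP balancing sends the client request to squid-a but the reply to squid-b unless the proxy reuses the client's destination; client-IP balancing keeps both halves on one Squid regardless, which is the workaround in the message. The last line shows the poisoning check rejecting a request where the client connected to an address the Host name does not resolve to.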

This archive was generated by hypermail 2.2.0 : Wed Aug 19 2009 - 12:00:04 MDT