[squid-users] R: [squid-users] Re: R: [squid-users] Example of squid accelerator

From: Riccardo Castellani <r.castellani_at_usl6.toscana.it>
Date: Fri, 21 Aug 2009 15:05:46 +0200

> So users access http://1.2.3.4/ by IP? Not by some more friendly
>hostname?

Yes, users access by IP address.
But I understand the best solution is to use dstdomain.

> Yes. Or defaultsite=1.2.3.4, or both

vhost makes Squid use what is in the Host header when building the
requested URL, while defaultsite explicitly specifies what site 'name:port'
to use; it is also used as a fallback if there is no Host header.
But which has priority in request building: the information in the Host
header or in defaultsite?

> defaultsite is not used because...
>
> URL is
> http://1.2.3.4/LicroPS.sav.1/mkLicro.do?codCenter=22101
>
>The browser will send that as
>
>GET /LicroPS.sav.1/mkLicro.do?codCenter=22101 HTTP/1.1
>Host: 1.2.3.4
>[more headers]

If I specify: http_port 1.2.3.4:80 accel vhost defaultsite=1.2.3.4
will the browser send this one?

GET 1.2.3.4/LicroPS.sav.1/mkLicro.do?codCenter=22101 HTTP/1.1
Host: 1.2.3.4
...

-----Original Message-----
From: Henrik Nordstrom [mailto:henrik_at_henriknordstrom.net]
Sent: Wednesday, August 19, 2009 12:24 PM
To: Riccardo Castellani
Cc: squid-users_at_squid-cache.org
Subject: [squid-users] Re: R: [squid-users] Example of squid accelerator

Wed 2009-08-19 at 08:53 +0200, Riccardo Castellani wrote:

> Internet users reach my company site on IP address 1.2.3.244 where they
> find a certain section which contains 4 icons.

So users access http://1.2.3.4/ by IP? Not by some more friendly
hostname?

> These 4 icons (corresponding to 4 towns) links respectively to
>
> http://1.2.3.4/LicroPS.sav.1/mkLicro.do?codCenter=22101
> http://1.2.3.4/LicroPS.sav.1/mkLicro.do?codCenter=22102
> http://1.2.3.4/LicroPS.sav.1/mkLicro.do?codCenter=22103
> http://1.2.3.4/LicroPS.sav.1/mkLicro.do?codCenter=22104
>
> The user can decide which link is interesting, according to the town to
> which he belongs, so there is no default page.

These http_port parameters are about what Squid should pick up as the
requested hostname. Paths or objects on the server are irrelevant.

> Can I describe in this way ?
> http_port 1.2.3.4:80 accel vhost

Yes. Or defaultsite=1.2.3.4, or both.

My recommendation is to always use vhost, and add defaultsite only if
one wants to support obsolete HTTP/1.0 clients not sending Host headers.
Life gets less complicated in the long run that way.

> >Don't use dst there, use dstdomain instead matching the allowed
> >sitenames/hostnames
>
> What's the reason? Perhaps because with the dst directive Squid looks up
> DNS for the IP address of the domain name, which is in the request header.
> I could have, for specific reasons, some sites which are not registered in
> DNS, even if this time it is not my case.

a) The DNS lookup isn't needed.

b) As you describe above.

c) May allow things you did not intend, as the attacker may well create
his own DNS records with an IP of 1.2.3.4.

Regards
Henrik
Received on Fri Aug 21 2009 - 13:05:51 MDT
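
Points (a) to (c) above and the vhost/defaultsite fallback, as an added example that is not part of the original thread and is not Squid's code: a simplified Python model of how an accelerator picks the requested host and how a dst ACL differs from a dstdomain ACL. The DNS table and the names www.example.org, attacker.example and other.example are constructed for illustration.

```python
# Simplified model (an assumption, not Squid source) of accel-mode host
# selection and of the dst vs dstdomain ACL types discussed in the thread.

# Constructed DNS view: anyone can publish a record pointing at our IP.
FAKE_DNS = {
    "1.2.3.4": {"1.2.3.4"},
    "www.example.org": {"1.2.3.4"},    # our own name (constructed)
    "attacker.example": {"1.2.3.4"},   # record created by a third party
    "other.example": {"203.0.113.9"},
}

def effective_host(headers, vhost=True, defaultsite=None):
    """Host used in the rebuilt URL: the Host header when vhost is set,
    defaultsite only as a fallback when no Host header is present."""
    host = headers.get("Host")
    if vhost and host:
        return host.split(":")[0].lower()
    return defaultsite

def match_dst(host, allowed_ips, resolve=FAKE_DNS.get):
    """dst: resolve the requested name, then compare the addresses."""
    return bool(host) and bool(resolve(host, set()) & allowed_ips)

def match_dstdomain(host, allowed_names):
    """dstdomain: compare the requested name itself, no forward lookup.
    A leading dot in an entry also matches subdomains."""
    if not host:
        return False
    for name in allowed_names:
        if name.startswith("."):
            if host == name[1:] or host.endswith(name):
                return True
        elif host == name:
            return True
    return False

def evaluate(headers, defaultsite="1.2.3.4"):
    """Return (host, allowed_by_dst, allowed_by_dstdomain) for a request."""
    host = effective_host(headers, vhost=True, defaultsite=defaultsite)
    return (host,
            match_dst(host, {"1.2.3.4"}),
            match_dstdomain(host, {"1.2.3.4"}))

if __name__ == "__main__":
    for hdrs in ({"Host": "1.2.3.4"}, {"Host": "attacker.example"}, {}):
        print(hdrs, "->", evaluate(hdrs))
```

The request carrying `Host: attacker.example` passes the dst check because the name resolves to 1.2.3.4, while dstdomain rejects it since the name is not on the allowed list.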
