Re: [squid-users] Squid->DG->Squid

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 30 Jul 2011 00:58:17 +1200

On 30/07/11 00:30, Andrew Rogers wrote:
>>> Should I always trust these kind of connections and let them go direct
>>> if the connection has authentication against it with a possible
>>> statement of:-
>>>
>>> always_direct allow CONNECT auth
>>
>> CONNECT are absolutely not trustworthy. The one exception we have to make by
>> default is port 443 because HTTPS requests need it to transmit the SSL data.
>> You are free to extend that list to allow known application ports, just be
>> careful.
>
> So would I need to specify a direct allow for CONNECT & SSL_ports then,
> something along the line of

_need_ to? no.

>
> always_direct allow CONNECT SSL_ports auth
>
> ?
> Is it then generally better to have SSL traffic using CONNECT to go
> direct and not sent to a cache_peer?
>
> I had one question thrown at me about if we did let SSL traffic go
> direct, wouldn't people be able to log into Porn sites then as this
> would have bypassed DG for content filtering? Would this be true, or
> would this not be the case as they would usually have to connect via a
> http page first.

Only if your porn control is based solely on the domain name. CONNECT
never even sees the paths, so regex against those will always fail.

If DG filters were all domain-based and could successfully filter
CONNECT I would question why you bother with DG and the fancy config
instead of just using squid dstdomain ACLs.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for 3.2.0.10
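The configuration shape the thread is discussing, written out as an added example (not Amos's text and not a Squid project sample): CONNECT to the SSL ports from an authenticated user goes direct, everything else is forced through the DansGuardian cache_peer, and a dstdomain ACL gives Squid its own domain-level block for CONNECT, which is the only part of a CONNECT request it can see. The peer address and port (127.0.0.1:8080), the auth helper line and the example.com domains are assumptions made for this snippet; substitute your own.

```conf
# --- ACLs (constructed for this example) ---
acl SSL_ports port 443
acl CONNECT method CONNECT
# Any authentication scheme works; this assumes basic auth is already configured
# (auth_param basic ... lines are site-specific and not shown here).
acl auth proxy_auth REQUIRED

# Domain-based block that still applies to CONNECT, since CONNECT carries only
# host:port. Paths are never visible here, so no url_regex will match a CONNECT.
acl blocked_domains dstdomain .porn.example.com .adult.example.com

# --- Access control ---
# Refuse tunnels to anything but the known SSL ports.
http_access deny CONNECT !SSL_ports
# Domain-level filtering that does not depend on DansGuardian seeing the request.
http_access deny blocked_domains
http_access allow auth
http_access deny all

# --- Routing ---
# DansGuardian is assumed to listen on 127.0.0.1:8080 and to hand requests
# back to a second Squid instance (the Squid -> DG -> Squid chain of the thread).
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest default

# always_direct is evaluated before never_direct, so authenticated CONNECT to
# port 443 bypasses the peer; these requests are NOT content-filtered by DG.
always_direct allow CONNECT SSL_ports auth
always_direct deny all

# Everything else must go through DansGuardian.
never_direct allow all
```

The trade-off the thread describes is visible in the routing section: whatever matches `always_direct allow` never reaches DansGuardian, so the only filtering left for those tunnels is the `dstdomain` deny above it. Verify the effect with `squid -k parse` after editing and by checking access.log for `DIRECT` versus `FIRSTUP_PARENT` on CONNECT lines.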
Received on Fri Jul 29 2011 - 12:58:25 MDT
