Re: [squid-users] squid 3.2 intercept and upstream proxy not working

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 10 Aug 2012 23:32:13 +1200

On 10/08/2012 10:54 p.m., Eliezer Croitoru wrote:
> On 8/9/2012 4:47 AM, Amos Jeffries wrote:
>> On 09.08.2012 12:32, Eliezer Croitoru wrote:
>>> On 8/9/2012 2:16 AM, Amos Jeffries wrote:
>>>>
>>>> Releases 3.2.0.14->3.2.0.18 have a standing block preventing requests
>>>> with conflicting destination IP and destination domain name being
>>>> passed to peers.
>>>>
>>>> Release 3.2.0.19 loosens that block to allow it, but only if the
>>>> client's original destination IP (ORIGINAL_DST) is non-contactable by
>>>> the proxy.
>>>>
>>>> BUT, ... checking your config file there is a bigger problem, and a
>>>> relatively large amount of useless ACL checks ...
>>> And let's say I want to loosen it a bit more?
>>
>> How much more?
>> To relay known dangerous traffic to peers as if it were safe?
>> Or just to obey never_direct?
> Flag it as safe... because it is a local one that is safe.
> I am talking only about HTTP traffic and not HTTPS.

Please try 3.2.0.19 with this extra patch:
http://ww.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11644.patch

It removes the preference bias for ORIGINAL_DST over peers.

Amos
Received on Fri Aug 10 2012 - 11:32:27 MDT
