Re: [squid-users] squid 3.2 intercept and upstream proxy not working

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Fri, 10 Aug 2012 23:23:10 +0300

On 8/10/2012 2:32 PM, Amos Jeffries wrote:
> On 10/08/2012 10:54 p.m., Eliezer Croitoru wrote:
>> On 8/9/2012 4:47 AM, Amos Jeffries wrote:
>>> On 09.08.2012 12:32, Eliezer Croitoru wrote:
>>>> On 8/9/2012 2:16 AM, Amos Jeffries wrote:
>>>>>
>>>>> Releases 3.2.0.14->3.2.0.18 have a standing block preventing requests
>>>>> with conflicting destination IP and destination domain name being
>>>>> passed to peers.
>>>>>
>>>>> Release 3.2.0.19 loosens that block to allow it, but only if the
>>>>> client's original destination IP (ORIGINAL_DST) is non-contactable by
>>>>> the proxy.
>>>>>
>>>>> BUT, ... checking your config file there is a bigger problem, and a
>>>>> relatively large amount of useless ACL checks ...
>>>> And let's say I want to loosen it a bit more?
>>>
>>> How much more?
>>> to relay known dangerous traffic to peers as if it were safe?
>>> or just to obey never_direct?
>> Flag it as safe... because it is a local one that is safe.
>> I am talking only about HTTP traffic and not HTTPS.
>
> Please try 3.2.0.19 with this extra patch:
> http://ww.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11644.patch
The link should be:
http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11644.patch

And it works like a charm. :)

Now I noticed that the url_rewrite_concurrency was changed and it's nice.

Maybe an option can be added to the build of 3.2 to use some safety
modes on cache_peer? Or maybe a flag that will mark cache_peer as safe?

Thanks,
Eliezer
>
> It removes the preference bias for ORIGINAL_DST over peers.
>
> Amos

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
Received on Fri Aug 10 2012 - 20:23:28 MDT
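
Added example, not part of the original message and not Squid source code: a small Python model of the peer-relay rule as described in the quoted text above, for an intercepted request whose Host name and original destination IP may conflict. The policy labels, the DNS table and the function names are constructed for illustration; reading the patched build as always permitting the peer, and treating an unresolvable Host as a conflict, are assumptions.

```python
import ipaddress

# Constructed DNS answers (documentation ranges), standing in for the proxy's resolver.
DNS = {
    "www.example.com": {"192.0.2.10", "192.0.2.11"},
    "local.example": {"198.51.100.5"},
}

# Hypothetical labels for the three behaviours mentioned in the thread.
POLICIES = ("3.2.0.14-18", "3.2.0.19", "3.2.0.19+11644")


def host_name(host_header):
    """Strip the optional port from a Host header value; handles [IPv6]:port."""
    h = host_header.strip()
    if h.startswith("["):
        return h[1:h.index("]")]
    return h.rsplit(":", 1)[0] if h.count(":") == 1 else h


def conflicts(host_header, original_dst, dns=DNS):
    """True when the intercepted destination IP is not an address of the Host."""
    dst = ipaddress.ip_address(original_dst)
    name = host_name(host_header).lower().rstrip(".")
    try:
        return ipaddress.ip_address(name) != dst  # Host is an IP literal
    except ValueError:
        # Assumption: a name with no DNS answer counts as a conflict.
        return dst not in {ipaddress.ip_address(a) for a in dns.get(name, ())}


def may_relay_to_peer(policy, host_header, original_dst, dst_reachable, dns=DNS):
    """Model of whether the request may be passed to a cache_peer."""
    if policy not in POLICIES:
        raise ValueError("unknown policy: %r" % policy)
    if not conflicts(host_header, original_dst, dns):
        return True               # Host and destination IP agree: nothing to block
    if policy == "3.2.0.14-18":
        return False              # standing block on conflicting requests
    if policy == "3.2.0.19":
        return not dst_reachable  # only when ORIGINAL_DST is non-contactable
    return True                   # assumption: no ORIGINAL_DST bias after the patch


if __name__ == "__main__":
    # Constructed request: Host says www.example.com, packet went to 203.0.113.7.
    for p in POLICIES:
        for reachable in (True, False):
            ok = may_relay_to_peer(p, "www.example.com:80", "203.0.113.7", reachable)
            print(p, "dst_reachable=%s" % reachable, "peer allowed" if ok else "no peer")
```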
