Re: [squid-users] deny_info TCP_RESET all for hiding squid

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 07 Aug 2013 01:26:54 +1200

On 6/08/2013 12:57 a.m., Alfredo Rezinovsky wrote:
> I need a squid in tproxy mode to work in stealth mode

Please outline the requirements of your stealth mode and we might be
able to offer suggestions.

Hint: You *will* come down to the choice of whether to advertise the
proxy's existence in HTTP protocol things or break clients' connectivity.

Hint #2: no matter what choice you select from the above the proxy
becomes visible. Even by its action of breaking the connectivity it
reveals itself. ... There is *no* "stealth mode".

>
> I tried
> deny_info TCP_RESET all
>

Well. That tells me you will choose to break clients' connectivity.

deny_info outlines the response action Squid is to deliver to the client
if an *access control* has explicitly resulted in "deny all".

It has no effect on:
* default access permission policies (ie denial due to an access control
setting being completely absent from squid.conf)
* HTTP protocol parsing or processing error responses (including
timeouts). These are *mandatory* in most cases.
* HTTP protocol auto-negotiation features. Such as rejecting unsupported
Expect: functionality. These are *mandatory* in some circumstances.

> but when squid times out or the destination server rejects the
> connection squid returns an error.
> I want squid to just reset the connection with no messages.

Note that some of the responses I qualified with "most cases" and "some
circumstances". At present Squid has a blanket sending out of those
responses in all such occurrences. This can be improved upon, but simply
does not exist yet in Squid.

Amos
Received on Tue Aug 06 2013 - 13:27:01 MDT
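
An added illustration, not part of the original message or of the Squid project's own material: a squid.conf fragment showing the scope described in the reply, where deny_info TCP_RESET only takes effect when an http_access rule explicitly denies through the named ACL. The ACL names, the domain and the address range are constructed for the example.

```conf
# Constructed ACLs for illustration only.
acl localnet src 10.0.0.0/8
acl blocked_sites dstdomain .example.net

# Explicit access-control denial. Squid picks the deny_info entry by the
# last ACL named on the http_access line that denied the request.
http_access deny blocked_sites
deny_info TCP_RESET blocked_sites

# The final rule is stated explicitly rather than left to the default
# access policy, which deny_info does not influence.
http_access allow localnet
http_access deny all
deny_info TCP_RESET all

# Still answered with Squid-generated error responses, whatever deny_info
# says (the cases listed in the reply above):
#   - timeouts and other HTTP protocol parsing or processing errors
#   - the destination server rejecting the connection
#   - HTTP auto-negotiation, such as rejecting unsupported Expect:
```

With this in place, only requests refused by the two http_access deny lines are reset; the commented cases continue to return Squid's error responses, so the proxy remains observable to clients.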
