On 06/27/2014 09:00 AM, Lawrence Pingree wrote:
> forwarded_for delete
> via off
>
> I realize this breaks the RFC,

More importantly, it breaks Squid's loop detection mechanism. In many
environments, breaking that mechanism creates an easy-to-abuse Squid DoS
attack vector.

Modern Squids have a workaround that can partially restore the loop
cutting code AFAICT: Consider adding

    request_header_add X-UseSomeUniqueNameHere useAnyValueHere all

to your squid.conf so that looping HTTP request headers get larger and
larger with every iteration until Squid refuses to process the looping
request. To cut loops faster, you can also deny incoming requests that
carry that unique-to-your-setup header.

HTH,

Alex.
Received on Fri Jun 27 2014 - 15:33:21 MDT
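
The workaround from the reply above, written out as a squid.conf fragment together with the deny rule it mentions. This is an added example, not part of the original message; the header name and value are the placeholders used in the message, and the ACL name loop_marker is made up here.

```conf
# Added example (not from the original message). Header name/value are the
# placeholders used in the message; the ACL name "loop_marker" is made up here.

# Settings from the quoted post. With the Via header removed, Squid can no
# longer recognise its own hop in a request that comes back to it.
forwarded_for delete
via off

# Workaround, part 1: tag every request this proxy forwards.
# A looping request gains one more copy of the header on each pass.
request_header_add X-UseSomeUniqueNameHere useAnyValueHere all

# Workaround, part 2: refuse any incoming request that already carries the
# tag. This cuts the loop on its first return instead of waiting for the
# headers to grow until Squid refuses the request.
# Place these two lines before the http_access allow rules.
acl loop_marker req_header X-UseSomeUniqueNameHere .
http_access deny loop_marker
```

Give each proxy in a hierarchy its own header name: a parent that shares the name and the deny rule would reject every request its child forwards. `squid -k parse` checks the edited file for syntax errors before a reload.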