[squid-users] CVE-2009-0801

dc dc.sqml at ntcomputer.de
Mon Dec 21 13:34:32 UTC 2015


On 19.12.2015 at 00:52, Amos Jeffries wrote:
> Why not?
> * NAT/TPROXY is mandatory to happen on the Squid machine directly since
> kernel and Squid are performing integrated operations.
> * PROXY protocol passes the ORIGINAL_DST explicitly over the wire.
> * SSL-Bump all happens "inside Squid".
>
> Those are the only forms of interception Squid supports.
>
Thanks for making that clear! I fixed my setup accordingly. Squid now
gathers original IP addresses from NAT.
I also enabled host_verify_strict, which should make sure requests are
always sent to correct IP addresses. Is there an equivalent setting for
peek-and-spliced HTTPS connections? Or does host_verify_strict cover
that case as well? This would be important, since otherwise a malicious
application could bypass the whitelist ACLs I have installed.

Nikolaus
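As an added illustration (not part of the thread and not Squid project code), the following squid.conf fragment shows one way to combine the pieces Nikolaus mentions: intercept ports fed by NAT on the Squid host, host_verify_strict so an intercepted request whose Host header disagrees with the original destination IP is rejected, a destination whitelist for plain HTTP, and a peek-and-splice policy that applies the same whitelist to the TLS SNI before splicing. Directive names are real Squid 3.5 directives; the port numbers, certificate path, port name and example.com/example.org domains are placeholders chosen for this example.

```conf
# Intercepted plain HTTP: packets are redirected here by NAT rules on the
# Squid machine, so Squid can read the original destination from the kernel.
http_port 3129 intercept name=http_intercept

# Intercepted HTTPS: peeked for the SNI, then spliced (no decryption).
# cert= is the Squid 3.5 option name; the path is a placeholder.
https_port 3130 intercept ssl-bump name=tls_intercept cert=/etc/squid/ssl_cert/squid.pem

# Reject intercepted requests whose Host header does not match the
# original destination IP (the CVE-2009-0801 class of Host spoofing).
host_verify_strict on

# Whitelist: destinations reachable over plain HTTP, and the same names
# when they appear as the TLS server name (SNI) on spliced connections.
acl allowed_dst dstdomain .example.com .example.org
acl allowed_sni ssl::server_name .example.com .example.org

acl CONNECT method CONNECT
acl intercepted_tls myportname tls_intercept
acl step1 at_step SslBump1

# The fake CONNECT that Squid builds for an intercepted TLS connection
# carries only the destination IP until the SNI has been peeked, so let it
# through here and enforce the whitelist in the ssl_bump rules below.
http_access allow CONNECT intercepted_tls
http_access allow allowed_dst
http_access deny all

# Peek at the ClientHello, splice only whitelisted server names, and
# close everything else without ever decrypting.
ssl_bump peek step1
ssl_bump splice allowed_sni
ssl_bump terminate all
```

The split between http_access (plain HTTP) and ssl_bump (TLS) is deliberate: a spliced connection is never decrypted, so the only name Squid can check is the SNI, and ssl::server_name is where that check lives. Whether host_verify_strict itself also applies to the spliced case is the question the post asks and is left open here.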
