[squid-users] Host header forgery policy in service provider environment

Garri Djavadyan garryd at comnet.uz
Wed Dec 30 11:01:00 UTC 2015

Hello Squid members and developers!

First of all, I wish you a Happy New Year 2016!

The current Host header forgery policy effectively prevents cache
poisoning. But I also noticed that it deletes an earlier verified cached
object. Is it possible to implement a more careful algorithm as an
option? For example, if Squid did not delete an earlier successfully
verified and valid cached object and served the forged request from the
cache, it would be more effective and at the same time secure behavior.

For example, in a service provider tproxy environment, it is almost
impossible to effectively optimize content delivery from sophisticated
CDNs, such as appldnld.apple.com and iosapps.itunes.apple.com. For the
latter domain, DNS servers return different pairs of A records for the
same host every 15 seconds regardless of geo location. For the former
domain, local DNS servers and public DNS servers (Google) return
different records. As I emphasized, in an SP environment it is not
possible to control DNS settings on subscriber systems.

Thank you for attention!

Garri Djavadyan
iPlus LLC, TM Comnet, Technical Department
Phone: +99871 2333335 (ext. 27)
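Added example (not from the post or from Squid's code base): a small Python simulation of the situation described above. An intercepting proxy compares the destination IP of the intercepted connection with the A records it resolves itself for the Host header; when a subscriber's resolver returns a different pool than the proxy's (as described for appldnld.apple.com, and equivalently when a pool rotates every 15 seconds and client and proxy resolve on opposite sides of a rotation), the check fails and the request is treated as forged. The two cache policies are the behaviour the post describes (purge the earlier verified copy) and the option the post proposes (keep it and serve it). Hostnames, addresses (RFC 5737 documentation ranges), the `Proxy` class and `run_scenario` are all constructed for this illustration; freshness checking is deliberately omitted.

```python
"""Constructed simulation of an intercepting proxy's Host header forgery check
and of the two cache policies discussed in the post. Illustration only, not
Squid's implementation; all names and addresses are made up."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Constructed DNS views of one CDN hostname. Subscribers using the provider's
# resolver agree with the proxy; a subscriber using a public resolver gets a
# different address pool, so the destination IP never matches what the proxy
# resolves. A pool rotating every 15 seconds has the same effect whenever
# client and proxy resolve on opposite sides of a rotation.
PROVIDER_DNS: Dict[str, Set[str]] = {"cdn.example.com": {"192.0.2.10", "192.0.2.11"}}
PUBLIC_DNS: Dict[str, Set[str]] = {"cdn.example.com": {"198.51.100.20", "198.51.100.21"}}


@dataclass
class Request:
    host: str     # Host: header sent by the client
    dst_ip: str   # IP the intercepted TCP connection was actually going to
    path: str = "/"

    @property
    def url(self) -> str:
        return f"http://{self.host}{self.path}"


@dataclass
class Proxy:
    resolver: Dict[str, Set[str]]            # the proxy's own DNS view
    fetch: Callable[[str, str, str], str]    # (dst_ip, host, path) -> body
    keep_verified_on_forgery: bool           # policy switch proposed in the post
    cache: Dict[str, str] = field(default_factory=dict)
    origin_fetches: int = 0

    def host_verified(self, req: Request) -> bool:
        """The destination IP must be one of the A records the proxy itself
        resolves for the Host header; otherwise forgery is suspected."""
        return req.dst_ip in self.resolver.get(req.host, set())

    def _fetch(self, req: Request) -> str:
        self.origin_fetches += 1
        return self.fetch(req.dst_ip, req.host, req.path)

    def serve(self, req: Request) -> Tuple[str, str]:
        """Return (outcome, body). Outcomes: HIT, MISS, FORGED_HIT, FORGED_PASS."""
        key = req.url
        if self.host_verified(req):
            if key in self.cache:
                return "HIT", self.cache[key]
            body = self._fetch(req)
            self.cache[key] = body        # only verified responses are cached
            return "MISS", body
        # Host header forgery suspected: the response is never stored.
        if not self.keep_verified_on_forgery:
            # Behaviour the post describes: the earlier verified copy is dropped.
            self.cache.pop(key, None)
        elif key in self.cache:
            # Proposed option: serve the previously verified object from cache
            # (freshness check omitted in this toy) instead of contacting the
            # client's unverified destination.
            return "FORGED_HIT", self.cache[key]
        return "FORGED_PASS", self._fetch(req)


def origin(dst_ip: str, host: str, path: str) -> str:
    """Constructed origin: same content whichever pool address is hit."""
    return f"content of http://{host}{path}"


def run_scenario(keep_verified_on_forgery: bool) -> Tuple[List[str], int]:
    """Three subscribers fetch the same object: one via the provider's DNS,
    one via public DNS (destination mismatch), then another via the provider's
    DNS. Returns the per-request outcomes and the number of origin fetches."""
    proxy = Proxy(PROVIDER_DNS, origin, keep_verified_on_forgery)
    reqs = [
        Request("cdn.example.com", "192.0.2.10", "/pkg.ipa"),
        Request("cdn.example.com", "198.51.100.20", "/pkg.ipa"),
        Request("cdn.example.com", "192.0.2.11", "/pkg.ipa"),
    ]
    outcomes = [proxy.serve(r)[0] for r in reqs]
    return outcomes, proxy.origin_fetches


if __name__ == "__main__":
    for keep in (False, True):
        outcomes, fetches = run_scenario(keep)
        print(f"keep_verified_on_forgery={keep}: {outcomes}, origin fetches={fetches}")
```

With the purging policy the mismatching request both bypasses the cache and evicts the verified copy, so the next verified subscriber fetches from the origin again; with the proposed option the same sequence costs a single origin fetch and the unverified destination is never used to populate the cache.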
