[squid-users] TProxy and client_dst_passthru
Amos Jeffries
squid3 at treenet.co.nz
Sat Jul 4 15:04:26 UTC 2015
On 4/07/2015 8:02 p.m., Stakres wrote:
> Hi Amos,
>
> We did tons of tests with the latest Squid versions and this is not the
> behaviour with the "host_verify_strict off" and "client_dst_passthru off".
> With those 2 options OFF, we see a lot of ORIGINAL_DST that we should not
> see if we follow your explanations, so it seems there is a bug somewhere?
>
Such as?

Enable debug_options 85,3 to see host verify checks and results in action.

> Can you check from your side (tproxy or not, same behaviour), thanks in
> advance.

The tests I have all work as expected, including malware PoC...

When verify passes Squid goes DIRECT (client_dst_passthru off) or
ORIGINAL_DST (client_dst_passthru on). With caching allowed.

When verify fails Squid goes ORIGINAL_DST or NONE (409 rejection). With
caching blocked.

Non-intercepted traffic does not get verified by default
(host_verify_strict off).

Verified non-intercepted traffic (host_verify_strict on) with URL and
Host header containing identical content is treated normally. 409
rejection for all others.

Amos