[squid-users] Squid Intercept - From inside LAN with DNAT on router and docker on host

Amos Jeffries squid3 at treenet.co.nz
Thu Jul 21 13:48:29 UTC 2016


On 22/07/2016 12:00 a.m., Guilherme Scaglia wrote:
> Amos,
> 
>> There is a different config example for REDIRECT <
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>
> 
> Ty, I'm going to try it using REDIRECT. I was unwilling to follow the DNAT
> guide because of having to enable ip-forwarding in a non-router machine.
> The REDIRECT version seems cleaner and is similar to what I've been doing
> using the embedded proxy on the Mikrotik router.

If that is right I think that is an oversight in the REDIRECT example.
In order to receive packets with destination IP of another machine, the
Squid machine needs to be configured and operating as a router. You
cannot avoid that either, since non-router machines drop that type of
packet at the interface before iptables even gets to see them.

It does not need to route *all* traffic of course. Just the (port 80
only?) stuff delivered to it by the Mikrotik.

> 
> Antony,
> 
>> That won't work.  You *must* perform the DNAT on the machine running Squid
> 
> Just for curiosity's sake, why is there such a restriction? I thought squid
> didn't enter the picture until after DNAT was done, and that by then it
> wouldn't know where it happened. Does it somehow query the system to know
> the original request destination? Wouldn't simply relying on the HOST
> header of the request suffice?
> 

Because of CVE-2009-0801. Using the Host header without verifying that its
content is accurate allows attackers to place arbitrary content in your
cache for any URL of their choice, resulting in all the nasty side
effects you can imagine that ability allows them. There is/was some
active malware as well.

Amos
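The following Python is an added example, not part of Amos's reply and not Squid's own code. It models the two points made above: the client's real destination is recovered from the NAT table of the local kernel (Linux SO_ORIGINAL_DST), which is why the DNAT or REDIRECT has to happen on the Squid host, and the Host header is only trusted when it resolves to that original destination IP, which is the verification CVE-2009-0801 forced. The hostnames, addresses, resolver table and cache are constructed for the demonstration; only the SO_ORIGINAL_DST value and the sockaddr_in layout come from Linux.

```python
"""Why the NAT lookup must happen on the Squid host, and why the Host header
alone cannot be trusted (CVE-2009-0801).

Added example, not Squid's code.  It models:

  1. recovering the client's real destination from the kernel's NAT table
     (Linux SO_ORIGINAL_DST), which only the machine that performed the
     DNAT/REDIRECT can answer; and
  2. the host-verification step: the Host header is trusted only when it
     resolves to that original destination IP; otherwise the response is
     never stored under the hostname's URL.

All addresses, hostnames and the resolver table below are constructed.
"""
import socket
import struct

# Value from Linux <linux/netfilter_ipv4.h>; used with getsockopt(SOL_IP, ...).
SO_ORIGINAL_DST = 80

# Constructed DNS view as seen from the proxy host: hostname -> A records.
FAKE_DNS = {
    "bank.example": {"198.51.100.5"},
    "cdn.example": {"198.51.100.5", "198.51.100.6"},
    "attacker.example": {"203.0.113.10"},
}


def pack_sockaddr_in(ip, port):
    """Build the struct sockaddr_in the kernel returns (used for offline tests)."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + b"\0" * 8)


def parse_original_dst(raw):
    """Unpack sockaddr_in: family (host order), port (network order), IPv4, padding."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short")
    family = struct.unpack("=H", raw[:2])[0]
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET address")
    port = struct.unpack("!H", raw[2:4])[0]
    return socket.inet_ntoa(raw[4:8]), port


def original_destination(sock):
    """Ask the local conntrack table where this intercepted connection was going.

    Only meaningful on the host that did the DNAT/REDIRECT: that kernel holds
    the conntrack entry.  Anywhere else the socket's local address is all the
    proxy can see, so the real destination is lost.
    """
    return parse_original_dst(sock.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))


def host_from_header(host_header):
    """Hostname part of a Host header value, port removed, lower-cased.

    Bracketed IPv6 literals are handled; a bare IPv6 literal is not.
    """
    host = host_header.strip().lower()
    if host.startswith("["):
        return host[1:host.index("]")]
    return host.rsplit(":", 1)[0] if ":" in host else host


def resolve(host, resolver=FAKE_DNS):
    """Return the set of A records for host from the (constructed) resolver."""
    return set(resolver.get(host, ()))


def handle_intercepted_request(orig_dst_ip, host_header, path, response_body,
                               cache, verify=True, resolver=FAKE_DNS):
    """Simulate one intercepted request and what ends up in the shared cache.

    orig_dst_ip is what original_destination() returned; response_body is what
    the server at orig_dst_ip answered.  Returns a short verdict string.
    """
    host = host_from_header(host_header)
    url = f"http://{host}{path}"
    if not verify:
        # Pre-fix behaviour: the cache key comes from Host alone.  An attacker
        # who connects to their own server with "Host: bank.example" now
        # controls what every other client gets for that URL.
        cache[url] = response_body
        return "cached_unverified"
    if orig_dst_ip in resolve(host, resolver):
        cache[url] = response_body
        return "cached"
    # Host does not resolve to the IP the client actually connected to.  The
    # reply may still be relayed to this one client, but it must not be stored
    # under the hostname's URL.
    return "host_mismatch_not_cached"


if __name__ == "__main__":
    poisoned, checked = {}, {}
    # Attacker on the LAN: TCP to their own box, but claims to be the bank.
    print(handle_intercepted_request("203.0.113.10", "bank.example", "/login",
                                     b"<form action=evil>", poisoned, verify=False))
    print(handle_intercepted_request("203.0.113.10", "bank.example", "/login",
                                     b"<form action=evil>", checked))
    print(sorted(poisoned), sorted(checked))
    print(parse_original_dst(pack_sockaddr_in("198.51.100.5", 80)))
```

Run it as a script to see the unverified path store the attacker's body under http://bank.example/login while the verified path stores nothing; original_destination() is the only piece that needs a real intercepted socket on the NAT host, and parse_original_dst() is exercised offline through pack_sockaddr_in().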
