[squid-users] Inconsistent accessing of the cache, craigslist.org images, wacky stuff.
Amos Jeffries
squid3 at treenet.co.nz
Fri Oct 30 08:50:52 UTC 2015
On 30/10/2015 5:44 p.m., Eliezer Croitoru wrote:
> Hey,
>
> I was convinced that there was an option to disable the host forgery
> test, which will make more sense if you will use bind and will intercept
> all DNS traffic into it.
There is host_verify_strict to set the checking between super-strict
paranoia (on), and allowing the one client to be borked but protecting
others (off, which is the default).
There is client_dst_passthru to use the client-provided dst-IP as the first
preferred destination (on), or to do the same server selection as
explicit-proxy traffic does regardless of where the client was trying to
go (off).
* Turning this off can be faster but break sites which make bad
assumptions about end-to-end sessions or otherwise depend on IP-based
security sessions, so the default is on.
* It does not affect the host_verify_strict decision, only applies when
the Host header is detected as okay.
* It does nothing when a cache_peer is being relayed through as the
only upstream option.
>
> About your idea for an upstream cache.
> It's a pretty nice idea, I am pretty sure that the host forgery test can
> be disabled in a case you are using an upstream cache_peer.
Yes, traffic being received in explicit-proxy syntax (e.g. from a
front-end proxy) does not have host verification applied unless you
decide to set the super-paranoid mode to on. Host verification is only
applied on the proxy doing NAT intercept or TPROXY.
Amos
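As an added illustration (not part of the thread or of Squid's own documentation), here is a squid.conf fragment for the two-proxy layout Amos describes: an intercepting edge proxy that relays to an upstream cache as its only upstream. Hostnames, ports and the peer address are placeholders.

```conf
# Added example, not from the mailing-list thread. Placeholder host
# and port values; adjust to your own layout.

# ---- edge proxy: the one doing NAT intercept ----
http_port 3129 intercept        # host verification is applied on this port
http_port 3128                  # explicit-proxy port: no host verification

# Default (off): a forged Host header only breaks the one client that
# sent it, other clients are protected. Set "on" for super-strict mode.
host_verify_strict off

# Default (on): once the Host header is judged okay, prefer the dst-IP
# the client was actually going to over Squid's own server selection.
# Turning this off can be faster but breaks sites that depend on
# IP-based sessions. It never changes the host_verify_strict outcome.
client_dst_passthru on

# Relay everything through one upstream cache. With the peer as the only
# upstream option, client_dst_passthru has no effect on this traffic.
cache_peer upstream-cache.example.net parent 3128 0 no-query default
never_direct allow all

# ---- upstream cache (separate squid.conf) ----
# Receives explicit-proxy syntax from the edge proxy, so host
# verification is not applied here unless host_verify_strict is on.
# http_port 3128
# host_verify_strict off
```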