[squid-users] Caching for download servers

Amos Jeffries squid3 at treenet.co.nz
Fri Jan 5 07:06:54 UTC 2018


On 04/01/18 19:43, Umut Arus wrote:
> Thank you. It seems a nice guide. I mean caching some destinations used 
> for download without doing any setup on client side. Is it possible to 
> use dns to proxy redirection for some destination zones?

No. Well, it may be _possible_ but very, very far from safe.

When intercepting traffic there are some *extremely* nasty security 
issues involved with Host header that have to be avoided. The details 
can be found at 
<https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery>.

The only way to safely avoid lots of false errors is to relay traffic to 
the dst-IP the client presents when the security checks fail.

But if you alter DNS so Squid and clients see different things then 
*all* the traffic shows up as forged and the dst-IP will be the proxy's 
own IP.

So there is nowhere the proxy can connect to which will provide the 
content needed. Attempts to do so loop infinitely back to the proxy.


Amos
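
A simplified model of the check described in the message above, added here as an illustration; it is not Squid's code and not part of the original post. The host name, addresses and function names are constructed, and the model assumes responses that fail verification are not cached.

```python
# Simplified model of Host-header verification on an intercepting proxy.
# Illustration only, not Squid's implementation; every name and address
# here is constructed (documentation-range IPs, example.com host).

PROXY_IP = "192.0.2.10"       # the intercepting proxy
ORIGIN_IP = "198.51.100.20"   # the real download server
OTHER_IP = "203.0.113.66"     # unrelated address a client might dial

REAL_DNS = {"downloads.example.com": {ORIGIN_IP}}
REDIRECT_DNS = {"downloads.example.com": {PROXY_IP}}  # zone altered for clients


def route(host, dst_ip, proxy_dns):
    """Decide what the proxy does with one intercepted request.

    host      -- Host header sent by the client
    dst_ip    -- destination IP of the intercepted connection
    proxy_dns -- DNS view the proxy itself resolves against
    """
    verified = dst_ip in proxy_dns.get(host, set())
    # Verified or not, relaying to the dialled address is the safe choice;
    # assumption: an unverified response is also kept out of the cache.
    upstream = dst_ip
    return {
        "verified": verified,
        "upstream": upstream,
        "cacheable": verified,
        "loops": upstream == PROXY_IP,  # proxy would connect to itself
    }


def simulate(host, client_dns, proxy_dns, dialled=None):
    """Client resolves host in its own DNS view (or dials a given IP)."""
    dst_ip = dialled or sorted(client_dns[host])[0]
    return route(host, dst_ip, proxy_dns)


if __name__ == "__main__":
    host = "downloads.example.com"
    cases = {
        "normal interception": simulate(host, REAL_DNS, REAL_DNS),
        "Host does not match dst-IP": simulate(host, REAL_DNS, REAL_DNS, OTHER_IP),
        "DNS redirect to proxy": simulate(host, REDIRECT_DNS, REAL_DNS),
    }
    for name, result in cases.items():
        print(f"{name:28} {result}")
```

In the third case the only address the proxy may relay to is its own, which is the loop the message describes.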

