[squid-users] Caching for download servers
Amos Jeffries
squid3 at treenet.co.nz
Fri Jan 5 07:06:54 UTC 2018
On 04/01/18 19:43, Umut Arus wrote:
> Thank you. It seems a nice guide. I mean caching some destinations used
> for download without doing any setup on client side. Is it possible to
> use dns to proxy redirection for some destination zones?
No. Well, it may be _possible_ but very, very far from safe.
When intercepting traffic there are some *extremely* nasty security
issues involved with Host header that have to be avoided. The details
can be found at
<https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery>.
The only way to safely avoid lots of false errors is to relay traffic to
the dst-IP the client presents when the security checks fail.
But if you alter DNS so Squid and clients see different things then
*all* the traffic shows up as forged and the dst-IP will be the proxy's
own IP.
So there is nowhere the proxy can connect to which will provide the
content needed. Attempts to do so loop infinitely back to the proxy.
Amos
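
The routing decision described in the reply above, as a simplified model added here (it is not part of the original message and is not Squid's code). The function names, the addresses and the DNS view are constructed for illustration; it handles DNS names only, not IP literals in the Host header.

```python
import ipaddress

PROXY_IP = "192.0.2.10"  # constructed address of the intercepting proxy


def host_name(host_header):
    """Lower-case DNS name from a Host header, without port or trailing dot."""
    name = host_header.strip().lower()
    if ":" in name:  # names only; IPv6 literals are out of scope here
        name = name.rsplit(":", 1)[0]
    return name.rstrip(".")


def route_intercepted(dst_ip, host_header, proxy_dns, proxy_ip=PROXY_IP):
    """Decide where the proxy can fetch one intercepted request from.

    dst_ip      -- destination IP of the client's TCP connection
    host_header -- Host header the client sent
    proxy_dns   -- name -> addresses, as the proxy's own resolver sees them
    """
    name = host_name(host_header)
    dst = ipaddress.ip_address(dst_ip)
    seen = {ipaddress.ip_address(a) for a in proxy_dns.get(name, ())}
    if dst in seen:
        # Host header agrees with where the client was actually going.
        return ("verified", name)
    if dst == ipaddress.ip_address(proxy_ip):
        # Check failed and the only fallback, the dst-IP, is the proxy itself.
        return ("loop", dst_ip)
    # Check failed: relay to the dst-IP the client presented.
    return ("relay-to-dst", dst_ip)


# Constructed sample data (documentation address ranges).
PROXY_VIEW = {"dl.example.com": ["203.0.113.5"]}


def scenarios():
    return {
        "normal intercept": route_intercepted("203.0.113.5", "dl.example.com", PROXY_VIEW),
        "host/dst mismatch": route_intercepted("198.51.100.7", "dl.example.com:80", PROXY_VIEW),
        "client DNS points at proxy": route_intercepted(PROXY_IP, "dl.example.com", PROXY_VIEW),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:28} -> {result}")
```

The third scenario is the DNS-redirection setup from the question: the client's resolver hands out the proxy's address, so verification fails and the fallback target is the proxy itself.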