Re: [squid-users] Transparent squid ignores client-side /etc/hosts

From: Adrian Chadd <adrian@dont-contact.us>
Date: Sun, 11 Nov 2007 21:17:40 +0900

On Sun, Nov 11, 2007, Alex Vorona wrote:

> >>I got transparent squid 2.6 on Linux box via iptables REDIRECT. All
> >>works fine, but squid actually ignores original DST IP in hijacked
> >>connection and uses Host header to resolve to IP and then connects to
> >>that IP.
> >
> >I believe that's a security feature.

> This is acceptable, but not in transparent proxy.
> Maybe I want to test my google on IP 1.1.1.1, but I can't :)

> >Allowing the client to control
> >the Host: name to destination IP mapping makes for some pretty horrible
> >cache poisoning possibilities.

> Yes, it is. Maybe correct proxying of such requests without caching
> will be a solution?

Sure; as long as the DNS lookup is done and the IP address matches one of
those.

I'm sure it wouldn't be difficult to implement; someone just needs to sponsor
the code work or actually do the work. Please throw this request into the
Squid bugzilla as a feature request.

Adrian

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
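The check Adrian sketches above (resolve the Host header on the proxy side, and only trust the intercepted connection's original destination if it is one of the addresses DNS returns), written out as an added example; this is not Squid code and not part of the original thread. The decision labels, the `allow_unverified` switch and the `resolver` injection point are assumptions made for the example; `original_dst` is whatever address the redirect recovered for the connection.

```python
import ipaddress
import socket

# Decision labels for an intercepted request (constructed for this example).
CACHEABLE = "forward-and-cache"  # original DST IP agrees with proxy-side DNS for Host
UNCACHED = "forward-uncached"    # mismatch: forward to the original DST, never cache
REJECT = "reject"                # mismatch and the operator chose not to forward

def resolve_host(host):
    """Proxy-side DNS lookup for a Host name; the client's /etc/hosts plays no part."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def normalize_host(host_header):
    """Lowercase, strip an optional :port and IPv6 brackets, drop a trailing dot."""
    h = host_header.strip().lower()
    if h.startswith("["):             # "[2001:db8::1]:8080" -> "2001:db8::1"
        h = h[1:].split("]", 1)[0]
    elif h.count(":") == 1:           # "name:port" or "192.0.2.10:80"
        h = h.split(":", 1)[0]
    return h.rstrip(".")

def check_intercepted_request(host_header, original_dst, resolver=resolve_host,
                              allow_unverified=False):
    """Treat a REDIRECTed connection whose Host header may not match its original DST IP.
    If the proxy's own DNS returns original_dst for Host, the client is not steering that
    name to a server of its choosing and the response may be cached; otherwise forward
    uncached (the thread's proposal) or reject, depending on allow_unverified."""
    if not host_header:
        return REJECT
    host = normalize_host(host_header)
    dst = ipaddress.ip_address(original_dst)
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:   # Host is an IP literal: it must be the connected address
        return CACHEABLE if literal == dst else (UNCACHED if allow_unverified else REJECT)
    resolved = set()
    for addr in resolver(host):
        try:
            resolved.add(ipaddress.ip_address(addr))
        except ValueError:    # skip anything that is not a plain address
            continue
    if dst in resolved:
        return CACHEABLE
    return UNCACHED if allow_unverified else REJECT
```

With the default resolver the function performs a live lookup, so an offline test should pass a constructed resolver as shown in the assertions below.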
Received on Sun Nov 11 2007 - 05:14:15 MST