On Sun, Nov 11, 2007, Alex Vorona wrote:
> >>I got transparent squid 2.6 on Linux box via iptables REDIRECT. All
> >>works fine, but squid actually ignores original DST IP in hijacked
> >>connection and uses Host header to resolve to IP and then connects to
> >>that IP.
> >
> >I believe that's a security feature.
> This is acceptable, but not in transparent proxy.
> Maybe I want to test my google on IP 1.1.1.1, but I can't :)
> >Allowing the client to control
> >the Host: name to destination IP mapping makes for some pretty horrible
> >cache poisoning possibilities.
> Yes, it is. Maybe correct proxying of such requests without caching
> will be a solution?
Sure; as long as the DNS lookup is done and the IP address matches one of
those.
I'm sure it wouldn't be difficult to implement; someone just needs to sponsor
the code work or actually do the work. Please throw this request into the
Squid bugzilla as a feature request.
Adrian
-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
Received on Sun Nov 11 2007 - 05:14:15 MST
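The check discussed in this thread, as an added example that is not Squid code and not part of the original messages: recover the destination the client dialled before the iptables REDIRECT, and forward there uncached only if it is among the proxy's own DNS answers for the Host header. The function names, the verdict enum and the choice to reject on a mismatch are assumptions; the sample addresses are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>

#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80 /* from <linux/netfilter_ipv4.h> */
#endif

enum verdict { FORWARD_ORIG_DST_NOCACHE, REJECT_HOST_MISMATCH };

/* Pre-REDIRECT destination of an accepted IPv4 socket; -1 if unavailable. */
int original_dst(int fd, struct sockaddr_in *out)
{
    socklen_t len = sizeof(*out);
    return getsockopt(fd, IPPROTO_IP /* same value as SOL_IP */, SO_ORIGINAL_DST, out, &len);
}

/* The dialled address must be among the proxy's own DNS answers for Host. */
enum verdict check_host(struct in_addr orig, const struct in_addr *dns, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (dns[i].s_addr == orig.s_addr)
            return FORWARD_ORIG_DST_NOCACHE; /* connect to orig, skip the cache */
    return REJECT_HOST_MISMATCH; /* assumption: the thread leaves this case open */
}

/* Text-address wrapper for the demo; unparsable input is rejected. */
enum verdict check_host_str(const char *orig, const char *const *dns, size_t n)
{
    struct in_addr o, d[8];
    if (n > 8 || inet_pton(AF_INET, orig, &o) != 1)
        return REJECT_HOST_MISMATCH;
    for (size_t i = 0; i < n; i++)
        if (inet_pton(AF_INET, dns[i], &d[i]) != 1)
            return REJECT_HOST_MISMATCH;
    return check_host(o, d, n);
}

int main(void)
{
    /* Constructed sample: DNS answers the proxy got for the Host header. */
    const char *dns[] = { "192.0.2.10", "192.0.2.11" };
    printf("%d\n", check_host_str("192.0.2.11", dns, 2));  /* dialled a real A record */
    printf("%d\n", check_host_str("203.0.113.7", dns, 2)); /* Host does not map to dst */
    return 0;
}
```

Because the client's Host header never decides which IP is contacted and the response is not stored, a forged Host cannot plant content in the cache under another site's name.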