On Sun, Nov 11, 2007, Alex Vorona wrote:
> >>I got transparent squid 2.6 on Linux box via iptables REDIRECT. All
> >>works fine, but squid actually ignores original DST IP in hijacked
> >>connection and uses Host header to resolve to IP and then connects to
> >>that IP.
> >
> >I believe that's a security feature.
> This is acceptable, but not in transparent proxy.
> Maybe I want to test my google on IP 1.1.1.1, but I can't :)
> >Allowing the client to control
> >the Host: name to destination IP mapping makes for some pretty horrible
> >cache poisoning possibilities.
> Yes, it is. Maybe correct proxying of such requests without caching
> will be solution?

Sure; as long as the DNS lookup is done and the IP address matches one of those.
I'm sure it wouldn't be difficult to implement; someone just needs to sponsor
the code work or actually do the work.

Please throw this request into the Squid bugzilla as a feature request.

Adrian

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
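
The check discussed in this thread, as an added example that is not part of the original messages and is not Squid's code: connect to the destination IP the client dialled, and let the reply into the shared cache only when that IP is one of the addresses DNS returns for the Host name. The names `decide`, `host_name`, `Decision` and the sample DNS table are hypothetical, and `orig_dst` is assumed to have been read from the redirected socket already.

```python
import ipaddress
import socket
from typing import NamedTuple

class Decision(NamedTuple):
    connect_to: str  # upstream IP the proxy should connect to
    cacheable: bool  # may the reply be stored under the Host-based URL?

# Constructed sample DNS data (documentation ranges), so the demo runs offline.
SAMPLE_DNS = {"www.example.com": ["192.0.2.10", "192.0.2.11"]}

def sample_resolver(host):
    return SAMPLE_DNS.get(host, [])

def system_resolver(host):
    """A/AAAA lookup through the system resolver."""
    return [ai[4][0] for ai in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)]

def host_name(header):
    """Drop the optional port from a Host header value, incl. the [IPv6]:port form."""
    header = header.strip().lower()
    if header.startswith("["):
        return header[1:].partition("]")[0]
    return header.rsplit(":", 1)[0] if header.count(":") == 1 else header

def decide(orig_dst, host_header, resolve=system_resolver):
    """orig_dst: the pre-REDIRECT destination IP of the intercepted connection."""
    dst = ipaddress.ip_address(orig_dst)
    name = host_name(host_header).rstrip(".")
    try:
        candidates = {ipaddress.ip_address(name)}  # Host was an IP literal
    except ValueError:
        try:
            candidates = {ipaddress.ip_address(a) for a in resolve(name)}
        except OSError:  # lookup failure: treat as "no match"
            candidates = set()
    # Always connect to the IP the client dialled; only a reply from an address
    # that DNS confirms for the Host name may enter the shared cache.
    return Decision(str(dst), dst in candidates)

if __name__ == "__main__":
    for dst, host in [("192.0.2.10", "www.example.com"),
                      ("1.1.1.1", "www.example.com:80")]:
        print(dst, host, decide(dst, host, sample_resolver))
```

With this policy the "test my google on IP 1.1.1.1" case still reaches 1.1.1.1, but its reply never becomes the cached object that other clients receive for that Host name.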