On Sun, 2007-11-11 at 20:04 +0900, Adrian Chadd wrote:
> It shouldn't be difficult to patch Squid-2.6 to use the original destination IP
> if required (if there isn't one already!) but I'm not sure how to work around
> the cache poisoning. Henrik, any ideas?

Steven did something in that direction in 2.HEAD, making it use the client provided IP if the DNS lookup fails. Not merged to 2.6 as it's not yet fully reviewed, and a new feature.. have a feeling it should be replaced with a new http_port option.

I guess that can be tweaked to fall back on the client provided IP if that IP is not in the set of IPs returned by DNS, but cache would still be a bit of an issue.

Another path would be to add another http_port flag making intercepted requests on that http_port always use the original destination IP and include that in the cache key. This smells more secure, but will not be very good for the cache..

Regards
Henrik
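
A toy model of the two options discussed in the message above, added here as an illustration; it is not Squid code and does not come from the thread's participants. The `always_orig_dst` flag, the host name, the addresses and the response bodies are constructed assumptions.

```python
# Added illustration, not Squid code. Hosts, addresses and bodies are constructed.
DNS = {"www.example.com": {"192.0.2.10", "192.0.2.11"}}
ORIGINS = {  # what each IP serves for the requested URL
    "192.0.2.10": "genuine",
    "192.0.2.11": "genuine",
    "198.51.100.7": "other",   # reachable, but not in the DNS set for the host
}


class InterceptProxy:
    def __init__(self, always_orig_dst):
        # always_orig_dst models the hypothetical http_port flag.
        self.always_orig_dst = always_orig_dst
        self.cache = {}
        self.hits = 0

    def upstream(self, host, orig_dst):
        resolved = DNS.get(host, set())
        if self.always_orig_dst or orig_dst not in resolved:
            return orig_dst            # flag set, or fallback on client's IP
        return min(resolved)           # DNS agrees: any resolved IP will do

    def cache_key(self, url, orig_dst):
        # With the flag, the entry is bound to the destination it came from.
        return (url, orig_dst) if self.always_orig_dst else (url,)

    def handle(self, host, path, orig_dst):
        url = f"http://{host}{path}"
        key = self.cache_key(url, orig_dst)
        if key in self.cache:
            self.hits += 1
            return self.cache[key]
        body = ORIGINS[self.upstream(host, orig_dst)]
        self.cache[key] = body
        return body


def replay(always_orig_dst):
    """Replay three constructed intercepted requests for the same URL."""
    proxy = InterceptProxy(always_orig_dst)
    dsts = ["198.51.100.7", "192.0.2.10", "192.0.2.11"]
    bodies = [proxy.handle("www.example.com", "/", d) for d in dsts]
    return bodies, proxy.hits


if __name__ == "__main__":
    print("DNS fallback, URL-only key:", replay(False))
    print("orig-dst flag, keyed by IP:", replay(True))
```

With the URL-only key, the entry stored from the address outside the DNS set is served to the two later clients (two hits); with the destination in the key, each client gets what its own destination serves, at the cost of zero hits across the three requests.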