Mon 2009-08-17 at 10:42 +0200, Matus UHLAR - fantomas wrote:

> I say that again: by using such a feature any client could poison your cache
> by connecting to the IP address of a malicious/broken server, requesting _any_
> URI, and your cache would remember the content provided by the server as if
> it really was the URI.

There are ways to dissolve the poisonous effect. Requires a little effort,
but doable.

> > This causes the Cisco router to redirect the response to the other
> > Squid server which just drops it.
>
> I think that is a bad configuration on DNS or your network.

No. It's a natural consequence of TPROXY+WCCPv2 balancing based on
requested IP, with separate DNS lookups done by the client & Squid.

You can limit some of it by DNS server hackery to implement IP pinning in
the DNS server, but not eliminate it.

> Or maybe you should properly set up the hosts file on the machine squid is
> running on so it would not connect to the other squid.

The problem is not the Squids or their hosts table; the problem is that
Squid MAY select another destination IP than the client requested, which
causes a mismatch in return traffic redirection when using TPROXY.

TPROXY with multiple proxies balanced on destination IP only works if the
proxy always selects the exact same destination IP as the client originally
did.

The workaround is simple, but not without drawbacks: don't balance on the
destination IP, balance on the client IP instead.

The solution is to extend Squid to connect to the requested IP on
intercepted requests, but that requires some extra validations to avoid
cache poisoning.

Regards
Henrik
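The mismatch Henrik describes, and the validation he says the third option needs, modelled in a small Python script. This is an added illustration written for this page, not code from Squid, Cisco or anyone in the thread. The bucket function (a modulo over the address instead of WCCPv2's 256-bucket hash table), the proxy names, the client and origin addresses, the DNS answers and the Host-verification rule are all constructed assumptions for the example.

```python
"""Two-proxy model of WCCPv2 + TPROXY traffic redirection.

Constructed example.  The router assigns each packet to a proxy by hashing
one address field.  The forward service (client -> origin) and the reverse
service (origin -> client) must land the same TCP flow on the same proxy,
or the reply arrives at a box that has no socket for it and drops it.
"""
import ipaddress
from dataclasses import dataclass

PROXIES = ("squid-a", "squid-b")  # constructed: members of one WCCP service group


def bucket(ip: str) -> str:
    """Stand-in for the WCCP bucket table: map one address to one proxy.

    Real WCCPv2 hashes into 256 buckets that the router assigns to proxies;
    a plain modulo over the integer address keeps the arithmetic visible.
    """
    return PROXIES[int(ipaddress.ip_address(ip)) % len(PROXIES)]


@dataclass
class Outcome:
    forward_proxy: str   # proxy that received the client's SYN from the router
    return_proxy: str    # proxy that received the origin server's reply packets
    delivered: bool      # True only when both are the same box


def intercept(client_ip: str, client_dst: str, squid_dst: str,
              balance_on: str) -> Outcome:
    """Model one intercepted flow.

    client_dst: the origin IP the client resolved and sent its SYN to.
    squid_dst:  the origin IP Squid resolved and actually connected to
                (with TPROXY the outgoing source address is the client's).

    balance_on="dst":    forward service hashes the packet destination (origin
                         IP chosen by the client); reverse service hashes the
                         packet source (origin IP chosen by Squid).  These
                         differ whenever the two resolvers picked different
                         A records.
    balance_on="client": forward hashes the source (client), reverse hashes
                         the destination (the spoofed client address), so the
                         origin IP never enters the decision.
    """
    if balance_on == "dst":
        fwd, ret = bucket(client_dst), bucket(squid_dst)
    elif balance_on == "client":
        fwd, ret = bucket(client_ip), bucket(client_ip)
    else:
        raise ValueError(f"unknown balancing key {balance_on!r}")
    return Outcome(fwd, ret, fwd == ret)


# Constructed DNS data: one name with two A records.  The client and Squid
# resolve it independently, so each may pick a different one.
DNS = {"www.example.com": ["192.0.2.10", "192.0.2.11"]}


def resolve(host: str) -> list[str]:
    """Constructed resolver; a real proxy would query its own DNS here."""
    return DNS.get(host, [])


def may_cache(host: str, client_dst: str) -> bool:
    """Guard for "connect to the IP the client asked for".

    Constructed rule: a reply fetched from the client's original destination
    is cacheable under the Host name only if that destination is one of the
    addresses the proxy's own resolver returns for the name.  Without this,
    a client could open a TCP connection to any server it likes and have the
    reply stored under any URL.
    """
    return client_dst in resolve(host)


if __name__ == "__main__":
    client, a, b = "10.0.0.5", DNS["www.example.com"][0], DNS["www.example.com"][1]
    for key in ("dst", "client"):
        o = intercept(client, a, b, key)
        print(f"balance_on={key:6s} forward={o.forward_proxy} "
              f"return={o.return_proxy} delivered={o.delivered}")
    print("cache from 192.0.2.10:", may_cache("www.example.com", "192.0.2.10"))
    print("cache from 198.51.100.7:", may_cache("www.example.com", "198.51.100.7"))
```

Running it with balancing on the destination IP shows the forward SYN landing on one proxy and the origin's reply on the other whenever the client and Squid chose different A records; with balancing on the client IP the same flow always stays on one proxy regardless of which origin address Squid picked. The `may_cache` check is the kind of validation the last paragraph of the message refers to: it lets the proxy honour the client's chosen destination while refusing to store a reply from an address the Host name does not resolve to.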