Search squid archive

Re: no tproxy setting only if direct access

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 21/07/11 20:55, Mikio Kishi wrote:
Hi,

I think that it's convenient to apply no-tproxy setting only if direct
accessing using tproxy. (For example, when we would like to do tproxy
only if cache peer access)
The image is similar to the "no-tproxy" of "cache_peer". Just like the
following

  tproxy_direct on/off (default on)


Problems:
 * broken IP-based security assumptions on popular websites (ie hotmail)
* transparent/invisible proxy machine becomes visible to remote server systems
 * proxy targeted DoS attacks become easy
 * all NAT problems are re-enabled


What benefits do you see this having?


Noting that the no-tproxy option on cache_peer exists to prevent a handful of triangular-routing and security trust issues when passing traffic between peers. Which do not occur on DIRECT traffic unless the network routers or Squid have been badly configured.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.14
  Beta testers wanted for 3.2.0.9


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux