On 21/07/11 20:55, Mikio Kishi wrote:
> Hi,
>
> I think it would be convenient to be able to apply a no-tproxy setting
> only to direct access when using tproxy. (For example, when we would
> like to do tproxy only for cache peer access.)
> The idea is similar to the "no-tproxy" option of "cache_peer", just like
> the following:
>
>   tproxy_direct on/off (default on)


Problems:
 * broken IP-based security assumptions on popular websites (i.e. hotmail)
 * transparent/invisible proxy machine becomes visible to remote server systems
 * proxy-targeted DoS attacks become easy
 * all NAT problems are re-enabled


What benefits do you see this having?


Noting that the no-tproxy option on cache_peer exists to prevent a handful of triangular-routing and security trust issues when passing traffic between peers, which do not occur on DIRECT traffic unless the network routers or Squid have been badly configured.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.14
  Beta testers wanted for 3.2.0.9
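For readers following the thread, the following squid.conf fragment is an added illustration of the mechanism Amos refers to, not configuration from either poster: TPROXY is enabled on the intercept port, so DIRECT connections spoof the client's address, while the existing `no-tproxy` option on `cache_peer` makes Squid use its own outbound address toward the peer. The proposed `tproxy_direct` directive from the first message is not part of Squid and is deliberately not used here; the peer hostname, ports and the ACL domain are constructed placeholders.

```squid
# Intercepted client traffic arrives here; "tproxy" makes Squid spoof the
# client's source IP on outbound connections. The matching iptables/ip rule
# setup that Squid's TPROXY documentation requires is not shown.
http_port 3129 tproxy

# Constructed placeholder parent. "no-tproxy" tells Squid to connect to this
# peer from its own IP instead of the spoofed client IP, which avoids the
# triangular-routing and trust problems that arise between peers.
cache_peer parent.example.invalid parent 3128 0 no-query no-tproxy default

# Constructed example: only this internal domain goes DIRECT (and therefore
# still uses TPROXY); everything else is forced through the peer.
acl direct_only dstdomain .example.internal
always_direct allow direct_only
never_direct allow all
```

With this layout the peer never sees spoofed client addresses, and the DIRECT path keeps the client-IP behaviour that TPROXY exists to provide, so the per-peer option already covers the case the first message describes without adding a global switch.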
