Hi, Amos

Squid can be used in many ways. In my opinion, if squid users can control tproxy off/on not only on a port basis (e.g. http_port XXXX tproxy) but also on an ACL basis, it simply becomes more convenient.

Sincerely,

--
Mikio Kishi

On Thu, Jul 21, 2011 at 7:46 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 21/07/11 20:55, Mikio Kishi wrote:
>>
>> Hi,
>>
>> I think that it's convenient to apply the no-tproxy setting only when
>> accessing directly while using tproxy. (For example, when we would like
>> to do tproxy only for cache peer access.)
>> The idea is similar to the "no-tproxy" option of "cache_peer". Just like
>> the following:
>>
>> tproxy_direct on/off (default on)
>>
>
> Problems:
> * broken IP-based security assumptions on popular websites (i.e. Hotmail)
> * transparent/invisible proxy machine becomes visible to remote server
>   systems
> * proxy-targeted DoS attacks become easy
> * all NAT problems are re-enabled
>
>
> What benefits do you see this having?
>
>
> Noting that the no-tproxy option on cache_peer exists to prevent a handful
> of triangular-routing and security trust issues when passing traffic between
> peers, which do not occur on DIRECT traffic unless the network routers or
> Squid have been badly configured.
>
> Amos
> --
> Please be using
>   Current Stable Squid 2.7.STABLE9 or 3.1.14
>   Beta testers wanted for 3.2.0.9
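For reference, the two knobs the thread refers to (the per-port `tproxy` flag on `http_port` and the per-peer `no-tproxy` option on `cache_peer`) look like this in a squid.conf fragment. This is an added illustration, not configuration from either poster; the port number, peer hostname and ACL names are assumed placeholders, and the packet-marking/routing rules on the host that make TPROXY work are outside this fragment.

```conf
# Intercepted traffic arrives here; "tproxy" makes Squid spoof the client's
# source IP on its outgoing connections (full transparency).
http_port 3129 tproxy

# Ordinary, explicitly configured clients keep using the normal port, which
# never spoofs source addresses.
http_port 3128

# Upstream peer (hostname assumed). "no-tproxy" tells Squid to use its own
# address when talking to this peer, avoiding the triangular-routing and
# trust problems Amos mentions when spoofed traffic is passed between peers.
cache_peer parent.example.net parent 3128 0 no-query no-tproxy

# Decide per ACL which destinations go through the peer and which go DIRECT.
# Only the peer side can currently have tproxy switched off; DIRECT traffic
# from the tproxy port always keeps the client's address.
acl via_peer dstdomain .example.org
cache_peer_access parent.example.net allow via_peer
cache_peer_access parent.example.net deny all
always_direct deny via_peer
always_direct allow all
```

Reading the fragment alongside the thread: the proposed `tproxy_direct` directive does not exist in Squid; today the only way to keep a given flow from being spoofed is to receive it on a non-tproxy port or to send it to a peer marked `no-tproxy`.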