Re: no tproxy setting only if direct access

On 22/07/11 15:22, Mikio Kishi wrote:
> Hi, Amos
>
>> Squid can be used in many ways.
>
> Yes.
>
> In my opinion, if squid users can control tproxy off/on not only on a port basis
> (e.g. http_port XXXX tproxy) but also on an ACL basis, it purely becomes
> more convenient.

"rm -rf /*" is also a very convenient way to free up disk space on Unix systems. Convenience does not mean it is a safe or good thing to do.

I pointed out the problems it would create. So far nobody has presented a need that requires it to be done.

> On Thu, Jul 21, 2011 at 7:46 PM, Amos Jeffries wrote:
>> On 21/07/11 20:55, Mikio Kishi wrote:
>>
>>> Hi,
>>>
>>> I think that it's convenient to apply a no-tproxy setting only for direct
>>> access when using tproxy. (For example, when we would like to use tproxy
>>> only for cache peer access.)
>>> The image is similar to the "no-tproxy" option of "cache_peer", just like the
>>> following:
>>>
>>>   tproxy_direct on/off (default on)
>>
>> Problems:
>>   * broken IP-based security assumptions on popular websites (i.e. hotmail)
>>   * transparent/invisible proxy machine becomes visible to remote server systems
>>   * proxy-targeted DoS attacks become easy
>>   * all NAT problems are re-enabled
>>
>> What benefits do you see this having?
>>
>> Noting that the no-tproxy option on cache_peer exists to prevent a handful
>> of triangular-routing and security trust issues when passing traffic between
>> peers, which do not occur on DIRECT traffic unless the network routers or
>> Squid have been badly configured.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.14
  Beta testers wanted for 3.2.0.9
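For readers following the thread: an added squid.conf fragment (not from either poster) showing how the existing options already combine, with the peer hostname, ports and ACL network as assumed placeholders. Intercepted traffic spoofs the client's source address on DIRECT connections, while requests steered by ACL to the parent peer use the peer's no-tproxy setting and leave from Squid's own address.

```conf
# Intercept port. 'tproxy' makes Squid open outgoing DIRECT connections
# with the client's source address; this also needs the kernel-side
# TPROXY routing/iptables setup, which is outside this fragment.
http_port 3129 tproxy

# ACL selecting the traffic that must go via the parent (assumed value).
acl via_parent dst 203.0.113.0/24

# Parent peer. 'no-tproxy' means connections to this peer carry Squid's
# own address, avoiding the triangular-routing / trust problems that
# spoofed addresses cause between peers. DIRECT traffic is unaffected.
cache_peer parent.example.internal parent 3128 0 no-query no-tproxy
cache_peer_access parent.example.internal allow via_parent
cache_peer_access parent.example.internal deny all

# Force the selected traffic through the peer; everything else goes
# DIRECT and is still spoofed, keeping the proxy invisible to origin
# servers, which is the behaviour Amos argues should remain.
never_direct allow via_parent
never_direct deny all
```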

