On 30/07/11 00:30, Andrew Rogers wrote:
> Should I always trust these kind of connections and let them go direct
> if the connection has authentication against it with a possible
> statement of:-
>
> always_direct allow CONNECT auth
CONNECT requests are absolutely not trustworthy. The one exception we have to make by
default is port 443 because HTTPS requests need it to transmit the SSL data.
You are free to extend that list to allow known application ports, just be
careful.
> So would I need to specify a direct allow for CONNECT & SSL_ports then
> something along the line of
_need_ to? no.
> always_direct allow CONNECT SSL_ports auth
>
> ?
>
> Is it then generally better to have SSL traffic using CONNECT go
> direct and not be sent to a cache_peer?
>
> I had one question thrown at me about whether, if we did let SSL traffic go
> direct, people would be able to log into porn sites, as this
> would have bypassed DG for content filtering. Would this be true, or
> would this not be the case as they would usually have to connect via an
> http page first?
Only if your porn control is based solely on the domain name. CONNECT
never even sees the paths, so regexes against those will always fail.
If DG filters were all domain-based and could successfully filter
CONNECT I would question why you bother with DG and the fancy config
instead of just using squid dstdomain ACLs.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.14
Beta testers wanted for 3.2.0.10
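A worked squid.conf fragment illustrating the advice in this thread (added here as an example, not config from the original mail; the ACL names CONNECT, SSL_ports and auth match the ones discussed, while the cache_peer address and the proxy_auth helper are placeholders you would replace):

```conf
# --- ACL definitions (names as used in the thread) ---
acl SSL_ports port 443              # the one CONNECT port allowed by default
acl CONNECT method CONNECT
acl auth proxy_auth REQUIRED        # assumes an auth_param helper is configured

# --- Weak setting from the question: sends ANY authenticated CONNECT direct,
#     to any port, bypassing the cache_peer entirely. Not recommended. ---
# always_direct allow CONNECT auth

# --- Tighter setting: CONNECT only to port 443, and only when authenticated.
#     ACLs on one line are ANDed, so all three must match. ---
http_access deny CONNECT !SSL_ports    # refuse tunnels to non-HTTPS ports outright
http_access allow auth
http_access deny all

always_direct allow CONNECT SSL_ports auth
# Everything else (plain HTTP) still goes through the filtering peer.
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest   # placeholder DG peer

# Note: a direct CONNECT exposes only the destination host:port to Squid,
# never the URL path, so only dstdomain-style ACLs can filter it here:
# acl blocked_ssl dstdomain "/etc/squid/blocked_ssl_domains.txt"
# http_access deny CONNECT blocked_ssl
```

Reload with `squid -k reconfigure` and confirm with `squid -k parse` that the ACL names resolve before relying on the rule.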