On 28.02.2012 01:08, Warren Baker wrote:
> On Mon, Feb 27, 2012 at 12:58 PM, Amos Jeffries wrote:
>> It is best to consider interception an action of last resort, for
>> this and many other reasons.
>
> yeah of course.
>
>> 3.2.0.15+ will do a soft-fail type behaviour, which allows the request
>> through but does not allow caching of the response and only relays the
>> original destination IP. Which hides the problems from client visibility,
>> at cost of some cache HITs.
>
> ok interesting - I assume this will be some config option?

Not as such.
There is a host_verify_strict directive to *increase* the number of
things validated, including forward-proxy traffic. It is off by
default, so only the minimal checks are done.
The risk of turning this off entirely is cache poisoning, which
immediately spreads infection across the whole network. Since the action
vector to do the initial infection is so trivial (a client running a
website script can do it without knowing), that is too much risk to
allow configuration.
Amos
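
The soft-fail described in this thread can be modelled in a few lines. This is an added example, not Squid's code and not part of the original message: the DNS table, `demo_fetch`, and the class and function names are constructed for illustration, and having mismatched requests skip cache lookup entirely is a modelling assumption.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed DNS view using documentation address ranges (assumption).
DNS = {"www.example.com": {"192.0.2.10", "192.0.2.11"}}

@dataclass
class Decision:
    forward_to: str   # IP the proxy connects to
    cacheable: bool   # may the response enter the shared cache?
    reason: str

def verify_intercepted(host_header, orig_dst_ip, dns=DNS):
    """Compare the Host header with the IP the client was really connecting to."""
    host = host_header.split(":")[0].lower().rstrip(".")  # drop optional port
    if orig_dst_ip in dns.get(host, set()):
        return Decision(orig_dst_ip, True, "host-verified")
    # Soft-fail: relay only to the original destination IP, never cache.
    return Decision(orig_dst_ip, False, "host-mismatch")

def demo_fetch(ip, host, path):
    # Constructed stand-in for an origin: the body records which IP answered.
    return f"{host}{path} served by {ip}"

@dataclass
class InterceptingCache:
    fetch: Callable = demo_fetch        # hypothetical fetcher: (ip, host, path) -> body
    store: dict = field(default_factory=dict)

    def handle(self, host_header, path, orig_dst_ip):
        d = verify_intercepted(host_header, orig_dst_ip)
        key = (host_header.split(":")[0].lower(), path)
        if d.cacheable and key in self.store:
            return self.store[key], "HIT"
        body = self.fetch(d.forward_to, host_header, path)
        if d.cacheable:
            self.store[key] = body
            return body, "MISS"
        # Mismatched requests bypass the cache in this model (assumption).
        return body, "MISS_NOCACHE"

if __name__ == "__main__":
    cache = InterceptingCache()
    # A client whose Host header does not match its destination IP.
    print(cache.handle("www.example.com", "/app.js", "203.0.113.66"))
    # Other clients still get the object from an address DNS vouches for.
    print(cache.handle("www.example.com", "/app.js", "192.0.2.10"))
    print(cache.handle("www.example.com", "/app.js", "192.0.2.11"))
```

Without the `cacheable` gate, the first request's body would be stored under the `www.example.com` key and served to every later client, which is the poisoning the message refers to.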