On 8/7/2012 10:59 AM, Amos Jeffries wrote:
> Important changes to note in this release:
>
> * As you should know CVE-2009-0801 security vulnerability protection was added in 3.2 series. Earlier betas attempted to protect peer caches as well as themselves, by blocking relay of untrusted requests until we could implement a safe relay. Due to time constraints this extra layer of peer protection has been REMOVED from 3.2 default builds.
>
> Interception cache proxies are themselves well protected against the vulnerability, but can indirectly poison any cache hierarchy they are integrated with. The -DSTRICT_HOST_VERIFY compile-time flag can be defined in CXXFLAGS to re-enable this peer protection if desired. Its use is encouraged, but will result in problems for some popular configurations, i.e. ISP interception proxy gatewaying through a cache array, matrix of interception proxies as siblings.
>
> Use of the client destination IP (ORIGINAL_DST) is still preferred for untrusted requests, so if your proxy is backed by a firewall denial please ensure that the rules are REJECT rules rather than DROP for best performance. never_direct does not affect this routing preference as it does for DIRECT traffic.
I want to verify because I'm a bit confused. Can an intercepted request be forwarded to a cache_peer in any way?

Thanks,
Eliezer

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il