On 8/10/2012 2:32 PM, Amos Jeffries wrote:
On 10/08/2012 10:54 p.m., Eliezer Croitoru wrote:
On 8/9/2012 4:47 AM, Amos Jeffries wrote:
On 09.08.2012 12:32, Eliezer Croitoru wrote:
On 8/9/2012 2:16 AM, Amos Jeffries wrote:
Releases 3.2.0.14->3.2.0.18 have a standing block preventing requests with conflicting destination IP and destination domain name being passed to peers.
Release 3.2.0.19 loosens that block to allow it, but only if the client's original destination IP (ORIGINAL_DST) is non-contactable by the proxy.
BUT, ... checking your config file there is a bigger problem, and a
relatively large amount of useless ACL checks ...
And let's say I want to loosen it a bit more?
How much more?
to relay known dangerous traffic to peers as if it were safe?
or just to obey never_direct?
Flag it as safe... because it is a local one that is safe.
I am talking only about HTTP traffic and not HTTPS.
Please try 3.2.0.19 with this extra patch:
http://ww.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11644.patch
the link should be:
http://www.squid-cache.org/Versions/v3/3.2/changesets/squid-3.2-11644.patch
And it works like a charm. :)
Now I noticed that the url_rewrite_concurrency was changed and it's nice.
Maybe an option can be added to the build of 3.2 to use some safety modes on cache_peer? Or maybe a flag that will mark cache_peer as safe?
Thanks,
Eliezer
It removes the preference bias for ORIGINAL_DST over peers.
Amos
--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il