On 10/23/2013 07:55 AM, Amos Jeffries wrote:
> On 24/10/2013 1:47 a.m., Plamen wrote:
>> how to disable squid resolving every request if it is running in TPROXY
>> mode?

> If you are planning to use cache storage at all this is not a good
> choice.

Agreed. However, it is possible to make caching work safely (but not efficiently) by telling Squid to associate the cache entry with the client-provided IP in addition to all the other things like the domain name and the URL path. This would be an optional feature available to transparent deployments where client DNS server(s) cannot be made identical to Squid DNS server(s).

>> Technically squid doesn't need to do dns resolving in this mode of
>> operation so probably there is a way to configure this.
>
> Technically Squid *does* need to do this resolving if Squid is going to
> do its job and locate the fastest possible source.

AFAICT, the optional "fastest possible source" optimization may not be very important in this particular case. Delivering a valid response to the client is. In some cases, neither would be possible, but I suspect there are deployments where Squid can reach the client-resolved origin server even if it cannot resolve its name.

> The semi-random IP
> choice made by the client is based on client capabilities and network
> view which are all irrelevant on the proxy upstream connection. Beyond
> that the DNS is used to validate the client is trustworthy enough to
> cache their traffic and re-use for others.

I agree that cache safety is a major concern here. If the feature discussed above is implemented, Squid cache will remain safe because Squid will refuse to serve previously cached entries with name:IP mapping different from that of the requesting client, right?

Store ID offers a partial solution here if Squid is configured to send client-provided destination IP address to the Store ID helper. Alternatively, Squid can add IP addresses to store keys internally when this feature is enabled.

The other missing piece would be to disable DNS queries (and caching of their results) in Squid in favor of the client-provided destination IP address. It may be difficult to implement all of this neatly, but probably not impossible.

HTH,

Alex.
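
The Store ID approach described in the message above, as an added example that is not part of the original message and not Squid's own code: a helper that folds the client-provided destination IP into the store ID, so two clients that resolved the same name to different addresses never share a cache entry. It assumes Squid runs the helper without concurrency (no channel-ID prefix) and is configured to pass the destination IP as the first token after the URL; the `dst-<ip>` label and the function names are hypothetical.

```python
#!/usr/bin/env python3
"""Store ID helper: bind each cache entry to the destination IP the client chose.

Assumptions (not from the original message): one request per line in the form
"URL DST_IP [ignored extras]", no channel-ID prefix, replies "OK store-id=..." or "ERR".
"""
import ipaddress
import sys
from urllib.parse import urlsplit, urlunsplit


def store_id_for(url, dst_ip):
    """Return a store ID that differs whenever the name:IP mapping differs."""
    ip = ipaddress.ip_address(dst_ip)            # ValueError on anything but an IP
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported URL")
    # Colons are replaced so IPv6 literals cannot be confused with a port separator.
    name = parts.hostname.lower().replace(":", "-")
    tag = ip.compressed.replace(":", "-")
    host = "%s.dst-%s.squid.internal" % (name, tag)
    if parts.port:
        host += ":%d" % parts.port
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))


def handle_line(line):
    """Map one helper request line to one helper reply line."""
    fields = line.split()
    try:
        return "OK store-id=" + store_id_for(fields[0], fields[1])
    except (IndexError, ValueError):
        # ERR leaves the store ID unchanged, so such a request is keyed by URL
        # alone; treat ERR replies as something to alert on, not to ignore.
        return "ERR"


if __name__ == "__main__":
    for request in sys.stdin:
        sys.stdout.write(handle_line(request) + "\n")
        sys.stdout.flush()                       # Squid waits for each reply
```

This only covers the cache-key half of the idea; disabling Squid's own DNS lookups, the other missing piece named in the message, is outside what a helper can do.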