Search squid archive

Re: Re: SQUID in TPROXY - do not resolve

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 31/10/2013 7:52 a.m., Dr.x wrote:
hi amos ,

my request is ,
i dont want to install squidguar don my machine , i want to use dns of squid
except of that

i mean i want to direct squid to norton dns , and in this case if the dns of
clients and squid didnt match ,
the website or the request of client must be blocked !

iive tried :

client_dst_passthru off
host_verify_strict on

but no luck ,  the client  still can bypass the webfiltering  !!!!
?? with host_verify_strict on any client who fails the verification gets an error page. They are not permitted through by Squid. Not even to receive HITs.

Are you certain these clients were using HTTP and not using some other protocol such as SPDY, WebSockets, or CoAP? or somehow bypassing the interception itself?

i  mean it is supposed that client visit the  destination ip result from
squid dns resovling , not the ip result from its resolving !!


but uptill now , althoug i put the two directives above, the client still
visit the ip resulted from its dns resolving !

"client_dst_passthru off" only means that Squid is *allowed* to use other IPs if it needs to, it does not have to (and what happens when the site only has 1 IP anyway?). To improve transparency and reliability of any assumptions the client application is making Squid uses it anyway after verification.

Note that for verify to succeed Squid MUST have resolved that IP as one of the hosts legitimate IPs - so it was probably going to be used by Squid and called "DIRECT" anyway. The only difference between ORIGINAL_DST and DIRECT when verify succeeds is the risk of client-server application level systems breaking (none when ORIGINAL_DST is used, some small risk when DIRECT is used).

Amos




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux