On 13/03/2015 1:52 a.m., Klavs Klavsen wrote:
> I'd rather not have to route everything (incl. normal ingoing web
> traffic) through the squid box.. and the firewalls are proprietary stuff
> - so can't install squid there :)

You don't; port 80 TCP is all that *needs* it, and only for the traffic from clients you want to go through Squid.

If you are passing outgoing web traffic through Squid the responses (incoming) have to come back through it. If you have external stuff making requests to internal servers, that can be left alone in the same way Squid's outgoing traffic is.

Are we talking more or less than 100Mbps of port 80 traffic here?

> It works fine in accel mode.. and I can limit what urls each client ip
> is able to access, and disable caching..
>
> Shouldn't accel mode, for this use case (curl access from websites - all
> using http/1.1 with host header) be good enough - or are there security
> issues I am not aware of?

You guessed it. CVE-2009-0801 - the Host header is not trustworthy.

accel/reverse-proxy mode has no protection at all, since the upstream servers are expected to be explicitly configured or the allowed domains restricted to those hosted by the CDN the proxy is part of.

... and the Host header is not always present, though that case has declined a lot in the past few years.

> I realize I move the DNS lookup to the squid box - but that's actually
> what I want in this case.

Actually you will need two DNS lookups to be happening if you use accel. Only the intercept mode with NAT lookups has the ability to avoid the second one by using ORIGINAL_DST.

accel mode normally avoids the second DNS lookup by having the upstream servers explicitly configured. You don't want to do that manually for every Internet server in existence, so forcing a DNS lookup with "always_direct allow all" is required.

Routing's your friend, really :-)

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
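The two deployments contrasted in the message above, written out as an added squid.conf example. This is not configuration from either poster or from the Squid project; the client addresses 10.0.0.5 and 10.0.0.6, the port numbers and the domain names are hypothetical, and the directives are used as documented for Squid 3.2 and later.

```conf
# ---- (a) The setup the original poster describes: accel (reverse-proxy)
#          mode with "vhost", so the client-supplied Host header alone
#          decides which upstream server Squid contacts.
http_port 3128 accel vhost

# In accel mode the upstream servers would normally be listed explicitly
# with cache_peer. That is impractical for arbitrary Internet destinations,
# so force Squid to do its own DNS lookup of whatever Host the client sent.
always_direct allow all

# Per-client restriction of the sites that may be requested. The domain
# matched by dstdomain here is taken from the Host header, which in accel
# mode nothing else corroborates (the CVE-2009-0801 point above).
acl webserver_a src 10.0.0.5/32
acl webserver_a_sites dstdomain api.example.com payments.example.net
acl webserver_b src 10.0.0.6/32
acl webserver_b_sites dstdomain .partner.example.org
http_access allow webserver_a webserver_a_sites
http_access allow webserver_b webserver_b_sites
http_access deny all

# The poster disables caching.
cache deny all

# ---- (b) The alternative recommended in the reply: interception mode.
#          Port 80 TCP from the same clients is routed/NATed to this port
#          on the Squid box; the firewalls themselves run nothing new.
http_port 3129 intercept

# In intercept mode Squid also has the NAT original destination
# (ORIGINAL_DST) and checks the Host header against it. With strict
# verification on, a request whose Host does not match the address the
# client was actually connecting to is rejected with HTTP 409 and logged,
# instead of being forwarded to wherever the Host header points.
host_verify_strict on
```

The http_access rules are shared by both listening ports, so the per-client site lists apply either way; the difference is only what backs the domain being checked. In (a) the proxy has nothing but the Host header, so a client that can reach port 3128 controls the destination outright. In (b) the NAT lookup supplies the real destination, and a forged Host is caught by the verification rather than trusted.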