On 4/07/2015 8:02 p.m., Stakres wrote: > Hi Amos, > > We did tons of tests with the latest Squid versions and this is not the > behaviour with the "host_verify_strict off" and "client_dst_passthru off". > With those 2 options OFF, we see a lot of ORIGINAL_DST that we should not > see if we follow your explainations, so it seems there is a bug somewhere ? > Such as? Enable debug_options 85,3 to see host verify checks and results in action. > Can you check from your side (tproxy or not, same behaviour), thanks in > advance. The tests I have all work as expected, including malware PoC... When verify passes Squid goes DIRECT (client_dst_passthru off) or ORIGINAL_DST (client_dst_passthru on). With caching allowed. When verify fails Squid goes ORIGINAL_DST or NONE (409 rejection). With caching blocked. Non-intercepted traffic does not get verified by default (host_verfy_strict off). Verified non-intercepted traffic (host_verify_strict on) with URL and Host header containing identical content is treated normally. 409 rejection for all other. Amos _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users