
Re: ssl-bump and accel


1. You're forgetting I only refer specific traffic using /etc/hosts to squid.
2. What do you suggest? I want to use the SNI as the direction of the traffic, not the forwarded IP address.

On Sun, Jan 10, 2016 at 6:30 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 9/01/2016 7:48 a.m., Nir Krakowski wrote:
> This is what needs to be done to get it to work in squid >3.5 in function
> ClientRequestContext::hostHeaderIpVerify(const ipcache_addrs* ia, const
> Dns::LookupDetails &dns):
>

Hell NO!!!!

clientConn is the state data about the TCP connection the message
arrived on. HTTP and SSL-Bump in no way alter the reality of what
src/dst IPs those TCP packets contain.

There may be a bug needing a fix, but it absolutely is not that patch.


By applying that patch you are allowing a remote sender to both bypass
all your Squid protections, and any network firewall security you may
have external to Squid. While simultaneously recording in your Squid
logs any value of its choosing for the destination IPs of its attack
traffic.

Amos


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
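The point Amos makes above is that the TCP connection's real destination address is the only thing the proxy can trust, and the client-supplied name (Host header or TLS SNI) must be checked against it rather than replace it. The following added example is not Squid's code and not from this thread; it is a simplified illustration of that kind of destination check. `FAKE_DNS`, `resolve`, `InterceptedConn`, `verify_destination` and `log_entry` are all constructed for the example, and the hostname/address pairs are made-up sample data.

```python
from dataclasses import dataclass

# Constructed stand-in for DNS so the example runs offline:
# hostname -> addresses it resolves to.
FAKE_DNS = {
    "www.example.com": ["93.184.216.34"],
    "intranet.example.internal": ["10.0.0.5"],
}


def resolve(host: str) -> list[str]:
    """Hypothetical resolver; a real proxy would consult its DNS cache."""
    return FAKE_DNS.get(host.strip().lower(), [])


@dataclass
class InterceptedConn:
    """State of one intercepted TCP connection (assumed shape, not Squid's)."""
    src_ip: str
    dst_ip: str            # real destination taken from the TCP connection
    dst_port: int
    requested_host: str    # Host header or SNI: chosen by the client, untrusted


def verify_destination(conn: InterceptedConn) -> tuple[bool, str]:
    """Require that the client-supplied name resolves to the address the
    connection actually went to. Returns (allowed, reason)."""
    addrs = resolve(conn.requested_host)
    if not addrs:
        return False, "requested host does not resolve"
    if conn.dst_ip in addrs:
        return True, "requested host resolves to connection destination"
    return False, (f"requested host resolves to {addrs}, "
                   f"but the connection went to {conn.dst_ip}")


def log_entry(conn: InterceptedConn) -> str:
    """Log the verdict while always recording the real TCP destination.
    The client-supplied name is logged as a separate field, so a mismatch
    is visible instead of being hidden behind a forged destination."""
    allowed, reason = verify_destination(conn)
    verdict = "ALLOW" if allowed else "DENY"
    return (f"{conn.src_ip} -> {conn.dst_ip}:{conn.dst_port} "
            f"host={conn.requested_host} verdict={verdict} ({reason})")


if __name__ == "__main__":
    # Constructed sample connections: one consistent, one where the
    # client-supplied name points somewhere other than the real destination.
    samples = [
        InterceptedConn("192.0.2.10", "93.184.216.34", 443, "www.example.com"),
        InterceptedConn("192.0.2.10", "93.184.216.34", 443, "intranet.example.internal"),
        InterceptedConn("192.0.2.10", "93.184.216.34", 443, "no-such-host.invalid"),
    ]
    for s in samples:
        print(log_entry(s))
```

The second sample is the case the thread is about: if the proxy replaced the connection's destination with whatever the name resolves to, the request would be steered to `10.0.0.5` and the log would show that address rather than where the packets really went. Keeping the real `dst_ip` authoritative and only comparing the name against it is what makes the verdict and the log trustworthy.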
