On 22/07/2016 12:00 a.m., Guilherme Scaglia wrote:
> Amos,
>
>> There is a different config example for REDIRECT
>> <http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>
>
> Ty, I'm going to try it using REDIRECT. I was unwilling to follow the DNAT
> guide because of having to enable ip-forwarding in a non-router machine.
> The REDIRECT version seems cleaner and is similar to what I've been doing
> using the embedded proxy on the Mikrotik router.

If that is right I think that is an oversight in the REDIRECT example.

In order to receive packets with the destination IP of another machine, the
Squid machine needs to be configured and operating as a router. You cannot
avoid that either, since non-router machines drop that type of packet at
the interface before iptables even gets to see them.

It does not need to route *all* traffic of course. Just the (port 80 only?)
stuff delivered to it by the Mikrotik.

>
> Antony,
>
>> That won't work. You *must* perform the DNAT on the machine running Squid
>
> Just for curiosity's sake, why is there such a restriction? I thought Squid
> didn't enter the picture until after DNAT was done, and that by then it
> wouldn't know where it happened. Does it somehow query the system to know
> the original request destination? Wouldn't simply relying on the Host
> header of the request suffice?
>

Because CVE-2009-0801.

Using the Host header without verifying that its content is accurate allows
attackers to place arbitrary content in your cache for any URL of their
choice. Resulting in all the nasty side effects you can imagine that ability
allows them. There is/was some active malware as well.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
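An added illustration of the two points Amos makes above, written for this page and not taken from Squid's source: an intercepting proxy recovers the pre-NAT destination from the kernel's conntrack table (Linux `SO_ORIGINAL_DST`, which only exists on the box where the DNAT/REDIRECT happened), and it must check that the client-supplied Host header actually resolves to that destination before using the Host header as the cache key. The `cache_key` function shows the CVE-2009-0801 behaviour (`verify_host=False`: whatever the client wrote in Host wins) beside the verified form. The resolver table and the request bytes are constructed for the example so it runs offline; `original_dst` is real Linux socket API but is not exercised by the offline demo.

```python
import socket
import struct
from typing import Callable, Iterable, Optional, Tuple

# Linux netfilter: conntrack returns the original (pre-NAT) destination of
# an intercepted connection through this getsockopt. It is only available
# on the machine that performed the DNAT/REDIRECT, which is why the NAT must
# be done on the host running the proxy.
SO_ORIGINAL_DST = 80


def original_dst(sock: socket.socket) -> Tuple[str, int]:
    """Return (ip, port) the client really connected to (Linux only)."""
    raw = sock.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    # struct sockaddr_in: family(2) port(2, network order) addr(4) zero(8)
    port, addr = struct.unpack("!2xH4s8x", raw)
    return socket.inet_ntoa(addr), port


def parse_request(raw: bytes) -> Tuple[str, Optional[str]]:
    """Return (request-target, Host header value) from a raw HTTP/1.x request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    return target, host


def cache_key(orig_ip: str,
              raw: bytes,
              resolver: Callable[[str], Iterable[str]],
              verify_host: bool = True) -> Tuple[str, bool]:
    """Decide the URL an intercepted request is stored under and whether the
    response may be cached. orig_ip is what original_dst() returned."""
    target, host = parse_request(raw)
    if not host:
        # No Host header: the only trustworthy authority is the real destination.
        return f"http://{orig_ip}{target}", True
    hostname = host.rsplit(":", 1)[0] if not host.startswith("[") else host
    if not verify_host:
        # CVE-2009-0801 behaviour: the client picks the cache key, so a client
        # connected to an attacker's server can poison http://victim/... entries.
        return f"http://{host}{target}", True
    if orig_ip in set(resolver(hostname)):
        # Host agrees with where the client actually connected: safe to cache
        # under the named URL.
        return f"http://{host}{target}", True
    # Mismatch: serve from the real destination IP, never cache under the name.
    return f"http://{orig_ip}{target}", False


# Constructed resolver table standing in for DNS so the demo runs offline.
FAKE_DNS = {
    "www.example.com": {"93.184.216.34"},
    "attacker.example.net": {"203.0.113.10"},
}


def fake_resolve(name: str) -> Iterable[str]:
    return FAKE_DNS.get(name.lower(), set())


# Constructed request: the client TCP-connected to 203.0.113.10 (attacker's
# server) but claims to be talking to www.example.com.
POISON = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def demo() -> dict:
    return {
        "trusting_host": cache_key("203.0.113.10", POISON, fake_resolve, verify_host=False),
        "verified":      cache_key("203.0.113.10", POISON, fake_resolve),
        "honest_client": cache_key("93.184.216.34", POISON, fake_resolve),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

With `verify_host=False` the attacker-served body is stored as `http://www.example.com/index.html`, which is exactly the poisoning CVE-2009-0801 describes; with verification on, the same request is keyed by the real destination IP and not cached. This is only meaningful if the proxy can ask the kernel for the original destination, hence the DNAT has to happen where Squid runs.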