Henrik Nordstrom wrote:
> Sun 2009-08-16 at 19:17 +1200, Amos Jeffries wrote:
>
>> Aha. Just connect() then? not really bind() or listen()?
>
> Correct. Bind to 0.0.0.0 is "any address".
>
>> I'm thinking that aliasing has already been done before Squid gets such
>> packets at the 'other end'. So that we only see the real localhost IP if
>> it's intercepted. Right?
>
> 0.0.0.0 is not valid for use on the wire. I would expect stacks to
> discard such packets.
>
>> Problem might be DNS on forward proxy traffic, but that's validated out
>> of existence to a NXDOMAIN.
>
> ?
>
>> Leaving only hosts file entries. I know 0.0.0.0 is used to boganize
>> domain names at times. Because it doesn't resolve!
>
>> For the intended use of the ACL as you highlight, yes I agree it's a
>> good change. It may not be good for the reality situation though.
>
> Well, it's the same thing so doesn't matter really.
>
>> What about a bogons ACL for less confusion?
>
> dst 0.0.0.0 is not more bogon than dst 127.0.0.1.
>
Yes it is.
Consider the virtual host setup with DNS views:
foo.example.com -> 1.2.3.4 (when the public checks)
foo.example.com -> 127.0.0.1 (when Squid checks)
Squid listening on 1.2.3.4:80
Apache listening on 127.0.0.1:80
Based on what ACL the admin can see in the config file and what they
need to do, squid.conf very often gets this:
http_access allow to_localhost
cache_peer_access apache allow to_localhost
For this usage 127.* is not a bogon at all.
Yet 0.0.0.0 in its place would be completely insane despite any
trickery the TCP stack might do to cope.
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13

Received on Mon Aug 17 2009 - 02:09:08 MDT
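The split-horizon setup and the two squid.conf lines discussed above, worked through as an added example (not code from the thread or from Squid itself): a minimal first-match evaluator for "http_access allow to_localhost / http_access deny all", run against a constructed pair of DNS views plus a hosts-file entry that maps a name to 0.0.0.0. The resolver contents, the name "blocked.example" and the two candidate CIDR lists for to_localhost are assumptions made for the illustration; it shows that widening the ACL to cover 0.0.0.0 also makes such blackholed names match the "allow" rule.

```python
import ipaddress

# Constructed resolver views mirroring the thread's example: the public view
# hands out the Squid listener's address, the view Squid itself uses hands out
# the Apache loopback address. "blocked.example" stands in for a hosts-file
# entry that maps a name to 0.0.0.0 (an assumed name, not from the thread).
RESOLVER_VIEWS = {
    "public": {"foo.example.com": "1.2.3.4"},
    "squid": {"foo.example.com": "127.0.0.1", "blocked.example": "0.0.0.0"},
}

# Two candidate definitions of the 'to_localhost' dst ACL (assumed for the example).
TO_LOCALHOST_ORIGINAL = ["127.0.0.0/8"]
TO_LOCALHOST_WITH_ANY = ["127.0.0.0/8", "0.0.0.0/32"]


def resolve(name, view):
    """Return the address a given DNS view hands out for name, or None (NXDOMAIN)."""
    addr = RESOLVER_VIEWS[view].get(name)
    return ipaddress.ip_address(addr) if addr else None


def dst_acl_matches(dst_ip, cidrs):
    """'dst' ACL semantics: match when the destination IP falls in any listed prefix."""
    return any(dst_ip in ipaddress.ip_network(c) for c in cidrs)


def http_access(name, view, to_localhost_cidrs):
    """Evaluate, first match wins:
         http_access allow to_localhost
         http_access deny all
       Returns 'allow', 'deny', or 'nxdomain' when the name does not resolve."""
    dst_ip = resolve(name, view)
    if dst_ip is None:
        return "nxdomain"          # no destination address, nothing to match
    rules = [
        ("allow", lambda ip: dst_acl_matches(ip, to_localhost_cidrs)),
        ("deny", lambda ip: True),  # 'all' matches every destination
    ]
    for action, acl in rules:
        if acl(dst_ip):
            return action
    return "deny"                  # unreachable here; mirrors Squid's implicit default


if __name__ == "__main__":
    for acl_name, cidrs in (("original", TO_LOCALHOST_ORIGINAL), ("with 0.0.0.0", TO_LOCALHOST_WITH_ANY)):
        for host in ("foo.example.com", "blocked.example"):
            print(f"{acl_name:13} squid-view {host:16} -> {http_access(host, 'squid', cidrs)}")
```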