Re: [squid-users] no tproxy setting only if direct access

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 21 Jul 2011 22:46:19 +1200

On 21/07/11 20:55, Mikio Kishi wrote:
> Hi,
>
> I think that it would be convenient to apply a no-tproxy setting only to
> direct access when using tproxy. (For example, when we would like to do
> tproxy only for cache peer access.)
> The idea is similar to the "no-tproxy" option of "cache_peer", just like
> the following:
>
> tproxy_direct on/off (default on)
>

Problems:
  * broken IP-based security assumptions on popular websites (i.e. Hotmail)
  * the transparent/invisible proxy machine becomes visible to remote
server systems
  * proxy-targeted DoS attacks become easy
  * all NAT problems are re-enabled

What benefits do you see this having?

Noting that the no-tproxy option on cache_peer exists to prevent a
handful of triangular-routing and security trust issues when passing
traffic between peers, which do not occur on DIRECT traffic unless the
network routers or Squid have been badly configured.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for 3.2.0.9
Received on Thu Jul 21 2011 - 10:53:02 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 22 2011 - 12:00:02 MDT
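For reference, the configuration the thread is discussing, as an added example that is not part of either post. It shows the mechanism Squid already provides: TPROXY client-address spoofing is enabled per http_port, and the existing per-peer `no-tproxy` option of `cache_peer` switches spoofing off only for traffic sent to that peer. The proposed `tproxy_direct` directive is shown commented out because it does not exist in Squid; the peer hostname, ports and the `never_direct` rule are assumptions for illustration.

```conf
# Added example squid.conf fragment (not from the original thread).
# Assumes Squid 3.1+ built with --enable-linux-netfilter and the usual
# iptables/ip rule TPROXY redirection already in place for port 3129.

# Intercepted traffic arrives here; "tproxy" makes Squid spoof the
# client's IP address on the outgoing connection (hence the remote
# server cannot see the proxy, and IP-based server-side assumptions hold).
http_port 3129 tproxy

# Existing per-peer control: connections to this parent are made from
# Squid's own address, not the spoofed client address. Needed when the
# peer's return path would otherwise route past Squid (triangular routing)
# or when the peer must trust the proxy's real address.
# Hostname and port are assumed for this example.
cache_peer parent.example.net parent 3128 0 no-query no-digest no-tproxy

# Assumed policy for the example: send everything through the parent, so
# the only spoofed connections are those Squid would make DIRECT (none
# here). Adjust or remove this if DIRECT fetching is wanted.
never_direct allow all

# The directive proposed in the thread does NOT exist in Squid; it is
# shown only to mark where it would sit. With "off" it would make DIRECT
# fetches use Squid's own address, which is exactly what the reply warns
# against (proxy becomes visible, NAT problems return, DoS target exposed).
# tproxy_direct off
```

Note that with `no-tproxy` the spoofing is disabled only for the peer connection; any request that falls through to DIRECT (for example after `always_direct` or a peer failure) still goes out with the client's source address, which is the behaviour the reply defends as the safe default.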