Re: [squid-users] no tproxy setting only if direct access

From: Mikio Kishi <mkishi_at_104.net>
Date: Fri, 22 Jul 2011 12:22:37 +0900

Hi, Amos

Squid can be used in many ways.
In my opinion, if squid users can control tproxy on/off not only on a port basis
(e.g. http_port XXXX tproxy) but also on an ACL basis, it simply becomes
more convenient.

Sincerely,

--
Mikio Kishi

On Thu, Jul 21, 2011 at 7:46 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 21/07/11 20:55, Mikio Kishi wrote:
>>
>> Hi,
>>
>> I think that it would be convenient to apply a no-tproxy setting only for direct
>> access when using tproxy. (For example, when we would like to do tproxy
>> only for cache peer access.)
>> The idea is similar to the "no-tproxy" option of "cache_peer", just like the
>> following:
>>
>>  tproxy_direct on/off (default on)
>>
>
> Problems:
>  * broken IP-based security assumptions on popular websites (i.e. Hotmail)
>  * transparent/invisible proxy machine becomes visible to remote server
> systems
>  * proxy-targeted DoS attacks become easy
>  * all NAT problems are re-enabled
>
>
> What benefits do you see this having?
>
>
> Note that the no-tproxy option on cache_peer exists to prevent a handful
> of triangular-routing and security trust issues when passing traffic between
> peers. These do not occur on DIRECT traffic unless the network routers or
> Squid have been badly configured.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.14
>  Beta testers wanted for 3.2.0.9
>
Received on Fri Jul 22 2011 - 03:22:45 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 22 2011 - 12:00:03 MDT