Re: [squid-users] no tproxy setting only if direct access

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 22 Jul 2011 16:26:32 +1200

On 22/07/11 15:22, Mikio Kishi wrote:
> Hi, Amos
>
> Squid can be used in many ways.

Yes.

> In my opinion, if squid users can control tproxy on/off not only on a port basis
> (e.g. http_port XXXX tproxy) but also on an ACL basis, it simply becomes
> more convenient.

"rm -rf /*" is also a very convenient way to free up disk space on Unix
systems. Convenience does not mean it is a safe or good thing to do.

I pointed out the problems it would create. So far nobody has presented
a need that requires it to be done.

> On Thu, Jul 21, 2011 at 7:46 PM, Amos Jeffries wrote:
>> On 21/07/11 20:55, Mikio Kishi wrote:
>>>
>>> Hi,
>>>
>>> I think it would be convenient to apply a no-tproxy setting only when
>>> accessing directly using tproxy. (For example, when we would like to do tproxy
>>> only for cache peer access.)
>>> The image is similar to the "no-tproxy" of "cache_peer". Just like the
>>> following
>>>
>>> tproxy_direct on/off (default on)
>>>
>>
>> Problems:
>> * broken IP-based security assumptions on popular websites (i.e. Hotmail)
>> * the transparent/invisible proxy machine becomes visible to remote server
>> systems
>> * proxy targeted DoS attacks become easy
>> * all NAT problems are re-enabled
>>
>>
>> What benefits do you see this having?
>>
>>
>> Noting that the no-tproxy option on cache_peer exists to prevent a handful
>> of triangular-routing and security trust issues when passing traffic between
>> peers. Which do not occur on DIRECT traffic unless the network routers or
>> Squid have been badly configured.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for 3.2.0.9
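For readers following the thread, the control that already exists is port-based `tproxy` on `http_port` plus the per-peer `no-tproxy` option on `cache_peer`. The fragment below is an added illustration of that existing mechanism, not configuration from the thread or from the Squid project; the peer hostname, port numbers, domain and interface details are assumed.

```conf
# Added example (not from the thread): squid.conf fragment for Squid 3.1-era
# TPROXY interception. Hostnames, ports and domains are placeholders.

# Kernel side (assumed standard TPROXY setup, shown here as comments only):
#   ip rule add fwmark 1 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
#   iptables -t mangle -N DIVERT
#   iptables -t mangle -A DIVERT -j MARK --set-mark 1
#   iptables -t mangle -A DIVERT -j ACCEPT
#   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
#   iptables -t mangle -A PREROUTING -p tcp --dport 80 \
#       -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

# Plain forward-proxy port. Clients that configure the proxy explicitly
# arrive here; outbound connections use Squid's own address.
http_port 3128

# Intercepted port. Connections diverted by the TPROXY rule above land
# here, and Squid spoofs the original client's source address on the
# outbound side. Spoofing is a property of the port, not of an ACL.
http_port 3129 tproxy

# Parent peer. no-tproxy makes Squid talk to this peer from its own
# address, so the peer's replies route back to the proxy instead of being
# sent toward the spoofed client address (the triangular-routing problem
# the thread mentions). DIRECT traffic is unaffected and stays spoofed.
cache_peer parent.example.net parent 3128 0 no-query no-tproxy

# Only send selected destinations via the peer; everything else goes
# DIRECT with the client's address preserved.
acl via_parent dstdomain .example.org
cache_peer_access parent.example.net allow via_parent
cache_peer_access parent.example.net deny all
```

Note that the spoofed address only works if the reverse path also passes through the proxy box; if upstream routing delivers server replies somewhere else, every one of the problems Amos lists for DIRECT traffic reappears, which is why the thread treats the peer case and the DIRECT case differently.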
Received on Fri Jul 22 2011 - 04:26:40 MDT
