Re: [squid-users] Squid->DG->Squid

From: Andrew Rogers <andy.rogers_at_andyscomp.f9.co.uk>
Date: Fri, 29 Jul 2011 13:30:31 +0100

>> Should I always trust these kind of connections and let them go direct
>> if the connection has authentication against it with a possible
>> statement of:-
>>
>> always_direct allow CONNECT auth
>
> CONNECT are absolutely not trustworthy. The one exception we have to make by
> default is port 443 because HTTPS requests need it to transmit the SSL data.
> You are free to extend that list to allow known application ports, just be
> careful.

So would I need to specify a direct allow for CONNECT & SSL_ports then
something along the line of

always_direct allow CONNECT SSL_ports auth

?
Is it then generally better to have SSL traffic using CONNECT to go
direct and not sent to a cache_peer?

I had one question thrown at me about if we did let SSL traffic go
direct, wouldn't people be able to log into porn sites then as this
would have bypassed DG for content filtering? Would this be true, or
would this not be the case as they would usually have to connect via a
http page first.

Thanks

Andy
Received on Fri Jul 29 2011 - 12:30:57 MDT
