On 2014-07-04 15:19, winetbox wrote:
>> This is because of the fix for CVE-2009-0801. NAT on a separate
>> machine
>> has never actually worked properly even in 2.7. The fix we have in
>> current Squid involves verifying the TCP destination IP, which also
>> enforces that NAT is performed on the Squid machine instead of
>> remotely.
>> You need to use policy routing or similar mechanisms on the router to
>> get the packets to the Squid machine unchanged for interception to
>> work.
>>
>> Amos
>
> on the contrary, my setup was working perfectly on those versions,
> because
> i'm not using the same machine for NAT routing. for routing, i leave
> everything on mikrotik, what squid do is only accept redirected request
> from
> mikrotik.
TCP connections arriving at Squid had corrupted destination IP address
due to NAT changes on the microtik. Old squid used to *guess* the
destination based on Host: header in the HTTP request. This was proven
to be a mistake (see CVE details) and current versions use the original
dst IP (http://www.squid-cache.org/Doc/config/client_dst_passthru/).
Amos
Received on Fri Jul 04 2014 - 12:56:10 MDT
This archive was generated by hypermail 2.2.0 : Fri Jul 04 2014 - 12:00:05 MDT