Re: [squid-users] Host header forgery policy in service provider environment

2016-01-06 Thread Amos Jeffries
On 6/01/2016 10:10 p.m., Garri Djavadyan wrote:
>> On 2015-12-31 00:01, Garri Djavadyan wrote:
>>> Hello Squid members and developers!
>>>
>>> First of all, I wish you a Happy New Year 2016!
>>>
>>> The current Host header forgery policy effectively prevents cache
>>> poisoning. But also, I noticed, it deletes an earlier verified cached
>>> object. Is it possible to implement a more careful algorithm as an
>>> option? For example, if Squid would not delete an earlier successfully
>>> verified and valid cached object and would serve the forged request from
>>> the cache, it would be more effective and at the same time secure behavior.
>>
>>
>> This seems to be describing 
>> 
>>
>> So far we don't have a solution. Patches very welcome.
>>
>> Amos
> 
> Amos, can you recheck the bug report? I found the root cause of the problem
> and presented a possible prototype solution, which solves the problem in
> my environment. Thank you in advance!


Got the bug update notice. The double-check may take a while to track
down all the side effects. Thank you very much in advance anyhow. :-)

Amos

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Host header forgery policy in service provider environment

2016-01-06 Thread Garri Djavadyan
>On 2015-12-31 00:01, Garri Djavadyan wrote:
>> Hello Squid members and developers!
>> 
>> First of all, I wish you a Happy New Year 2016!
>> 
>> The current Host header forgery policy effectively prevents cache
>> poisoning. But also, I noticed, it deletes an earlier verified cached
>> object. Is it possible to implement a more careful algorithm as an
>> option? For example, if Squid would not delete an earlier successfully
>> verified and valid cached object and would serve the forged request from
>> the cache, it would be more effective and at the same time secure behavior.
>
>
>This seems to be describing 
>
>
>So far we don't have a solution. Patches very welcome.
>
>Amos

Amos, can you recheck the bug report? I found the root cause of the problem
and presented a possible prototype solution, which solves the problem in
my environment. Thank you in advance!


Re: [squid-users] Host header forgery policy in service provider environment

2016-01-01 Thread garryd

On 2015-12-31 13:31, Amos Jeffries wrote:
> On 2015-12-31 00:01, Garri Djavadyan wrote:
>> Hello Squid members and developers!
>>
>> First of all, I wish you a Happy New Year 2016!
>>
>> The current Host header forgery policy effectively prevents cache
>> poisoning. But also, I noticed, it deletes an earlier verified cached
>> object. Is it possible to implement a more careful algorithm as an
>> option? For example, if Squid would not delete an earlier successfully
>> verified and valid cached object and would serve the forged request from
>> the cache, it would be more effective and at the same time secure behavior.
>
> This seems to be describing 
>
> So far we don't have a solution. Patches very welcome.
>
> Amos


Amos, thank you very much, bug 
 exactly the same 
problem I encountered! I've tested the proposed patch and updated the 
bug report.


Kind Regards,
Garri


Re: [squid-users] Host header forgery policy in service provider environment

2015-12-31 Thread Amos Jeffries

On 2015-12-31 00:01, Garri Djavadyan wrote:
> Hello Squid members and developers!
>
> First of all, I wish you a Happy New Year 2016!
>
> The current Host header forgery policy effectively prevents cache
> poisoning. But also, I noticed, it deletes an earlier verified cached
> object. Is it possible to implement a more careful algorithm as an
> option? For example, if Squid would not delete an earlier successfully
> verified and valid cached object and would serve the forged request from
> the cache, it would be more effective and at the same time secure behavior.

This seems to be describing 



So far we don't have a solution. Patches very welcome.

Amos



[squid-users] Host header forgery policy in service provider environment

2015-12-30 Thread Garri Djavadyan
Hello Squid members and developers!

First of all, I wish you a Happy New Year 2016!

The current Host header forgery policy effectively prevents cache
poisoning. But also, I noticed, it deletes an earlier verified cached
object. Is it possible to implement a more careful algorithm as an
option? For example, if Squid would not delete an earlier successfully
verified and valid cached object and would serve the forged request from
the cache, it would be more effective and at the same time secure behavior.

For example, in a service provider tproxy environment, it is almost
impossible to effectively optimize content delivery from sophisticated
CDNs, such as appldnld.apple.com, iosapps.itunes.apple.com. For the
latter domain, DNS servers return different pairs of A records for the same
host every 15 seconds regardless of Geo location. For the former
domain, local DNS servers and public DNS servers (Google) return
different records. As I emphasized the SP environment, it is not possible
to control DNS settings on subscriber systems.

Thank you for your attention!

-- 
Garri Djavadyan
iPlus LLC, TM Comnet, Technical Department
Phone: +99871 235 (ext. 27)
http://comnet.uz
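
A toy model of the policy question raised in the original post above, added here as an example; it is not Squid's code and does not come from anyone in the thread. It assumes the check compares the intercepted destination IP with the proxy's own DNS answer for the Host header, and every name and address in it (ToyProxy, simulate, cdn.example, the IPs) is constructed.

```python
# Toy model of the policy discussed in this thread; not Squid source code.
# ToyProxy, handle and simulate are hypothetical names.

class ToyProxy:
    def __init__(self, resolve, fetch, keep_verified=False):
        self.resolve = resolve              # Host -> set of A records the proxy sees
        self.fetch = fetch                  # (dst_ip, url) -> response body
        self.keep_verified = keep_verified  # True = behaviour proposed in the post
        self.cache = {}                     # url -> body, filled only by verified fetches

    def handle(self, host, path, dst_ip):
        """Process one intercepted request and return (body, status)."""
        url = host + path
        if dst_ip in self.resolve(host):    # Host header matches the destination IP
            if url in self.cache:
                return self.cache[url], "HIT"
            body = self.cache[url] = self.fetch(dst_ip, url)
            return body, "MISS"
        # Verification failed: the response fetched below is never stored.
        if self.keep_verified and url in self.cache:
            return self.cache[url], "HIT"   # reuse the object from a verified fetch
        self.cache.pop(url, None)           # behaviour reported in the post
        return self.fetch(dst_ip, url), "MISS-UNCACHED"


# Constructed sample data (documentation address ranges, made-up host name).
PROXY_DNS = {"cdn.example": {"192.0.2.10", "192.0.2.11"}}
ROGUE_IP = "203.0.113.66"

def origin(dst_ip, url):
    return "forged" if dst_ip == ROGUE_IP else "genuine"

def simulate(keep_verified, dst_ips):
    proxy = ToyProxy(PROXY_DNS.__getitem__, origin, keep_verified)
    return [proxy.handle("cdn.example", "/app.ipa", ip) for ip in dst_ips]

# Verified, rotated CDN records, verified, forged destination, verified.
TRAFFIC = ["192.0.2.10", "198.51.100.20", "192.0.2.11", ROGUE_IP, "192.0.2.10"]

if __name__ == "__main__":
    for mode in (False, True):
        print(mode, [status for _, status in simulate(mode, TRAFFIC)])
```

In both modes a response fetched for an unverified request is never stored, so the cache cannot be poisoned; the modes differ only in whether an unverified request costs the object that was already verified.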

