Henrik Nordstrom wrote:
Sun 2009-08-16 at 19:17 +1200, Amos Jeffries wrote:

Aha. Just connect() then? not really bind() or listen()?

Correct. Bind to 0.0.0.0 is "any address".

I'm thinking that aliasing has already been done before Squid gets such packets at the 'other end'. So that we only see the real localhost IP if it's intercepted. Right?

0.0.0.0 is not valid for use on the wire. I would expect stacks to
discard such packets.

Problem might be DNS on forward proxy traffic, but that's validated out of existence to a NXDOMAIN.

?

Leaving only hosts file entries. I know 0.0.0.0 is used to boganize domain names at times. Because it doesn't resolve!

For the intended use of the ACL as you highlight, yes I agree it's a good change. It may not be good for the reality situation though.

Well, it's the same thing so doesn't matter really.

What about a bogons ACL for less confusion?

dst 0.0.0.0 is not more bogon than dst 127.0.0.1.

Yes it is.

Consider the virtual host setup with DNS views:

  foo.example.com -> 1.2.3.4  (when the public checks)
  foo.example.com -> 127.0.0.1  (when Squid checks)

 Squid listening on 1.2.3.4:80
 Apache listening on 127.0.0.1:80


Based on what ACL the admin can see in the config file and what they need to do squid.conf very often gets this:

  http_access allow to_localhost
  cache_peer_access apache allow to_localhost

For this usage 127.* is not a bogon at all.
Yet 0.0.0.0 in its place would be completely insane despite any trickery the TCP stack might do to cope.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13
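An added squid.conf fragment (not from this thread or the Squid project) for the DNS-view accelerator setup Amos describes, showing the common "allow to_localhost" pattern beside a form that keeps 127.0.0.1 reachable for the Apache peer without also admitting 0.0.0.0. It assumes Squid 3.x syntax, the thread's placeholder values 1.2.3.4 and foo.example.com, and a peer named "apache".

```conf
# Squid 3.x ships to_localhost covering loopback AND the all-zeros address.
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Accelerator port on the public address; Apache sits on 127.0.0.1:80.
http_port 1.2.3.4:80 accel defaultsite=foo.example.com
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=apache

# The pattern the thread says "very often" ends up in squid.conf.
# Risky: because to_localhost also matches 0.0.0.0, a request whose
# destination resolved to 0.0.0.0 (a hosts-file "boganized" name) is
# allowed here and handed to the peer as well.
#http_access allow to_localhost
#cache_peer_access apache allow to_localhost

# Safer: match the accelerated site by name, refuse the all-zeros
# destination outright, and keep the stock to_localhost deny for
# anything else that resolves to loopback.
acl apache_vhost dstdomain foo.example.com   # 127.0.0.1 in Squid's DNS view
acl zero_addr dst 0.0.0.0/32                 # never valid on the wire

http_access deny zero_addr
http_access allow apache_vhost
http_access deny to_localhost

cache_peer_access apache allow apache_vhost
cache_peer_access apache deny all
```

Order matters: http_access and cache_peer_access both stop at the first matching line, so the zero_addr deny must precede the allow.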
