On 19.12.2015 at 00:52, Amos Jeffries wrote:
> Why not?
> * NAT/TPROXY is mandatory to happen on the Squid machine directly since
> kernel and Squid are performing integrated operations.
> * PROXY protocol passes the ORIGINAL_DST explicitly over the wire.
> * SSL-Bump all happens "inside Squid".
>
> Those are the only forms of interception Squid supports.
>
Thanks for making that clear! I fixed my setup accordingly. Squid now
gathers original IP addresses from NAT.
I also enabled host_verify_strict, which should make sure requests are
always sent to correct IP addresses. Is there an equivalent setting for
peek-and-spliced HTTPS connections? Or does host_verify_strict cover
that case as well? This would be important, since otherwise a malicious
application could bypass the whitelist ACLs I have installed.

Nikolaus
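For readers following the thread, here is a squid.conf fragment showing the setup the message describes: NAT interception on the Squid host, host_verify_strict enabled, a destination allowlist for plain HTTP, and a peek-and-splice HTTPS port whose allowlist is matched on the TLS server name. This is an added illustration, not configuration from the original post or the Squid project; the domain names, port numbers and the CA certificate path are placeholders, and the directives are the standard Squid 3.5 ones.

```conf
# --- Plain HTTP, intercepted via NAT REDIRECT/DNAT on this host ---
http_port 3129 intercept

# --- HTTPS, intercepted via NAT, handled with SSL-Bump peek-and-splice ---
# cert= is required for an ssl-bump port even when nothing is bumped;
# the path is a placeholder.
https_port 3130 intercept ssl-bump cert=/etc/squid/ssl_cert/squidCA.pem

# Reject requests whose Host header does not agree with the original
# destination IP obtained from NAT (applies to intercepted traffic).
host_verify_strict on

# --- Allowlist for intercepted HTTP (placeholder domains) ---
acl allowed_http dstdomain .example.com .example.org
http_access allow allowed_http
http_access deny all

# --- Allowlist for intercepted HTTPS (placeholder domains) ---
# At SslBump1 only the original destination IP is known; peek moves to
# SslBump2, where the client's SNI is available for ssl::server_name.
acl step1 at_step SslBump1
acl allowed_https ssl::server_name .example.com .example.org

ssl_bump peek step1
ssl_bump splice allowed_https
ssl_bump terminate all
```

With this ordering, a TLS connection whose SNI is not on the allowlist is terminated at step 2 rather than spliced through, and the NAT port for HTTPS must be distinct from the HTTP one so Squid knows which protocol to expect.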
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users