On Mon, Feb 27, 2012 at 11:01 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:
>>> 3.2.0.15+ will do a soft-fail type behaviour, which allows the request
>>> through but does not allow caching of the response and only relays to the
>>> original destination IP, which hides the problems from client visibility
>>> at the cost of some cache HITs.
>>
>>
>> ok interesting - I assume this will be some config option?
>
>
> Not as such.
>
> There is a host_verify_strict directive to *increase* the number of things
> validated, including forward-proxy traffic. It is off by default, so only
> the minimal checks are done.
>
> The risk of turning this off entirely is cache poisoning, which immediately
> spreads infection across the whole network, since the action vector to do
> the initial infection is so trivial (a client running a website script can
> do it without knowing). That is too much risk to allow configuration.


Ok that makes sense - thanks Amos.


-- 
.warren

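As an added illustration of the check Amos describes (this is example code written for this page, not Squid's implementation and not anything posted in the thread): a small Python model of how an intercepted request's TCP destination IP is compared against its Host header, with the poisonable "trust the Host header" behaviour beside the soft-fail and strict variants. The DNS table, the attacker's IP and the upstream response bodies are constructed for the example; the 409 status mentioned in a comment is taken from the Squid documentation for host_verify_strict, not from this thread.

```python
"""Model of intercepted-request Host verification (added illustration, not Squid code).

An intercepted request makes two claims about its destination: the IP the client's
TCP connection actually went to, and the Host header the client wrote.  A proxy
that relays to the original IP but stores the reply under the Host header's URL can
be poisoned: a script in a browser connects to an attacker's IP, sends
`Host: bank.example`, and the attacker's reply is cached for every client.  The
thread describes the fix: on a mismatch, still relay to the original destination
IP but never cache (soft-fail), or reject outright when host_verify_strict is on.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Constructed DNS table standing in for the proxy's own resolver (assumption).
DNS_TABLE: Dict[str, Set[str]] = {
    "www.example.com": {"93.184.216.34", "2606:2800:220:1:248:1893:25c8:1946"},
    "bank.example": {"198.51.100.10", "198.51.100.11"},
}
ATTACKER_IP = "203.0.113.66"  # constructed: a host the attacker controls


@dataclass(frozen=True)
class Decision:
    forward_to: Optional[str]  # IP the request is relayed to; None means rejected
    cacheable: bool            # may the reply be stored under the Host URL?
    reason: str


def resolve(hostname: str, table: Dict[str, Set[str]] = DNS_TABLE) -> Set[str]:
    return table.get(hostname.lower(), set())


def host_from_header(host_header: str) -> str:
    """Strip an optional :port (and IPv6 brackets) from a Host header value."""
    h = host_header.strip()
    if h.startswith("["):                      # "[v6addr]:port" form
        return h[1:h.index("]")].lower()
    if h.count(":") == 1:                      # "name:port" or "v4addr:port"
        return h.rsplit(":", 1)[0].lower()
    return h.lower()                           # bare name or bare IPv6 address


def verify_intercepted(dest_ip: str, host_header: str, strict: bool = False,
                       table: Dict[str, Set[str]] = DNS_TABLE) -> Decision:
    """dest_ip: IP the client's TCP connection was going to.
    host_header: the Host header the client sent.
    strict: host_verify_strict on/off (off by default, as in the thread)."""
    host = host_from_header(host_header)
    # Host is the literal destination IP (authority form): trivially consistent.
    if host == dest_ip.lower():
        return Decision(dest_ip, True, "host-equals-dest-ip")
    # Host resolves, for the proxy, to the IP the client connected to: consistent.
    if dest_ip in resolve(host, table):
        return Decision(dest_ip, True, "host-resolves-to-dest-ip")
    # Mismatch.  Strict mode refuses the request (the Squid docs describe this as
    # a 409 Conflict; that detail is from the docs, not from the thread).
    if strict:
        return Decision(None, False, "rejected-host-mismatch")
    # Soft-fail: relay only to where the client was already going, never to an
    # address derived from the untrusted Host, and do not cache the reply.
    return Decision(dest_ip, False, "soft-fail-host-mismatch")


def naive_trust_host(dest_ip: str, host_header: str) -> Decision:
    """The poisonable behaviour: relay to the original IP and cache under Host."""
    return Decision(dest_ip, True, "trusted-host-header")


def handle(policy: Callable[[str, str], Decision], cache: Dict[str, str],
           dest_ip: str, host_header: str, upstream: Dict[str, str]) -> Decision:
    """Apply a policy to one intercepted request and populate the shared cache.
    upstream maps server IP -> body that server returns (constructed)."""
    d = policy(dest_ip, host_header)
    if d.forward_to is not None and d.cacheable:
        cache["http://" + host_from_header(host_header) + "/"] = upstream[d.forward_to]
    return d


if __name__ == "__main__":
    bodies = {ATTACKER_IP: "<attacker page>", "198.51.100.10": "<real bank page>"}
    for name, policy in (("naive", naive_trust_host), ("soft-fail", verify_intercepted)):
        cache: Dict[str, str] = {}
        d = handle(policy, cache, ATTACKER_IP, "bank.example", bodies)
        print(f"{name:9s} -> {d.reason}; cache={cache}")
```

The attack request in the demo is the one Amos alludes to: a script makes the browser connect to the attacker's IP with a Host header naming someone else. Under the naive policy the cache ends up holding the attacker's body under http://bank.example/; under the soft-fail policy the request still goes to the attacker's IP (so the client sees nothing unusual) but nothing is stored, which is the cache-HIT cost the thread mentions.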