On 8/7/2012 10:59 AM, Amos Jeffries wrote:
Important changes to note in this release:

* As you should know CVE-2009-0801 security vulnerability protection was
added in 3.2 series.

Earlier betas attempted to protect peer caches as well as themselves, by
blocking relay of untrusted requests until we could implement a safe relay.

    Due to time constraints this extra layer of peer protection
    has been REMOVED from 3.2 default builds.

Interception cache proxies are themselves well protected against the
vulnerability, but can indirectly poison any cache hierarchy they are
integrated with. The -DSTRICT_HOST_VERIFY compile-time flag can be
defined in CXXFLAGS to re-enable this peer protection if desired. Its
use is encouraged, but will result in problems for some popular
configurations, i.e. an ISP interception proxy gatewaying through a cache
array, or a matrix of interception proxies as siblings.

Use of the client destination IP (ORIGINAL_DST) is still preferred for
untrusted requests, so if your proxy is backed by a firewall denial
please ensure that the rules are REJECT rules rather than DROP for best
performance. never_direct does not affect this routing preference as it
does for DIRECT traffic.

I want to verify because I'm a bit confused.
Can an intercepted request be forwarded to a cache_peer in any way?

Thanks,
Eliezer

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
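A simplified model of the routing rule quoted above, added here as an example and not Squid's own code: the Host header of an intercepted request is verified against the client's ORIGINAL_DST, and an unverified request goes to ORIGINAL_DST regardless of never_direct and may be relayed to a peer only when the build lacks -DSTRICT_HOST_VERIFY. The DNS table is constructed, and the exact fallback behaviour is assumed from the release note wording rather than from the Squid source.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS: Dict[str, List[str]] = {
    "example.com": ["93.184.216.34"],
    "cdn.example.net": ["203.0.113.10", "203.0.113.11"],
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name.lower(), [])


def host_verified(host_header: str, original_dst: str,
                  resolve: Callable[[str], List[str]] = fake_resolve) -> bool:
    """CVE-2009-0801 check (simplified): the Host header must name the IP
    the client actually connected to. A Host pointing elsewhere fails.
    IPv6 bracket literals are not modelled here."""
    host = host_header.strip().split(":")[0].lower()
    if not host:
        return False
    try:
        ipaddress.ip_address(host)      # IP literal: must equal ORIGINAL_DST
        return host == original_dst
    except ValueError:
        return original_dst in resolve(host)


def route_intercepted(host_header: str, original_dst: str,
                      strict_host_verify: bool = False,
                      never_direct: bool = False) -> dict:
    """Routing decision for one intercepted request (assumed model).
    Verified requests follow normal hierarchy selection; unverified ones
    prefer ORIGINAL_DST no matter what never_direct says, and reach a
    cache_peer only when peer protection is compiled out."""
    if host_verified(host_header, original_dst):
        return {"verified": True, "route": "HIERARCHY",
                "may_relay_to_peer": True}
    return {"verified": False, "route": "ORIGINAL_DST",
            "may_relay_to_peer": not strict_host_verify,
            "never_direct_ignored": never_direct}
```

Run the forged-Host case (Host: example.com sent to 203.0.113.10) with and without strict_host_verify to see which builds would hand the request to a peer.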
