On 2014-07-04 15:19, winetbox wrote:
This is because of the fix for CVE-2009-0801. NAT on a separate machine has never actually worked properly even in 2.7. The fix we have in current Squid involves verifying the TCP destination IP, which also enforces that NAT is performed on the Squid machine instead of remotely.

You need to use policy routing or similar mechanisms on the router to get the packets to the Squid machine unchanged for interception to work.

Amos
On the contrary, my setup was working perfectly on those versions, because I'm not using the same machine for NAT routing. For routing, I leave everything on Mikrotik; what Squid does is only accept redirected requests from Mikrotik.
TCP connections arriving at Squid had corrupted destination IP addresses due to NAT changes on the Mikrotik. Old Squid used to *guess* the destination based on the Host: header in the HTTP request. This was proven to be a mistake (see CVE details) and current versions use the original dst IP (http://www.squid-cache.org/Doc/config/client_dst_passthru/).

Amos
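To illustrate the point Amos makes about the destination check, here is a small added model (written for this page, not Squid's own code) of the three situations an intercepting proxy can find itself in: the Host: header resolves to the TCP destination it actually received, the Host: header does not match the TCP destination, and the TCP destination has already been rewritten by a remote NAT device to the proxy's own address so the real destination is lost. The DNS table, the proxy address and the connection records are all constructed sample data; `client_dst_passthru` is modelled only as a boolean switch, not with Squid's real semantics.

```python
# Added illustration, not Squid source: why an intercepting proxy must verify
# the TCP destination IP instead of trusting the Host: header, and why a remote
# NAT that rewrites the destination before the packets reach the proxy breaks
# that verification.

from dataclasses import dataclass

# Constructed DNS table standing in for real name resolution.
DNS = {
    "intranet.example": {"10.0.0.5"},
    "bank.example": {"203.0.113.10", "203.0.113.11"},
}

# Constructed address of the machine running the proxy.
PROXY_IP = "192.0.2.3"


@dataclass(frozen=True)
class Intercepted:
    client_ip: str
    original_dst_ip: str   # TCP destination as seen by the proxy
    host_header: str       # Host: header from the HTTP request


def legacy_destination(conn: Intercepted) -> str:
    """Old behaviour: pick the upstream server purely from Host:.

    The TCP destination is ignored, so a request can be steered to any host
    the proxy can reach and its response cached under that name. That is the
    flaw behind CVE-2009-0801 as described in the thread."""
    addrs = sorted(DNS.get(conn.host_header, ()))
    return addrs[0] if addrs else conn.original_dst_ip


def verify_destination(conn: Intercepted, dst_passthru: bool = True):
    """Current behaviour (modelled): accept Host: only when it resolves to the
    TCP destination the client actually connected to.

    Returns (status, upstream_ip):
      "verified"      Host: and TCP destination agree.
      "passthru"      mismatch, but the connection is sent to the original
                      TCP destination anyway (client_dst_passthru on).
      "rejected"      mismatch and passthru is off.
      "nat-corrupted" the TCP destination is the proxy itself, i.e. a
                      remote NAT already rewrote it; the real destination is
                      gone and forwarding would loop back to the proxy."""
    if conn.original_dst_ip == PROXY_IP:
        return ("nat-corrupted", None)
    if conn.original_dst_ip in DNS.get(conn.host_header, set()):
        return ("verified", conn.original_dst_ip)
    if dst_passthru:
        return ("passthru", conn.original_dst_ip)
    return ("rejected", None)


if __name__ == "__main__":
    samples = [
        Intercepted("10.0.0.20", "203.0.113.10", "bank.example"),
        Intercepted("10.0.0.20", "203.0.113.10", "intranet.example"),
        Intercepted("10.0.0.20", PROXY_IP, "bank.example"),
    ]
    for c in samples:
        print(c.host_header, c.original_dst_ip,
              "legacy ->", legacy_destination(c),
              "current ->", verify_destination(c))
```

The second sample is the interesting one: the legacy lookup would happily connect to 10.0.0.5 because that is what Host: says, while the verified path keeps the connection on the address the client really opened. The third sample is exactly the setup from the thread: with the router doing the NAT, every connection arrives addressed to the proxy, so there is no original destination left to verify, which is why the packets must reach the Squid machine unchanged and be redirected locally.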