On 07/04/2012 05:34 PM, Amos Jeffries wrote:
> On 05.07.2012 10:00, Alex Rousskov wrote:
>>> 3478 - Host verify catching dynamic CDN hosted sites
>>> ** requires designing a CONNECT and bump handling mechanism
>>
>> I am not an expert on this, but it feels like we are trying to enforce a
>> [good] rule ignored by the [bad] real world, especially in interception
>> environments. As a result, Squid lies and scares admins for no good
>> reason (in most cases). We will not win this battle.
>>
>> I suggest that the "host_verify_strict off" behavior is adjusted to
>> cause no harm, even if some malicious requests will get through.

> It does that now. The "no harm" means we can't re-write the request
> headers to something we are not sure about and would actively cause
> problems if we got it wrong.
> The current state is that Squid goes DIRECT, instead of through peers.
> Breaking interception+cluster setups.

That last part means "do harm" to those admins who discover nonworking
setups that used to work fine (from their perspective). I understand
that your definition of "harm" may be different from theirs. This
conflict should be resolved by configuration knobs IMO.

> cache_peer relay is almost completely "disabled" for some major sites.
> Everything else works well.

Well, we can wait for somebody to complain about that and then decide
what to do, I guess. With some luck, nobody will complain.
I certainly do not insist on treating this issue as a blocker for v3.2
"stable" designation; only suggesting ways to close it.

Cheers,
Alex.
Received on Thu Jul 05 2012 - 01:18:35 MDT