git.ipfire.org Git - thirdparty/squid.git/commit

author	Amos Jeffries <squid3@treenet.co.nz>
	Sun, 29 Jul 2012 08:15:17 +0000 (02:15 -0600)
committer	Amos Jeffries <squid3@treenet.co.nz>
	Sun, 29 Jul 2012 08:15:17 +0000 (02:15 -0600)
commit	7177edfbf71bde03342da16925b3c71d6c77f3dd
tree	09c03b6b10e8b3f2c1be6c482661e25a30710a93	tree
parent	fdde4c47c2c251b5cdf63c6c60a8a595ef3dccea	commit \| diff

Bug 3478: Allow peer selection

This re-enables Squid peer selection algorithms for intercepted
traffic which has failed Host header verification.

When host verification fails Squid will use, in order of preference:
* an already PINNED server connection
* the client ORIGINAL_DST details
* cache_peer as chosen by selection algorithms

NOTE: whenever DIRECT is selected by routing algorithms the
      ORIGINAL_DST is used instead.

Peer selection results are updated to display PINNED and
ORIGINAL_DST alongside DIRECT and cache_peer.

SECURITY NOTE:

  At this point Squid will pass the request to cache_peer using the
  non-trusted Host header in their URLs. Meaning that the peers
  may still be poisoned by CVE-2009-0801 attacks. Only the initial
  intercepting proxy is protected.

  Full protection against CVE-2009-0801 can be enjoyed by building
  Squid with the -DSTRICT_HOST_VERIFY compile-time flag. This will
  make the peers unreachable for intercepted traffic where the
  Host verification has failed.

src/cf.data.pre		diff \| blob \| blame \| history
src/forward.cc		diff \| blob \| blame \| history
src/peer_select.cc		diff \| blob \| blame \| history