RE: [squid-users] How squid does Src/Dst IP address matching

From: Saurabh Agarwal <Saurabh.Agarwal@dont-contact.us>
Date: Mon, 24 Mar 2008 12:28:13 +0530

I understand the security concern, but if squid is accessed by users
only within the company and the company's intranet is secure enough, then it
is overkill, as DNS is performed twice (Squid being used in transparent
mode), once by the browser and then a second time by Squid.

Shouldn't we have this as configurable through the squid.conf file, though
with the disclaimer you wrote earlier? This looks like a good feature to
have.

Like: Disable DNS lookups by Squid, instead use the DST IP address in the
intercepted HTTP request.
#disable_dns_lookup, hence use Dst IP from the packet

Thanks
Saurabh
-----Original Message-----
From: Amos Jeffries [mailto:squid3@treenet.co.nz]
Sent: Monday, March 24, 2008 10:28 AM
To: Saurabh Agarwal
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] How squid does Src/Dst IP address matching

Saurabh Agarwal wrote:
> Thanks Amos, I have one follow up question though on your reply
>
> src - performs an OS call to retrieve the IP of the other end of the TCP
> connection socket it's been given.
>
> dst - retrieves the FQDN being looked up from the request headers, and
> performs a DNS lookup on it to retrieve the address.
>
>>> To determine the dst IP address, why don't we perform an OS call
> to retrieve the destination IP address? Is it technically possible? If
> yes, how? If we can do it, then we can save some time in the DNS lookup
> that squid performs.

It's possible. Most OSes provide getsockopt() calls to retrieve them.
Squid does not use these, in order to protect its cache against
compromised users.
When trusting the user's requested dst-IP, a single infected web client
retrieving a bad web page could poison the cache and pass the infection
on to all other users.

Amos

>
> Thanks
> Saurabh
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@treenet.co.nz]
> Sent: Monday, March 17, 2008 4:01 PM
> To: Saurabh Agarwal
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] How squid does Src/Dst IP address matching
>
> Saurabh Agarwal wrote:
>> Hi
>>
>> Can someone please tell how squid does the acl evaluation related
>> to Src/Dst IP address? Like "acl myNet dst 10.0.0.0/255.255.0.0"
>>
>> As I understand squid does not get to know the IP layer information
>> which has the destination IP address field.
>>
>> But in the HTTP header we have the name of the server like
>> "Host mail.yahoo.com", which can be used to determine the destination IP
>> Address.
>>
>> Does squid resolve the IP address of mail.yahoo.com before it does the
>> Dst Address acls matching or evaluation?
>
>
> With src and dst it differs in the methods of attaining the IP. But the
> evaluation is identical.
>
> src - performs an OS call to retrieve the IP of the other end of the TCP
> connection socket it's been given.
>
> dst - retrieves the FQDN being looked up from the request headers, and
> performs a DNS lookup on it to retrieve the address.
>
> Both then pass the IP to the ACL processing to be checked.
>
> Amos

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
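Added example (not Squid's code, and not written by either poster): a small Python model of the two points made in this thread. It evaluates an `src` ACL from the socket peer and a `dst` ACL from a DNS lookup of the Host name, exactly as Amos describes, then shows why trusting the intercepted packet's destination IP instead is a cache-poisoning hazard, and what a proxy could check before trusting it. The `InterceptedRequest` record, its `packet_dst_ip` field (standing in for what an OS call on the intercepted socket would return), the `FAKE_DNS` answers and the `ORIGINS` table are all constructed for illustration.

```python
"""Model of src/dst ACL evaluation as described in the thread, plus the hazard
of trusting the intercepted packet's destination IP instead of resolving the
Host name.  Added illustration, not Squid code: the DNS answers, the origin
servers and the request records are all constructed here."""
import ipaddress
from dataclasses import dataclass

# Constructed DNS answers standing in for the resolver Squid would query.
FAKE_DNS = {
    "mail.example.com": ["10.0.5.20"],
    "intranet.example.com": ["10.0.7.8", "10.0.7.9"],
    "www.example.org": ["203.0.113.10"],
}

# Constructed: what each origin IP would return for "/" if connected to.
ORIGINS = {
    "10.0.5.20": "legitimate mail.example.com front page",
    "10.0.7.8": "intranet portal",
    "203.0.113.10": "content served by an unrelated external host",
}


@dataclass
class InterceptedRequest:
    """What the proxy holds for one intercepted request (hypothetical record)."""
    peer_ip: str        # other end of the accepted socket (getpeername())
    packet_dst_ip: str  # original destination IP of the intercepted connection
    host_header: str    # Host: header from the HTTP request


def resolve_host(name, resolver=FAKE_DNS):
    """Return the addresses a DNS lookup of `name` yields (empty if unknown)."""
    return [ipaddress.ip_address(a) for a in resolver.get(name, [])]


def src_ip(req):
    """src: the IP of the other end of the TCP connection."""
    return ipaddress.ip_address(req.peer_ip)


def dst_ips(req):
    """dst: resolve the FQDN from the request headers; the packet is not consulted."""
    return resolve_host(req.host_header)


def acl_matches(ip, network):
    """The ACL comparison itself, e.g. network "10.0.0.0/255.255.0.0"."""
    return ip in ipaddress.ip_network(network, strict=False)


def evaluate_acl(req, acl_type, network):
    """src and dst obtain the IP differently; the comparison is identical."""
    if acl_type == "src":
        return acl_matches(src_ip(req), network)
    if acl_type == "dst":
        return any(acl_matches(ip, network) for ip in dst_ips(req))
    raise ValueError(f"unsupported acl type {acl_type!r}")


def packet_dst_is_consistent(req):
    """Defensive check: does the packet's destination belong to the Host name?"""
    return ipaddress.ip_address(req.packet_dst_ip) in dst_ips(req)


def fetch_into_cache(cache, req, trust_packet_dst):
    """Fetch "/" for the request and store it under the URL key that every
    later user of the proxy shares.  With trust_packet_dst=True the origin is
    whatever IP the client connected to; otherwise it is the resolved address."""
    key = f"http://{req.host_header}/"
    if trust_packet_dst:
        origin = req.packet_dst_ip
    else:
        addrs = dst_ips(req)
        if not addrs:
            raise LookupError(f"cannot resolve {req.host_header}")
        origin = str(addrs[0])
    cache[key] = ORIGINS[origin]
    return cache[key]


if __name__ == "__main__":
    acl = ("dst", "10.0.0.0/255.255.0.0")   # acl myNet dst 10.0.0.0/255.255.0.0
    normal = InterceptedRequest("10.0.3.4", "10.0.5.20", "mail.example.com")
    # A client whose connection went to an unrelated IP while sending an
    # internal Host: name (constructed case).
    mismatched = InterceptedRequest("10.0.3.4", "203.0.113.10", "mail.example.com")
    for req in (normal, mismatched):
        print(req.host_header, req.packet_dst_ip,
              "myNet" if evaluate_acl(req, *acl) else "no match",
              "consistent" if packet_dst_is_consistent(req) else "MISMATCH")
    shared_cache = {}
    fetch_into_cache(shared_cache, mismatched, trust_packet_dst=True)
    print("cache after trusting the packet:", shared_cache)
```

The `dst` ACL result is the same for both requests because it is computed from the resolved name, not from the packet; what differs is the origin the proxy would fetch from. The `packet_dst_is_consistent` check is one shape the "disclaimer" in such a config option could take: the packet's destination is only used when it is among the addresses the Host name actually resolves to, which still costs a lookup but at least refuses the obvious mismatch.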
Received on Mon Mar 24 2008 - 01:00:19 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Apr 01 2008 - 13:00:05 MDT