Re: proposed (minor) changes in squid

From: Marc van Selm <marc.van.selm@dont-contact.us>
Date: Wed, 01 Oct 1997 14:43:18 +0100

At 09:02 PM 10/1/97 +1000, you wrote:
>On Wed, 1 Oct 1997, Anthony Baxter wrote:

>> Sure, but you should notify the people responsible for the domain, not
>> the end users trying to talk to that domain.

Agreed, but...

>How do you know that such domains/hosts exist if Squid (any software for
>that matter) is silently passing requests through?

Not fully silent. My squid-1.1.16 uses syslog for errors like this also
(might be platform dependent. Don't know. It's also in the cache.log but who
reads that every day?) I'm just one of the ones with the Ultra on my desk (I
also do other things with it.)

So I see these kinds of "major" errors on my console. They are mostly just
stupid typos (like spaces) but I was intrigued by some of the errors with
underscores in the host name. I did a host-lookup and found it existed so
they haven't read the RFCs but they were also blocked by the proxy. I kept
an eye on it for a while and found it happened more often. Also our users
don't understand that we are blocking hosts which are on the net but don't
fully comply with the RFC so I decided to add '_' to the list of acceptable
characters in the name.

>Why should cache admins have to keep checking for mistakes made by
>(perhaps well-meaning but otherwise ill-informed and/or inexperienced)
>other admins?

My point exactly. I think a proxy should be transparent. If Netscape or MSIE
can access the site, squid shouldn't be blocking it.

On the other hand, it's very good to check the host name because it's no use to
load your DNS with bogus names.

>If use of Squid is optional for your organisation then who cares? Users
>who feel sufficiently strongly about it will bypass Squid and that's that.

Yep, believe me, we have spent 1 year convincing people it is more efficient
to use a proxy with our limited bandwidth. After that year only 50% of the
users complied and the others had "good" reasons to bypass. That's when we
created a nice router-filter forcing the users. This also implies for the
proxy-manager to be as "transparent" as possible for the user (just a
side-line...)

>And what do you do when the resolver on your Squid server refuses the
>character? What's the point in "breaking" one piece of software only to
>accept the restriction by another piece of software in the chain?

It doesn't (Solaris 2.5) but that's why I suggested to get a compile-time
config. (-DACCEPT_UNDER)

>This isn't old news, BTW. How many commercial ISPs have yet modified
>Squid to accept the underscore character (serious question)?

No it isn't. It's a serious request though. I have a few "optimizations" and
hacks I always redo in the next squid-version.

Some of them I just don't dare to mention: like a proxy-name and Forwarded
for spoof (just for fun), caching of cookies and temp-redirects (the last
one is used by a few popular sites in The Netherlands for example as a
permanent redirect to the main-page. Again not really according to the
standard but a bit annoying).
These are a bit exotic but the 2 suggestions I raised might have use for the
squid-community in general.

>Cheers..
>

>dave

Cheers again, Marc
---------------------------------------------------------------------
Marc van Selm
NATO C3 Agency
Communication Systems Division, A-Branch
E-Mail: marc.van.selm@nc3a.nato.int
---------------------------------------------------------------------
Private: selm@cistron.nl, selm@het.net, http://www.cistron.nl/~selm
Received on Wed Oct 01 1997 - 05:47:10 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:37:14 MST
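
The host-name check discussed in this message, sketched as an added example (not Squid's code and not from the original post): a validator that enforces the RFC 952 / RFC 1123 letter-digit-hyphen rules and relaxes them for '_' only when asked. The function and macro names are hypothetical; only the ACCEPT_UNDER flag name comes from the message, and the 63/253 length limits are the usual DNS limits, assumed here.

```c
#include <stddef.h>
#include <string.h>

/* ACCEPT_UNDER is the compile-time flag suggested in the message; building
 * with -DACCEPT_UNDER makes the default policy tolerate '_' in labels. */
#ifdef ACCEPT_UNDER
#define ALLOW_UNDERSCORE_DEFAULT 1
#else
#define ALLOW_UNDERSCORE_DEFAULT 0
#endif

/* ASCII-only character test, independent of the process locale. */
static int is_host_char(unsigned char c, int allow_underscore)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-' ||
           (allow_underscore && c == '_');
}

/* Returns 1 if host is syntactically acceptable, 0 otherwise.
 * Labels are 1..63 characters, may not start or end with '-', and are
 * separated by single dots; one trailing root dot is tolerated. */
int hostname_ok(const char *host, int allow_underscore)
{
    size_t len = host ? strlen(host) : 0, label_len = 0, i;

    if (len > 0 && host[len - 1] == '.')
        len--;                      /* "example.com." is the same name */
    if (len == 0 || len > 253)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            if (label_len == 0 || host[i - 1] == '-')
                return 0;           /* empty label, or label ending in '-' */
            label_len = 0;
            continue;
        }
        if (!is_host_char(c, allow_underscore))
            return 0;               /* spaces, control or 8-bit bytes, ... */
        if (c == '-' && label_len == 0)
            return 0;               /* label starting with '-' */
        if (++label_len > 63)
            return 0;
    }
    return label_len > 0 && host[len - 1] != '-';
}

/* Policy chosen at build time, as proposed in the message. */
int hostname_ok_default(const char *host)
{
    return hostname_ok(host, ALLOW_UNDERSCORE_DEFAULT);
}
```

Names rejected here are worth logging with the requesting client, since the typo cases (embedded spaces) and the non-compliant but resolvable cases (underscores) call for different follow-up.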