Re: [squid-users] When worlds collide

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 14 Jul 2008 00:08:44 +1200

Paul Bertain wrote:
> What I should have said was put an entry in /etc/hosts and then modify
> /etc/nsswitch.conf on the Squid box so that it sees that same host as
> valid.

You could. Although by using the internal DNS resolver for just squid,
you only need to add the entry to /etc/hosts. Squid loads the hosts file
to prime its internal DNS resolver.

That would be the easiest way to configure it yes. But it makes the site
available to all users of Squid. Not just the one client.

Amos

>
> On Jul 12, 2008, at 10:36 PM, Paul Bertain wrote:
>
>> Would it work to put an entry on the Squid machine and to make sure
>> that /etc/nsswitch.conf has "hosts: files dns"?
>>
>> That way, Squid sees it the same way, which is what it looks like Tuc
>> is trying to do.
>>
>> Paul
>>
>> On Jul 12, 2008, at 8:55 PM, Amos Jeffries wrote:
>>
>>> Tuc at T-B-O-H.NET wrote:
>>>> Hi,
>>>> Running into a problem, not sure if or how to handle it.
>>>> User running windows has an entry in their (Windows
>>>> equiv of /etc/hosts) that says :
>>>> 192.168.3.10 SNEAKY.EXAMPLE.COM
>>>> For the rest of the world, SNEAKY.EXAMPLE.COM doesn't
>>>> exist (NXDOMAIN).
>>>> Without squid in transparent/WCCP2 mode, it appears that the
>>>> user contacts 192.168.3.10 and does his thing. With squid+
>>>> transparent+WCCP2, we end up with 503's. Is there even a way to
>>>> be able to address this, or is
>>>> the user just going to be out of luck period?
>>>
>>> Out of luck. Domain hijacking like this is precisely why squid
>>> doesn't trust the client-given dst IP in transparent mode.
>>>
>>> They will have to:
>>>
>>> a) connect to that domain using raw IP address in the URL.
>>>
>>> b) negotiate with the proxy admin to configure the proxy to
>>> selectively do the SNEAKY.EXAMPLE.COM redirect for them.
>>>
>>> Amos
>>> --
>>> Please use Squid 2.7.STABLE3 or 3.0.STABLE7
>>
>

-- 
Please use Squid 2.7.STABLE3 or 3.0.STABLE7
Received on Sun Jul 13 2008 - 12:08:42 MDT

This archive was generated by hypermail 2.2.0 : Sun Jul 13 2008 - 12:00:04 MDT