On 07/04/2012 05:34 PM, Amos Jeffries wrote:
> On 05.07.2012 10:00, Alex Rousskov wrote:
>>> 3478 - Host verify catching dynamic CDN hosted sites
>>> ** requires designing a CONNECT and bump handling mechanism
>>
>> I am not an expert on this, but it feels like we are trying to enforce a
>> [good] rule ignored by the [bad] real world, especially in interception
>> environments. As a result, Squid lies and scares admins for no good
>> reason (in most cases). We will not win this battle.
>>
>> I suggest that the "host_verify_strict off" behavior is adjusted to
>> cause no harm, even if some malicious requests will get through.

> It does that now. The "no harm" means we can't re-write the request
> headers to something we are not sure about and would actively cause
> problems if we got it wrong.

> The current state is that Squid goes DIRECT, instead of through peers.
> Breaking interception+cluster setups.

That last part means "do harm" to those admins who discover nonworking
setups that used to work fine (from their perspective). I understand
that your definition of "harm" may be different from theirs. This
conflict should be resolved by configuration knobs IMO.

> cache_peer relay is almost completely "disabled" for some major sites.
> Everything else works well.

Well, we can wait for somebody to complain about that and then decide
what to do, I guess. With some luck, nobody will complain.

I certainly do not insist on treating this issue as a blocker for v3.2
"stable" designation; only suggesting ways to close it.

Cheers,

Alex.
