Squid configuration directive client_dst_passthru
History:
- Changes in 3.2 client_dst_passthru
-
New setting to disable extra Host: header security on interception proxies. Impacts cache integrity/reliability and client browser security.
IMPORTANT: disabling this directive only allows Squid to change the destination IP to another source indicated by Host: domain DNS or cache_peer configuration. It does not affect Host: validation.
Configuration Details:
| Option Name: | client_dst_passthru |
|---|---|
| Replaces: | |
| Requires: | |
| Default Value: | client_dst_passthru on |
| Suggested Config: |
|
With NAT or TPROXY intercepted traffic Squid may pass the request directly to the original client destination IP or seek a faster source using the HTTP Host header. Using Host to locate alternative servers can provide faster connectivity with a range of failure recovery options. But can also lead to connectivity trouble when the client and server are attempting stateful interactions unaware of the proxy. This option (on by default) prevents alternative DNS entries being located to send intercepted traffic DIRECT to an origin server. The clients original destination IP and port will be used instead. Regardless of this option setting, when dealing with intercepted traffic Squid will verify the Host: header and any traffic which fails Host verification will be treated as if this option were ON. see host_verify_strict for details on the verification process. |
|
Search
Introduction
- About Squid
- Why Squid?
- Squid Developers
- How to Help Out or Donate
- Getting Squid
- Squid Source Packages
- Squid Deployment Case-Studies
- Squid Software Foundation
Documentation
- Configuration:
- FAQ and Wiki
- Guide Books:
- Non-English
- More...
Support
- Security Advisories
- Bugzilla Database
- Mailing lists
- Contacting us
- Commercial services
- Project Sponsors
- Squid-based products
Miscellaneous
- Developer Resources
- Related Writings
- Related Software:
- Squid Artwork