Squid: Critical bug



  • Hi all,

    By accident I stumbled on a critical bug in squid which breaks functionality of both squid and other dependent packages like squidguard. The bug relates to transparent proxy and is present in both squid 2.x and 3.x.

    Scenario: You need to bypass certain addresses from squid, so you enter a domain (not an IP) in 'Bypass proxy for these destination IPs'. If the entered domain is mistyped so DNS fails, squid fails to start and logs this to the log. Sadly the GUI does not identify this, so the GUI shows squid is running when it is in fact running in pass-through mode.

    Result: The transparent proxy and any other dependent packages like squidguard simply passed every packet through, disregarding any rulesets.


  • Rebel Alliance Developer Netgate

    That's not a critical bug, it's a well-understood limitation. Use aliases there, not hostnames. Using hostnames there doesn't do what people want 99% of the time anyhow.



  • A configuration error which results in a malfunctioning proxy server that is displayed in the GUI as if everything is OK is a "well-understood limitation"!

    I can agree that it is a limitation by design, but I find it scary that the GUI signals that everything is OK.


  • Rebel Alliance Developer Netgate

    The GUI does not and cannot know that the hostname was mistyped. It doesn't verify that it resolves. It puts the address into the ruleset and then, some time later, pf will note that it failed to resolve.

    Take the safe route and place hostnames in an alias and reference the alias in the bypass lists. That way, even if it's typo'd, the worst you'd see is a log message saying that one host couldn't be resolved.



  • I think you have misunderstood me. It did not just stop filtering that hostname. It simply stopped filtering anything.
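A pre-flight check for the scenario described in this thread, added here as an example and not part of pfSense, squid or any post above: it takes the entries an operator intends to put in 'Bypass proxy for these destination IPs' and reports those that are neither a literal address/range nor a resolvable name, so a mistyped hostname is caught before the list is applied. The sample list and the offline resolver table are constructed; `live_resolver` uses the system DNS.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Constructed bypass list: literal IPs, a CIDR range, a correct hostname
# and a mistyped one (the typo case from the thread).
SAMPLE_BYPASS: List[str] = [
    "10.0.0.5",
    "192.168.10.0/24",
    "updates.example.com",
    "updats.example.com",
]

# Constructed stand-in for DNS so the check can be run offline.
FAKE_DNS: Dict[str, str] = {"updates.example.com": "203.0.113.10"}


def fake_resolver(name: str) -> bool:
    return name in FAKE_DNS


def live_resolver(name: str) -> bool:
    """True if the system resolver returns at least one address for name."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def check_bypass_entries(entries: List[str],
                         resolver: Callable[[str], bool] = live_resolver) -> List[str]:
    """Return entries that are neither a literal IP/CIDR nor a name the resolver
    can look up; these are the ones to fix before applying the bypass list."""
    unresolvable = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        try:
            ipaddress.ip_network(entry, strict=False)
            continue  # literal address or range: nothing to resolve
        except ValueError:
            pass  # not an IP literal, so treat it as a hostname
        if not resolver(entry):
            unresolvable.append(entry)
    return unresolvable
```

Run it against the real field contents with the default resolver; an empty result means every hostname resolved on this box at check time.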

