
Re: [PATCH] Host header forgery detected even with appendDomain

On 13/09/11 18:54, Jeff Chua wrote:


Amos,

The latest squid is preventing connection to my known servers without the local
domain name. The version prior to June 15 allowed connecting to URLs
without the fully qualified domain names, as in "moose" instead of
"moose.xxx.com".

The latest squid is throwing the following error:

2011/09/13 09:17:53.420 kid1| SECURITY ALERT: Host header forgery detected
on local=192.168.243.1:8080 remote=192.168.243.1:59291 FD 11 flags=1
(moose does not match moose.xxx.com)


Here's a patch to get around the problem. By specifying "append_domain
.xxx.com", squid should allow hosts that match the domain part. This is
useful for getting back the old behavior so I don't need to type the full
URLs for the many sites at work I'm dealing with.


Thank you for reporting this.

The header forgery detection of regular proxy traffic only checks that the URL domain name matches the Host: header content. Some RFC-mandated leniency permits the protocol default port to be optional on top of this.

Domain names with no dots are legitimate public FQDNs. The URL is expected to contain the abbreviated hostname and the Host: header to also contain that abbreviated name, such that both match and pass under exactly the same criteria as any other traffic.

For example, these requests are regular traffic through my test Squid:
2011/09/13 20:07:43.843| HTTP Client REQUEST:
---------
GET http://troja/ HTTP/1.1
Host: troja
User-Agent: Mozilla/5.0 (X11; Linux i686) <snip>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip
Accept-Language: en-nz, en;q=0.90


----------

Squid applied append_domain only later in the processing.


If your client agent is requesting a mixture of no-dots and dotted domain names something is broken outside of the verify procedure and needs to be fixed. Are you able to investigate a little further as to what the received syntax is and where it is coming from please?
(a trace like the above can be found at debug level 11,2 in your Squid)

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.15
  Beta testers wanted for 3.2.0.11
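The comparison Amos describes (URL host against Host: header, with the scheme's default port optional) can be modelled in a few lines. The following is an added illustration written for this page, not Squid's own verification code; the request texts, the function names and the `DEFAULT_PORTS` table are constructed for the example. It shows why a request carrying `http://moose/` with `Host: moose.xxx.com` is rejected while `http://troja/` with `Host: troja` passes, and why `http://troja:80/` still matches `Host: troja`.

```python
"""Added example: a model of the Host-header consistency check discussed in the
thread. Illustrative only; this is not Squid's implementation."""
from urllib.parse import urlsplit

# Assumption for the example: only these schemes, with their default ports.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample requests (not captured traffic).
REQUEST_OK = (
    "GET http://troja/ HTTP/1.1\r\n"
    "Host: troja\r\n"
    "User-Agent: example\r\n"
    "\r\n"
)
REQUEST_FORGED = (
    "GET http://moose/ HTTP/1.1\r\n"
    "Host: moose.xxx.com\r\n"
    "\r\n"
)


def host_port(authority, scheme):
    """Split 'host[:port]' into (host, port), filling in the scheme default
    when no explicit port is present. Hostnames are compared case-insensitively
    and without a trailing dot."""
    host, sep, port = authority.rpartition(":")
    if not sep or not port.isdigit():
        # No explicit numeric port: fall back to the scheme default.
        host, port = authority, DEFAULT_PORTS[scheme]
    return host.lower().rstrip("."), int(port)


def host_header_matches(url, host_header):
    """Return (ok, reason). ok is True when the Host: header names the same
    host and effective port as the absolute request URL."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.netloc:
        return False, "URL is relative or uses an unsupported scheme"
    url_host, url_port = host_port(parts.netloc, parts.scheme)
    hdr_host, hdr_port = host_port(host_header, parts.scheme)
    if (url_host, url_port) == (hdr_host, hdr_port):
        return True, "ok"
    return False, "URL host %s:%d does not match Host: header %s:%d" % (
        url_host, url_port, hdr_host, hdr_port)


def parse_request(raw):
    """Parse a forward-proxy request head into (absolute_url, headers dict)."""
    lines = raw.split("\r\n")
    _method, url, _version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return url, headers


def check_request(raw):
    """Run the consistency check over a raw request head."""
    url, headers = parse_request(raw)
    return host_header_matches(url, headers.get("host", ""))


if __name__ == "__main__":
    for req in (REQUEST_OK, REQUEST_FORGED):
        print(check_request(req))
```

Note that the check is purely syntactic: it never resolves either name, so any rewriting of the URL host (such as append_domain) that happens after the comparison cannot influence its outcome, which is consistent with Amos's remark that append_domain is applied later in processing.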

