On 13/09/11 18:54, Jeff Chua wrote:
Amos,
Latest squid is prevent connection to my known servers without local
domain name. The version prior to June 15 allow connecting to URLs
without the fully qualified domain names as in "moose" instead of
"moose.xxx.com"
The latest squid is throw the follwing error:
2011/09/13 09:17:53.420 kid1| SECURITY ALERT: Host header forgery detected
on local=192.168.243.1:8080 remote=192.168.243.1:59291 FD 11 flags=1
(moose does not match moose.xxx.com)
Here's a patch to get around the problem. By specifying "append_domain
.xxx.com", squid should allows host that matches the domain part. This is
useful for get back the old behavior so I don't need to type the full
URLs for many sites at work I'm dealing with.
Thank you for reporting this.
The header forgery detection of regular proxy traffic only that the
URL domain name matches the Host: header content. Some RFC mandated
leniency permits the protocol default port to be optional on top of this.
Domain names with no dots are legitimate public FQDN. The URL is
expected to contain the abbreviated hostname and the Host: header also
contain that abbreviated name. Such that both match and pass under
exactly the same criteria as any other traffic.
For example, these requests are regular traffic through my test Squid:
2011/09/13 20:07:43.843| HTTP Client REQUEST:
---------
GET http://troja/ HTTP/1.1
Host: troja
User-Agent: Mozilla/5.0 (X11; Linux i686) <snip>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip
Accept-Language: en-nz, en;q=0.90
----------
Squid applied append_domain only later in the processing.
If your client agent is requesting a mixture of no-dots and dotted
domain names something is broken outside of the verify procedure and
needs to be fixed. Are you able to investigate a little further as to
what the received syntax is and where it is coming from please?
(a trace like the above can be found at debug level 11,2 in your Squid)
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.15
Beta testers wanted for 3.2.0.11
