Re: SECURITY ALERT generated by squid in events

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

On Sun, 27 Nov 2011 23:36:23 +0100, David Touzeau wrote:
> Dear
>
> I have this squid version :
>
> Squid Cache: Version 3.2.0.13-20111125-r11436
> configure options:  '--prefix=/usr' '--includedir=/include'
> '--mandir=/share/man' '--infodir=/share/info' '--localstatedir=/var'
> '--libexecdir=/lib/squid3' '--disable-maintainer-mode'
> '--disable-dependency-tracking' '--srcdir=.'
> '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
> '--enable-gnuregex' '--enable-forward-log'
> '--enable-removal-policy=heap' '--enable-follow-x-forwarded-for'
> '--enable-http-violations' '--enable-large-cache-files'
> '--enable-removal-policies=lru,heap' '--enable-err-languages=English'
> '--enable-default-err-language=English' '--with-maxfd=32000'
> '--with-large-files' '--disable-dlmalloc' '--with-pthreads'
> '--enable-esi' '--enable-storeio=aufs,diskd,ufs,rock'
> '--with-aufs-threads=10' '--with-maxfd=16384'
> '--enable-x-accelerator-vary' '--with-dl' '--enable-truncate'
> '--enable-linux-netfilter' '--with-filedescriptors=16384'
> '--enable-wccpv2' '--enable-eui' '--enable-auth' 
> '--enable-auth-basic'
> '--enable-auth-digest' '--enable-auth-negotiate-helpers'
> '--enable-log-daemon-helpers' '--enable-url-rewrite-helpers'
> '--enable-auth-ntlm' '--with-default-user=squid' 
> '--enable-icap-client'
> '--enable-cache-digests' '--enable-icap-support' '--enable-poll'
> '--enable-epoll' '--enable-async-io' '--enable-delay-pools'
> 'CFLAGS=-DNUMTHREADS=60 -O3 -pipe -fomit-frame-pointer -funroll-loops
> -ffast-math -fno-exceptions'
>
> I cannot browse trough Internet and receive many errors in syslog :
>
> Nov 27 23:32:57 gibrat squid[15355]: SECURITY ALERT: By user agent:
> Opera/9.80 (X11; Linux i686; U; fr) Presto/2.9.168 Version/11.52
> Nov 27 23:32:57 gibrat squid[15355]: SECURITY ALERT: on URL:
> http://192.168.1.1:49152/rootDesc.xml
> Nov 27 23:32:59 gibrat squid[15355]: SECURITY ALERT: By user agent:
> Opera/9.80 (X11; Linux i686; U; fr) Presto/2.9.168 Version/11.52
> Nov 27 23:32:59 gibrat squid[15355]: SECURITY ALERT: on URL:
> http://clients1.google.com/complete/search?q=no-ip&client=opera&hl=fr
>
> Is it normal ??

These are the 2nd and 3rd lines of a "Host: header forgery" alert. The 
first line explains what is being detected as wrong, these are the 
supporting data to help track it down.

Having just read your config details in the other thread, I expect this 
is caused by a combination of your incomplete iptables NAT intercept 
rules, and testing by configuring the browser to use the proxy NAT port 
directly. That type of setup is dangerous and can expect this rejection 
in 3.2.

Amos