On 13/12/2011 8:48 p.m., Saleh Madi wrote:
Thanks Amos for your good work. From the squid-3.2.0.13 and squid-3.2.0.14 versions we are facing a big problem with "SECURITY ALERT: By user agent" and "SECURITY ALERT: on URL". The squid box and the clients are using the same DNS servers. What do flags=33 and flags=17 mean in the cache log file, and how can I disable the SECURITY ALERT?

squid config:
http_port 192.168.95.20:3129 transparent

iptables:
iptables -t nat -A WEBPROXY -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3129

cache.log:
2011/12/13 09:23:48.529 kid1| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
2011/12/13 09:23:48.529 kid1| SECURITY ALERT: on URL: http://www.facebook.com/ajax/chat/send.php?__a=1
These are two additional lines of data about the Host forgery alert.
2011/12/13 09:23:48.597 kid1| SECURITY ALERT: Host header forgery detected on local=66.220.147.33:80 remote=10.0.2.45:37086 FD 270 flags=33 (local IP does not match any domain IP)
2011/12/13 09:23:48.597 kid1| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
2011/12/13 09:23:48.597 kid1| SECURITY ALERT: on URL: http://www.facebook.com/ajax/chat/user_info.php?__a=1&ids[0]=1521437876&__user=100000212560683
Squid has resolved the domain name (www.facebook.com) the client (10.0.2.45) was supposedly contacting and determined that the IP (66.220.147.33) the packet was going to does not belong to that domain name.
Details about the alert and some things which can be done about it when it appears are at http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
Amos
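
A triage sketch for the alerts discussed in this thread, added as an example and not part of the original messages or of Squid: it groups the three-line Host forgery alerts from cache.log by client, Host name and destination IP, and sets aside detail lines whose header line is missing. The function names are hypothetical, and the sample is the log text quoted above, re-broken one entry per line.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: the cache.log entries quoted in the thread, one per line.
SAMPLE_LOG = """\
2011/12/13 09:23:48.529 kid1| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
2011/12/13 09:23:48.529 kid1| SECURITY ALERT: on URL: http://www.facebook.com/ajax/chat/send.php?__a=1
2011/12/13 09:23:48.597 kid1| SECURITY ALERT: Host header forgery detected on local=66.220.147.33:80 remote=10.0.2.45:37086 FD 270 flags=33 (local IP does not match any domain IP)
2011/12/13 09:23:48.597 kid1| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
2011/12/13 09:23:48.597 kid1| SECURITY ALERT: on URL: http://www.facebook.com/ajax/chat/user_info.php?__a=1&ids[0]=1521437876&__user=100000212560683
"""

LINE = re.compile(r"^(\S+ \S+) (kid\d+)\| SECURITY ALERT: (.*)$")
HEAD = re.compile(r"Host header forgery detected on local=(\S+):(\d+) "
                  r"remote=(\S+):(\d+) .*?\((.*)\)$")

def parse_alerts(text):
    """Group Host forgery alerts; return (alerts, orphaned detail lines)."""
    alerts, orphans, current = [], [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a SECURITY ALERT line
        stamp, kid, body = m.groups()
        head = HEAD.match(body)
        if head:
            current = {"time": stamp, "kid": kid, "dst_ip": head[1],
                       "client": head[3], "reason": head[5]}
            alerts.append(current)
        elif body.startswith(("By user agent: ", "on URL: ")):
            key, _, value = body.partition(": ")
            # Detail lines attach only to a header from the same worker and timestamp.
            if current and (current["time"], current["kid"]) == (stamp, kid):
                if key == "on URL":
                    current["url"] = value
                    current["host"] = urlsplit(value).hostname
                else:
                    current["user_agent"] = value
            else:
                orphans.append(raw)
    return alerts, orphans

def summarize(alerts):
    """Count alerts per (client IP, Host name, destination IP the packet was sent to)."""
    return Counter((a["client"], a.get("host"), a["dst_ip"]) for a in alerts)
```

The per-client counts show which (Host name, destination IP) pairs to compare against what the proxy's own resolver returns for that name.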