Search squid archive

Re: Squid 3.2.0.14 beta is available

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 14/12/2011 10:02 p.m., Saleh Madi wrote:
Dears all,

The "www.facebook.com" not work in the TPROXY mode because the problem of
the  "Host header forgery detected", the TPROXY is nice feature and we
needed  it for the spoofing the client IP address. I think the squid
developers need to Think about this problem,  I hope we can fix this
problem.

Spent two years thinking about this implementation. What we have today is down to these cases:

* client A sends packet requesting http://example.com/ to machine IP a.b.c.d
 * packet gets intercepted into Squid instead
* example.com DNS lookup informs Squid example.com has IP address e.f.g.h (and no others) * Squid alerts: local IP (a.b.c.d) does not match (exist in) the domain IPs (e.f.g.h)

* client B sends packet requesting http://example.com/ to machine IP w.x.y.z
 * packet gets intercepted into Squid instead
* example.com DNS lookup informs Squid example.com has IP address e.f.g.h (and no others) * Squid alerts: local IP (w.x.y.z) does not match (exist in) the domain IPs (e.f.g.h)

* client C sends packet requesting http://example.com/ to machine IP e.f.g.h
 * packet gets intercepted into Squid instead
* example.com DNS lookup informs Squid example.com has IP address e.f.g.h (and no others)
 * Squid relays the request out to e.f.g.h

HTTP header for all three requests is exactly identical. Only the packet IPs change.


Problem #1: Is client A or B both hijackers? or is one of them friendly?
* lookup "cross-site scripting" (XSS) and the side effects.

Problem #2: Is the machine at a.b.c.d or at w.x.y.z going to return the correct data or something dangerous?
 * lookup "cache poisoning" and the side effects.

If anyone can produce code to answer those questions accurately they will have solved your alert. I am hoping one day to allowing the request/reply to go through as a private transaction for that one client without affecting any existing cached content. That would limit the infection damage to only that client. But requires changes to the storage which are not yet done in the 3.2 series.

Meanwhile ensure the recursive DNS resolvers used by your intercepted clients are the one(s) used by the Squid intercepting proxy.

I have checked all the websites you mention. They all have fixed DNS IP results with answers based on the IP of the resolver being used to find them. This means that if your clients and Squid used the same recursive DNS resolver(s) they would get the same answers and Squid would not alert.

Amos


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux