Hello,

I'm in the process of implementing an ICAP server, but I'm encountering the HostHeaderForgery issue quite often when accessing sites that I can reach over IPv6. I've read the KB entry about this. It lists that co-locating the NAT device and squid on the same machine, or enabling EDNS may resolve the issue. I'm wondering if my issue is specific to dual stack v4/v6 or to ICAP. Any suggestions for what I can try to work around this issue?

If this is specific to dual stack v4/v6, I'm here to beat my v6 migration drum and I'm willing to help out to resolve it.

My test environment: Linux laptop with dual stack ipv4/ipv6

- Fedora rawhide squid (squid-3.2.0.14-6.fc17.x86_64)
- resolve.conf has v4/v6 nameservers listed
- squid in intercept mode on same machine as web browser and icap server
- iptables redirect

    iptables -A OUTPUT -p tcp -m owner --uid-owner 23 -m tcp --dport 80 -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination localhost:3128

- squid config

    acl localnet src 192.168.0.0/16
    acl localnet src fc00::/7
    acl localnet src fe80::/10
    acl SSL_ports port 443
    acl Safe_ports port 80
    acl Safe_ports port 21
    acl Safe_ports port 443
    acl Safe_ports port 70
    acl Safe_ports port 210
    acl Safe_ports port 1025-65535
    acl Safe_ports port 280
    acl Safe_ports port 488
    acl Safe_ports port 591
    acl Safe_ports port 777
    acl CONNECT method CONNECT
    http_access allow localhost manager
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localnet
    http_access allow localhost
    http_access deny all
    http_port 3128 intercept
    server_persistent_connections on
    icap_enable on
    icap_send_client_ip on
    icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/request
    adaptation_access service_req allow all
    coredump_dir /var/spool/squid

-- 
James R. Leu
jleu@xxxxxxxxxxxxxx