Host header forgery detected after upgrade from 3.5.8 to 3.5.9

Hi everyone,

I have a Squid setup on a Linux box with transparent interception of both HTTP and HTTPS traffic. Everything worked fine with Squid 3.5.6. After upgrading to version 3.5.10, I get many warnings about host header forgery:

 SECURITY ALERT: Host header forgery detected on local=104.46.50.125:443 remote=192.168.9.126:52588 FD 22 flags=33 (local IP does not match any domain IP)
 SECURITY ALERT: By user agent:
 SECURITY ALERT: on URL: nexus.officeapps.live.com:443

These warnings all seem to occur for https web sites that use multiple DNS records. The warnings coincide with the fact that the clients are unable to get the requested page.

I've read the wiki page http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
and I can assert that:
- we do NAT on the same box that is running Squid
- both squid and the clients use the same DNS server

I've also tested 3.5.9, and this version also showed these warnings.
Version 3.5.7 worked fine, and 3.5.8 did too.

So, one of the changes in 3.5.9 caused this behaviour.

Can anyone shed some more light on this? Is this a problem in my setup that surfaced with 3.5.9, or is it a problem in Squid?

Thanks a lot for any help,

Roel


My (abbreviated) config:

http_port 192.168.9.1:3128 ssl-bump cert=/etc/ssl/certs/server.pem
http_port 192.168.9.1:3129 intercept
https_port 192.168.9.1:3130 intercept ssl-bump cert=/etc/ssl/certs/server.pem
icp_port 0

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl port-direct myportname 192.168.9.1:3128
ssl_bump none port-direct
acl port-trans_https myportname 192.168.9.1:3130
external_acl_type sni children-max=3 children-startup=1 %URI %SRC %METHOD %ssl::>sni /usr/bin/squidGuard-aclsni
acl checksni external sni

ssl_bump peek port-trans_https step1
ssl_bump terminate port-trans_https step2 checksni
ssl_bump splice port-trans_https all

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
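An added triage script (not part of the original post or of Squid) that parses the three-line SECURITY ALERT groups quoted above out of cache.log and replays the check the alert text describes: the intercepted destination IP (local=) must be one of the addresses the proxy's own resolver returned for the SNI/Host name. The log excerpt and the resolver answer set are constructed; a name that shows up with several distinct destination IPs is the multi-record / round-robin case the post suspects.

```python
import re
from collections import defaultdict

# Constructed cache.log excerpt, modelled on the alert quoted in the post.
SAMPLE_LOG = """\
2015/10/20 10:15:01| SECURITY ALERT: Host header forgery detected on local=104.46.50.125:443 remote=192.168.9.126:52588 FD 22 flags=33 (local IP does not match any domain IP)
2015/10/20 10:15:01| SECURITY ALERT: By user agent:
2015/10/20 10:15:01| SECURITY ALERT: on URL: nexus.officeapps.live.com:443
2015/10/20 10:15:07| SECURITY ALERT: Host header forgery detected on local=104.46.50.126:443 remote=192.168.9.130:49122 FD 25 flags=33 (local IP does not match any domain IP)
2015/10/20 10:15:07| SECURITY ALERT: By user agent:
2015/10/20 10:15:07| SECURITY ALERT: on URL: nexus.officeapps.live.com:443
"""

ALERT_RE = re.compile(
    r"Host header forgery detected on local=(?P<local>[\d.]+):\d+ remote=(?P<remote>[\d.]+):\d+")
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<host>[^:\s]+)")


def parse_alerts(log_text):
    """Pair each 'forgery detected' line with the 'on URL' line that follows it."""
    alerts, pending = [], None
    for line in log_text.splitlines():
        if m := ALERT_RE.search(line):
            pending = {"local": m["local"], "remote": m["remote"]}
        elif (m := URL_RE.search(line)) and pending is not None:
            pending["host"] = m["host"]
            alerts.append(pending)
            pending = None
    return alerts


def replay_check(alerts, proxy_dns):
    """Simplified model of the check behind the alert: the destination IP must be
    among the addresses the proxy's resolver returned for the name.
    proxy_dns is a constructed {hostname: set_of_ips} standing in for that resolver."""
    return [(a["host"], a["local"], a["local"] in proxy_dns.get(a["host"], set())) for a in alerts]


def summarize(alerts):
    """Per host: (alert count, number of distinct destination IPs seen).
    Several IPs for one name is the signature of a multi-record / round-robin name."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["local"])
    return {h: (sum(1 for a in alerts if a["host"] == h), len(ips)) for h, ips in by_host.items()}


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_LOG)
    # Constructed resolver view: the proxy currently holds only one of the name's addresses.
    for host, ip, ok in replay_check(found, {"nexus.officeapps.live.com": {"104.46.50.125"}}):
        print(f"{host} -> {ip}: {'matches resolver' if ok else 'NOT in resolver answer'}")
    print(summarize(found))
```

Pointing the script at a real cache.log and feeding replay_check the A records your resolver currently returns for each flagged name shows whether the mismatches line up with names that rotate between several addresses.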






