I think that to eliminate this error you need to splice all torified connections, i.e. configure your squid something like this:

# SSL bump rules
# Step 1: only peek, so the SNI name is seen but the TLS handshake is left intact
acl step1 at_step SslBump1
ssl_bump peek step1
# Server names that must be spliced (never bumped): the general no-bump list
# plus the list of Tor destinations
acl Splice ssl::server_name_regex -i "/usr/local/squid/etc/url.nobump"
acl Splice ssl::server_name_regex -i "/usr/local/squid/etc/url.tor"
ssl_bump splice Splice
# net_bump: the ACL selecting the traffic that is bumped (not shown)
ssl_bump bump net_bump

# Privoxy+Tor access rules
# tor_url: the ACL for Tor destinations; these must go via the Privoxy parent,
# never directly (ACL and cache_peer not shown)
never_direct allow tor_url

and, consequently, url.nobump and url.tor are partially the same.

28.12.15 4:13, Jason Haar wrote:
> Hi there
>
> I use TOR a bit for testing our WAFs and found that it no longer worked
> on my test network that has squid configured in TLS intercept mode. I
> currently have squid configured to "splice only" (with peek to get the
> SNI name) - ie no bumping - purely so that the squid access_log file
> contains better records on HTTPS hostnames
>
> 2015/12/28 09:22:04.189 kid1| SECURITY ALERT: Host header forgery
> detected on local=194.109.206.212:443 remote=192.168.0.21:40427 FD 30
> flags=33 (local IP does not match any domain IP)
> 2015/12/28 09:22:04.189 kid1| SECURITY ALERT: By user agent:
> 2015/12/28 09:22:04.189 kid1| SECURITY ALERT: on URL: www.z2b4e372r4.com:443
>
> Removing the redirect of tcp/443 totally fixes the problem.
>
> Anyway, it would appear that squid-3.5.10 in splice-only mode still
> enables the "Host header forgery" check? Surely if all you are doing is
> splice-only, it shouldn't be doing that check at all? ie I could
> understand triggering blocking actions if squid was part of the
> transaction in bump-mode - but when it's "only looking", it is exactly
> the same as not doing splice at all - so why trigger the Host header check?
>
> It does look like TOR has something equivalent to a /etc/hosts file with
> fake DNS names - so it's quite understandable that this freaks squid out.
> Actually, if squid cannot resolve an SNI hostname, shouldn't that skip
> the Host name check?
>
> Also, this isn't that easy to test: it would appear that once I turned
> off intercept and successfully used TOR, it must have cached a bunch of
> things because I then re-enabled intercept and it's no longer making any
> tcp/443 connections - it goes straight out on other "native" TOR ports.
> So it may be this can only be tested on a fresh install (or after some
> cache timeout period)

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
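The fragment quoted in the reply above references an intercept port, the ACLs net_bump and tor_url and a Privoxy parent that the post itself does not define. The following squid.conf excerpt is an added example (not the poster's configuration) that fills those pieces in so the rules can be read as a whole; the port numbers, certificate path, client network, peer name and the list-file contents are all assumptions.

```conf
# Added example, not from the original post. Everything below that is not
# in the poster's fragment (ports, cert path, 192.168.0.0/24, the peer
# name "privoxy" and its port 8118) is an assumption.

# Transparent HTTPS interception with SSL-Bump. Traffic on tcp/443 is
# redirected here by the firewall (the redirect Jason mentions removing).
https_port 3129 intercept ssl-bump \
    cert=/usr/local/squid/etc/ssl/squid.pem \
    generate-host-certificates=on

# List files: one regular expression per line, matched case-insensitively
# against the TLS SNI obtained by peeking, e.g. "\.onion$" in url.tor.
acl Splice  ssl::server_name_regex -i "/usr/local/squid/etc/url.nobump"
acl Splice  ssl::server_name_regex -i "/usr/local/squid/etc/url.tor"
acl tor_url ssl::server_name_regex -i "/usr/local/squid/etc/url.tor"

# Clients whose remaining TLS traffic is bumped (assumed test network).
acl net_bump src 192.168.0.0/24

# Step 1: peek only, so the SNI is available for the ACLs and access_log
# while the ClientHello is passed through unmodified.
acl step1 at_step SslBump1
ssl_bump peek step1
# Later steps: splice the listed names (Tor and no-bump sites), bump the
# rest of the test network, and fall back to splice for everything else.
ssl_bump splice Splice
ssl_bump bump net_bump
ssl_bump splice all

# Parent proxy: Privoxy, which in turn forwards to Tor. Tor destinations
# must never be fetched directly by Squid, only through this peer.
cache_peer 127.0.0.1 parent 8118 0 no-query no-digest name=privoxy
cache_peer_access privoxy allow tor_url
cache_peer_access privoxy deny all
never_direct allow tor_url
```

Run `squid -k parse` after editing to catch directive errors, and confirm in cache.log that Tor destinations are spliced and sent to the peer rather than the original IP; whether this routing alone silences the forgery alert on the intercepted fake CONNECT is the poster's suggestion and should be checked against your own Squid version.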