Search squid archive

Re: Response Blocked from sites with multiple IPs (Host Header Forgery)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Title: RE: Response Blocked from sites with multiple IPs (Host Header Forgery)

Hey,

There are couple basic missing parts about the setup.

-       What OS are you using?

-       How do you Intercept the connections? Tproxy? Intercept?

-       Do the client use the same DNS server as the proxy server?

-       Are you using some kind of local caching service? Such as Bind\Unbound\PowerDNS\else?

-       Is it a self compiled version of squid or from a package?

All the above can affect the way we can help you.

Eliezer

----

Eliezer Croitoru

Linux System Administrator

Mobile: +972-5-28704261

Email: eliezer@xxxxxxxxxxxx

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Eng Hooda
Sent: Thursday, June 9, 2016 9:09 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Response Blocked from sites with multiple IPs (Host Header Forgery)

Hello Squid Users,

I have just started using squid less than a week ago .

My setup is a transparent proxy with sslbump , I peek for media streaming sites then terminate their connections then I splice all.

I noticed that some https sites (not all of the time) , does not respond , when Investigated I found the following in cache.log :

3105 2016/06/09 12:45:40.630 kid1| SECURITY ALERT: on URL: mail.live.com:443

3106 2016/06/09 12:45:40.631 kid1| SECURITY ALERT: Host header forgery detected on local=157.55.43.16:443 remote=10.3.1.80:58328 FD 94 flags=33 (local IP does not match any domain IP)

3330 2016/06/09 13:26:26.676 kid1| SECURITY ALERT: on URL: mail.live.com:443

3331 2016/06/09 13:26:26.676 kid1| SECURITY ALERT: Host header forgery detected on local=157.56.122.210:443 remote=10.3.1.80:58414 FD 141 flags=33 (local IP does not match any domain IP)

3530 2016/06/09 13:49:49.481 kid1| SECURITY ALERT: on URL: mail.live.com:443

3531 2016/06/09 13:49:49.481 kid1| SECURITY ALERT: Host header forgery detected on local=157.55.43.17:443 remote=10.3.1.80:58616 FD 119 flags=33 (local IP does not match any domain IP)

I searched for a solution which lead me to (1st result)  : 

http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery

I read it and it seems to be a dead end .

What I understood that client requested page from a certain IP , reply came from another IP then it's blocked for security reasons.

Well I tried to nslookup the mentioned IPs , and all of them are sub domains of mail.live.com nslookup 157.55.43.16

Server:  google-public-dns-a.google.com

Address:  8.8.8.8

Name:    origin.du111w.dub111.mail.live.com

Address:  157.55.43.16

nslookup 157.56.122.210

Server:  google-public-dns-a.google.com

Address:  8.8.8.8

Name:    origin.du125w.dub125.mail.live.com

Address:  157.56.122.210

nslookup 157.55.43.17

Server:  google-public-dns-a.google.com

Address:  8.8.8.8

Name:    origin.du112w.dub112.mail.live.com

Address:  157.55.43.17

also tried to nslookup mail.live.com , and every time I get different IPs

nslookup mail.live.com

Server:  google-public-dns-a.google.com

Address:  8.8.8.8

Non-authoritative answer:

Name:    dispatch.kahuna.glbdns2.microsoft.com

Addresses:  157.56.195.156

157.55.235.51

Aliases:  mail.live.com

nslookup mail.live.com

Server:  google-public-dns-a.google.com

Address:  8.8.8.8

Non-authoritative answer:

Name:    dispatch.kahuna.glbdns2.microsoft.com

Addresses:  157.55.235.49

157.56.122.210

Aliases:  mail.live.com

nslookup mail.live.com

Server:  google-public-dns-a.google.com

Address:  8.8.8.8

Non-authoritative answer:

Name:    dispatch.kahuna.glbdns2.microsoft.com

Addresses:  157.55.43.16

157.55.43.17

Aliases:  mail.live.com

nslookup mail.live.com

Server:  google-public-dns-a.google.com

Address:  8.8.8.8

Non-authoritative answer:

Name:    dispatch.kahuna.glbdns2.microsoft.com

Addresses:  157.55.235.51

157.56.122.208

Aliases:  mail.live.com

nslookup mail.live.com

Server:  google-public-dns-a.google.com

Address:  8.8.8.8

Non-authoritative answer:

Name:    dispatch.kahuna.glbdns2.microsoft.com

Addresses:  157.55.235.51

157.56.122.208

Aliases:  mail.live.com

nslookup mail.live.com

Server:  google-public-dns-a.google.com

Address:  8.8.8.8

Non-authoritative answer:

Name:    dispatch.kahuna.glbdns2.microsoft.com

Addresses:  157.55.235.48

157.55.235.49

Aliases:  mail.live.com

nslookup mail.live.com

Server:  google-public-dns-a.google.com

Address:  8.8.8.8

Non-authoritative answer:

Name:    dispatch.kahuna.glbdns2.microsoft.com

Addresses:  157.55.235.49

157.56.122.210

Aliases:  mail.live.com

So can't squid learn that big sites have a lot of IPs mapped as sub-domains of it , and they may reply from any of them ?

Or just provide an option to disable this problematic security feature ?

or Am I missing something here ?

Thanks You all in advance.

Best Regards,

Eng Hooda

_______________________________________________

squid-users mailing list

squid-users@xxxxxxxxxxxxxxxxxxxxx

http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux