On 24/04/18 04:03, Stephen Nelson-Smith wrote:
> Hi,
>
> On Mon, Apr 23, 2018 at 4:48 PM, Stephen Nelson-Smith wrote:
>
>> Adding that functionality would be an option,

I think that is worth asking Mark Nottingham about adding that functionality.

>> but am I right in
>> thinking squid should be able to infer the destination from the host
>> header?

No, that is rather dangerous. The CVE-2009-0801 and related nest of vulnerabilities are opened up if the Host header is trusted by a proxy.

>>
>> Just looking at the documentation for http_port, would adding
>> 'intercept' help, or is that explicitly for interception caching in
>> conjunction with a traffic filter?
>
> Adding `intercept` to `http_port` has resulted in the host header
> appearing as the URL in the request.
>
> Squid is now giving a 403... which it shouldn't... I think:
>
> 1524498993.558 0 10.8.0.33 TCP_MISS/403 3985 GET
> http://www.openstreetmap.com/ - HIER_NONE/- text/html
> 1524498993.559 0 10.8.2.19 TCP_MISS/403 4077 GET
> http://www.openstreetmap.com/ - ORIGINAL_DST/10.8.0.33 text/html
>

That is the CVE-2009-0801 protections doing their thing for intercept'ed traffic (second log line). The 10.8.0.33 IP is where the client was apparently going before MITM'd into the proxy, so the server there MUST be able to handle whatever the client is expecting back regardless of whether the proxy trusts it for caching purposes.

But 10.8.0.33 is your Squid, so the traffic loops (first log line). Squid detects the loop and rejects it to prevent infinite memory and TCP port numbers being consumed.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
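The two access.log lines quoted above are the whole diagnosis: an intercepted request whose ORIGINAL_DST is the proxy's own address, followed by the proxy rejecting the request it would otherwise make to itself. The script below is an added example, not code from the thread or from the Squid project; it parses Squid's default native access.log layout (time, elapsed, client, code/status, bytes, method, URL, ident, hierarchy/peer, type) and flags that loop pattern when given the proxy's own addresses. The sample lines are reconstructed from the ones in the message, and the "self-request rejected" heuristic is this script's interpretation of the first log line, not a Squid internal.

```python
"""Spot intercept loops (ORIGINAL_DST pointing back at the proxy) in Squid's
native access.log format.  Added example; assumes the default native layout.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass
class AccessEntry:
    timestamp: float
    elapsed_ms: int
    client: str
    result: str        # e.g. TCP_MISS
    status: int        # e.g. 403
    size: int
    method: str
    url: str
    ident: str
    hierarchy: str     # e.g. ORIGINAL_DST, HIER_NONE
    peer: str          # peer host after the '/', or '-'
    content_type: str


def parse_access_line(line: str) -> Optional[AccessEntry]:
    """Parse one native-format line; None for blank or malformed input.

    Only the first ten whitespace-separated fields are used, so a logformat
    that appends extra fields still parses.
    """
    fields = line.split()
    if len(fields) < 10:
        return None
    result, _, status = fields[3].partition("/")
    hierarchy, _, peer = fields[8].partition("/")
    try:
        return AccessEntry(
            timestamp=float(fields[0]),
            elapsed_ms=int(fields[1]),
            client=fields[2],
            result=result,
            status=int(status),
            size=int(fields[4]),
            method=fields[5],
            url=fields[6],
            ident=fields[7],
            hierarchy=hierarchy,
            peer=peer,
            content_type=fields[9],
        )
    except ValueError:
        return None


def find_intercept_loops(lines: Iterable[str], proxy_addrs: Set[str]) -> List[str]:
    """Return one finding per entry that indicates traffic looping back into
    the proxy.  proxy_addrs is the set of addresses Squid itself listens on
    (assumption: the operator supplies these; the log cannot tell us)."""
    findings: List[str] = []
    for line in lines:
        e = parse_access_line(line)
        if e is None:
            continue
        # Intercepted request whose original destination is the proxy itself:
        # the client was on its way to us before being redirected into us.
        if e.hierarchy == "ORIGINAL_DST" and e.peer in proxy_addrs:
            findings.append(
                f"loop: client {e.client} intercepted en route to {e.peer} "
                f"(a proxy address) for {e.url}"
            )
        # Companion entry: the proxy is the client, no hierarchy was used and
        # the request was refused.  Heuristic for Squid's loop rejection.
        elif e.client in proxy_addrs and e.hierarchy == "HIER_NONE" and e.status == 403:
            findings.append(
                f"self-request rejected: proxy {e.client} asked itself for {e.url}"
            )
    return findings


# Constructed sample: the two lines from the thread, unwrapped onto one line each.
SAMPLE_LOG = """\
1524498993.558      0 10.8.0.33 TCP_MISS/403 3985 GET http://www.openstreetmap.com/ - HIER_NONE/- text/html
1524498993.559      0 10.8.2.19 TCP_MISS/403 4077 GET http://www.openstreetmap.com/ - ORIGINAL_DST/10.8.0.33 text/html
"""

# Assumption: 10.8.0.33 is the Squid host, as Amos states in the reply.
PROXY_ADDRS = {"10.8.0.33"}

if __name__ == "__main__":
    for finding in find_intercept_loops(SAMPLE_LOG.splitlines(), PROXY_ADDRS):
        print(finding)
```

Run against a real access.log, the only input that matters is PROXY_ADDRS: any ORIGINAL_DST that lands in that set means the redirect rule (or a default route) is sending the proxy's own traffic back through the intercept port, which is the misconfiguration to fix rather than the 403.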