
Re: squid interception


On 25.09.18 12:39, Yann Girardin wrote:
> We have encountered what we think is a strange behavior of Squid when in
> interception.  We know that it's not a bug but made on purpose, but we
> question ourselves on the why of this choice.
>
> We have a firewall that we have configured to redirect all TCP packets
> with the destination port set to 80 to the squid box.  This redirection is
> made by changing the destination IP to the address of the Squid box and

this is the wrong way to do interception and it opens the door to a security
vulnerability.

squid needs to know the destination IP, otherwise it does not know where it
has to connect.

The Host: header is NOT reliable info, because it can contain false
information. See the vulnerability info:

https://nvd.nist.gov/vuln/detail/CVE-2009-0801
https://www.kb.cert.org/vuls/id/435052

> destination port to 8080.  On the box, we set up Squid to listen to port
> 9090 in interception mode.  Moreover, we use some DNAT rules to redirect
> the traffic from port 8080 to port 9090.  Yes, we know that we shouldn't
> do that, but "we" includes some third parties.

the proper way to do interception is to forward packets to the squid host
without changing the destination I

https://wiki.squid-cache.org/SquidFaq/InterceptionProxy

--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
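As an added illustration (not code from this thread, and not Squid's own implementation), a small Python sketch of the check Matus is describing: an intercepting proxy on Linux recovers the pre-NAT destination from conntrack with SO_ORIGINAL_DST, connects there, and uses the client's Host: header only after verifying it resolves to that destination. If the upstream firewall already rewrote the destination IP to the proxy's own address, the lookup returns the proxy itself and Host: becomes the only hint, which is the CVE-2009-0801 situation; the sketch refuses in that case. Squid 3.2 and later perform an equivalent host verification. The resolver table, the proxy address set and the TEST-NET addresses below are constructed for the example.

```python
import socket
import struct
from typing import Callable, Iterable, Optional, Set, Tuple

# From linux/netfilter_ipv4.h; Python's socket module does not export it.
SO_ORIGINAL_DST = 80


class InterceptError(Exception):
    """Raised when an intercepted request cannot be forwarded safely."""


def original_destination(conn: socket.socket) -> Tuple[str, int]:
    """Ask conntrack for the address the client really connected to.

    Only works for IPv4 sockets on the Linux host where the REDIRECT/DNAT
    rule was applied, which is why packets must reach the proxy host with
    their destination IP intact (the point made in the thread).
    """
    raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    # struct sockaddr_in: sin_family(2) sin_port(2, network order) sin_addr(4) pad(8)
    port, packed_ip = struct.unpack("!2xH4s8x", raw)
    return socket.inet_ntoa(packed_ip), port


def host_header(request_head: bytes) -> Optional[str]:
    """Extract the Host: value from a raw HTTP request head (constructed, minimal parser)."""
    for line in request_head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def choose_upstream(
    original_dst: Tuple[str, int],
    proxy_addrs: Set[str],
    host: Optional[str],
    resolve: Callable[[str], Iterable[str]],
) -> Tuple[str, int, str]:
    """Decide where an intercepted request may be forwarded.

    Returns (ip, port, hostname) or raises InterceptError.  The connect target
    is always the pre-NAT destination; Host: only supplies the virtual-host
    name and is cross-checked against that destination.
    """
    ip, port = original_dst
    if ip in proxy_addrs:
        # The upstream firewall rewrote the destination IP before forwarding
        # (the setup described in the thread): the real destination is gone and
        # Host: is the only hint left.  Connecting wherever the client says is
        # the CVE-2009-0801 behaviour, so refuse instead.
        raise InterceptError("original destination lost in upstream NAT")
    if not host:
        raise InterceptError("intercepted request without Host: header")
    name, _, hport = host.partition(":")
    if hport and not hport.isdigit():
        raise InterceptError("malformed port in Host: header")
    if (int(hport) if hport else 80) != port:
        raise InterceptError(f"Host: port does not match original port {port}")
    if ip not in set(resolve(name)):
        # The client names a host that does not resolve to the address it
        # actually connected to: treat it as Host header forgery.
        raise InterceptError(f"Host: {name!r} does not resolve to {ip}")
    return ip, port, name


if __name__ == "__main__":
    # Constructed resolver and addresses (RFC 5737 TEST-NET ranges), not real hosts.
    table = {"www.example.com": ["203.0.113.10"]}
    resolve = lambda name: table.get(name, [])
    proxy = {"192.0.2.1"}
    head = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    print("forward to", choose_upstream(("203.0.113.10", 80), proxy, host_header(head), resolve))
    for dst, h in [(("203.0.113.10", 80), "intranet.example"),
                   (("192.0.2.1", 9090), "www.example.com")]:
        try:
            choose_upstream(dst, proxy, h, resolve)
        except InterceptError as err:
            print("refused:", err)
```

The second refused case in the demo is the thread's setup: the destination seen by the proxy host is its own address on the intercept port, so there is nothing independent of the client to verify Host: against, and the only safe answer is to not forward.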



