Re: Squid proxy will forward message with 'alternating host header' but logs another?

Re-included the list for completeness and archiving.

We're building a setup where I want to be able to find domain fronting [https://en.wikipedia.org/wiki/Domain_fronting] attempts in the logs

Used test script:
import requests
# Send the request through the Squid proxy at 10.0.0.4:8080 (plain HTTP only).
proxies = {'http': 'http://10.0.0.4:8080'}
# Host header deliberately differs from the URL host (the domain-fronting pattern under test);
# Orig-Host is a custom, non-standard header carrying the same value.
headers = {"Host": "someevilhost.appspot.com", "Orig-Host": "someevilhost.appspot.com"}
s = requests.Session()
s.proxies = proxies
r = s.get('http://www.google.com/', headers=headers)
print(r.status_code)
print(r.text[:80])

My log lines keep showing www.google.com in the Host header regardless of how I set my config. Current config (as added in my pfSense setup):
host_verify_strict on
strip_query_terms off
client_dst_passthru off
logformat combined2 %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh "%>h"
access_log tcp://10.1.2.15:1025 combined2
#access_log /var/squid/logs/combined2 

example log line:
10.1.2.15 - - [31/Oct/2019:11:42:53 +0000] "GET http://www.google.com/ HTTP/1.1" 200 6261 "-" "python-requests/2.9.1" TCP_MISS:HIER_DIRECT "User-Agent: python-requests/2.9.1\r\nAccept: */*\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nOrig-Host: someevilhost.appspot.com\r\nHost: www.google.com\r\n" 

I'm looking for a way to have Squid log the original request; whatever it does after that is, for this particular test, less important (/dev/null or out to the internet, both are OK for me as long as 'RFC compliant' traffic from the web browser does get out and logged).

regards,

Mark
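As an added example (not Mark's script and not anything from the Squid project), here is a small parser for the combined2 logformat above that flags a request whose Host header does not agree with the host in the request URL, which is the mismatch you would want to surface for domain fronting. The second log line is constructed to show what a proxy that records the client's Host header untouched would log; on the thread's own line nothing is flagged, because Squid has already rewritten Host to match the URL before %>h is logged.

```python
import re
from urllib.parse import urlsplit

# Regex for the combined2 logformat from the thread:
# %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh "%>h"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d+) \S+ '
    r'"[^"]*" "[^"]*" (?P<sqstatus>\S+) "(?P<headers>.*)"\s*$')

def parse_headers(raw):
    """Turn the escaped %>h dump into {name: [values]}; names are lower-cased."""
    hdrs = {}
    for field in raw.split('\\r\\n'):  # Squid writes each CRLF as the literal text \r\n
        name, sep, value = field.partition(':')
        if sep:
            hdrs.setdefault(name.strip().lower(), []).append(value.strip())
    return hdrs

def check_line(line):
    """Return findings for one access-log line; [] means Host agrees with the URL host."""
    m = LINE_RE.match(line)
    if not m:
        return ['unparseable line']
    if m['method'] == 'CONNECT':  # %ru is host:port for CONNECT, not a full URL
        url_host = m['url'].split(':')[0].lower()
    else:
        url_host = (urlsplit(m['url']).hostname or '').lower()
    hosts = parse_headers(m['headers']).get('host', [])
    findings = []
    if len(hosts) > 1:
        findings.append(f'multiple Host headers: {hosts}')
    for h in hosts:
        if url_host and h.split(':')[0].lower() != url_host:
            findings.append(f'Host {h!r} differs from URL host {url_host!r}')
    return findings

# The thread's own log line: Squid already rewrote Host to match the URL, so nothing is flagged.
THREAD_LINE = (r'10.1.2.15 - - [31/Oct/2019:11:42:53 +0000] "GET http://www.google.com/ HTTP/1.1" '
               r'200 6261 "-" "python-requests/2.9.1" TCP_MISS:HIER_DIRECT '
               r'"User-Agent: python-requests/2.9.1\r\nAccept: */*\r\nConnection: keep-alive\r\n'
               r'Accept-Encoding: gzip, deflate\r\nOrig-Host: someevilhost.appspot.com\r\nHost: www.google.com\r\n" ')
# Constructed line: what a proxy that logs the client's Host header untouched would record.
FRONTED_LINE = (r'10.1.2.15 - - [31/Oct/2019:11:50:01 +0000] "GET http://www.google.com/ HTTP/1.1" '
                r'200 6261 "-" "python-requests/2.9.1" TCP_MISS:HIER_DIRECT '
                r'"User-Agent: python-requests/2.9.1\r\nHost: someevilhost.appspot.com\r\n"')
if __name__ == '__main__':
    for line in (THREAD_LINE, FRONTED_LINE):
        print(check_line(line) or ['ok'])
```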

On Thu, Oct 31, 2019 at 12:35 PM Mark Bergman <xychix2011@xxxxxxxxx> wrote:
OK, so there is no way I can have Squid act as most other corporate proxies do (just forward the request without manipulation)?
We are building a setup where we want people to recognise domain fronting from logs.
https://en.wikipedia.org/wiki/Domain_fronting

But as I understand now, this technique would never work through a Squid proxy (if SSL inspection is enabled). Wonder then if there have never been complaints from Signal (messaging app) users, as they relied on this technology for years :)
We might have to switch to a less RFC compliant proxy for that.

Any help and suggestions are really appreciated.

Regards,

Mark / xychix


On Thu, Oct 31, 2019 at 10:04 AM Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 31/10/19 8:48 pm, Mark Bergman wrote:
> Can I stop squid from 'repairing' host headers?

Yes.

For context:

RFC 7230 :

"If the target URI includes an authority component, then a
   client MUST send a field-value for Host that is identical to that
   authority component"

"A server MUST respond with a 400 (Bad Request) status code to any
   HTTP/1.1 request message that ... contains ... a
   Host header field with an invalid field-value."


When the host_verify_strict directive is set to "on" then Squid will
produce a 4XX status code to any traffic received with invalid Host
headers. A Host header that conflicts with info in the URL is always
invalid.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
