Hi,
I understand that squid does some security checking that the SNI of an
intercepted/WCCP HTTPS requests matches the reverse DNS of the IP of the
connection. Or something like that.
However with the prevalence of CDNs and badly configured DNSs and geographic
DNSs, this breaks lots of connections (eg, I can't watch the NHL).
I run Squid on a trusted network and use it primarily for caching and
logging, and so I while I need to run WCCP for some non-proxy capable
devices, I don't need that security check.
It stops all of those 409 errors occurring.
Because of that I've created some patches that add a new option
"host_verify_strict_intercepted" which is off by default. They are
for Squid 4.9. As this is disabling a security feature of Squid do
not apply this patch unless you are prepared for any and all consequences.
--- cf.data.pre 2019-12-11 12:56:37.263665000 +1100
+++ cf.data.pre.orig 2019-12-11 11:25:20.708044000 +1100
@@ -2632,15 +2632,6 @@
See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
DOC_END
-NAME: host_verify_strict_intercepted
-TYPE: onoff
-DEFAULT: on
-LOC: Config.onoff.hostStrictVerifyIntercepted
-DOC_START
- To be completed.
-
-DOC_END
-
NAME: host_verify_strict
TYPE: onoff
DEFAULT: off
--- client_side_request.cc 2019-12-11 12:52:04.552556000 +1100
+++ client_side_request.cc.orig 2019-11-06 06:14:40.000000000 +1100
@@ -642,21 +642,16 @@
debugs(85, 3, "validate host=" << host << ", port=" << port << ", portStr=" << (portStr?portStr:"NULL"));
if (http->request->flags.intercepted || http->request->flags.interceptTproxy) {
- if (Config.onoff.hostStrictVerifyIntercepted) {
- // verify the Host: port (if any) matches the apparent destination
- if (portStr && port != http->getConn()->clientConnection->local.port()) {
- debugs(85, 3, "FAIL on validate port " << http->getConn()->clientConnection->local.port() <<
- " matches Host: port " << port << " (" << portStr << ")");
- hostHeaderVerifyFailed("intercepted port", portStr);
- } else {
- // XXX: match the scheme default port against the apparent destination
-
- // verify the destination DNS is one of the Host: headers IPs
- ipcache_nbgethostbyname(host, hostHeaderIpVerifyWrapper, this);
- }
+ // verify the Host: port (if any) matches the apparent destination
+ if (portStr && port != http->getConn()->clientConnection->local.port()) {
+ debugs(85, 3, "FAIL on validate port " << http->getConn()->clientConnection->local.port() <<
+ " matches Host: port " << port << " (" << portStr << ")");
+ hostHeaderVerifyFailed("intercepted port", portStr);
} else {
- debugs(85, 3, "validate intercept skipped.");
- http->doCallouts();
+ // XXX: match the scheme default port against the apparent destination
+
+ // verify the destination DNS is one of the Host: headers IPs
+ ipcache_nbgethostbyname(host, hostHeaderIpVerifyWrapper, this);
}
} else if (!Config.onoff.hostStrictVerify) {
debugs(85, 3, "validate skipped.");
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
