[squid-dev] ERR_CONFLICT_HOST for HTTP CONNECT request on port 80

YFone Ling lingyphone at gmail.com
Thu Mar 3 20:55:15 UTC 2022 

My application sends  HTTP CONNECT requests to a HTTP proxy port 80, but
gets a squid ERR_CONFLICT_HOST error page.

Is the following code really working as the comments pointed out "ignore
them" since the following if condition is "http->request->method !=
Http::METHOD_CONNECT"
and the rest has been blocked by error page
"repContext->setReplyToError(ERR_CONFLICT_HOST, Http::scConflict,"?

Does "ignore them" mean block them?
void
ClientRequestContext::hostHeaderVerifyFailed(const char *A, const char *B)
{
// IP address validation for Host: failed. Admin wants to ignore them.
// NP: we do not yet handle CONNECT tunnels well, so ignore for them
if (!Config.onoff.hostStrictVerify && http->request->method !=
Http::METHOD_CONNECT) {
debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " << http->
getConn()->clientConnection <<
" (" << A << " does not match " << B << ") on URL: " << http->request->
effectiveRequestUri());


How does the squid get "hostHeaderVerifyFailed" for a normal HTTP CONNECT
request to a HTTP Proxy as simple as below?

CONNECT www.zscaler.com:80 HTTP/1.1
Host: www.zscaler.com:80
User-Agent: Windows Microsoft Windows 10 Enterprise ZTunnel/1.0
Proxy-Connection: keep-alive
Connection: keep-alive


HTTP/1.1 409 Conflict
Server: squid
Mime-Version: 1.0
Date: Tue, 22 Feb 2022 20:59:42 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 2072
X-Squid-Error: ERR_CONFLICT_HOST 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from 3
Via: 1.1 3 (squid)
Connection: keep-alive


</head><body id=ERR_CONFLICT_HOST>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>


<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a
href="www.zscaler.com:80">www.zscaler.com:80</a></p>
......



Thank you for any help on the understanding!

Paul Ling
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20220303/38713c3a/attachment.htm>

More information about the squid-dev mailing list