[squid-users] Host header forgery affects pure splice environment too?

Yuri Voinov yvoinov at gmail.com
Sun Dec 27 22:50:33 UTC 2015


I think that to eliminate this error you need to splice all torified connections.

I.e., you need to configure your Squid something like this:

# SSL bump rules
# Peek at the ClientHello in step 1 to learn the SNI without terminating TLS
acl step1 at_step SslBump1
ssl_bump peek step1
# Two acl lines with the same name merge into one ACL; each file is a list of
# case-insensitive (-i) regexes matched against the peeked server name
acl Splice ssl::server_name_regex -i "/usr/local/squid/etc/url.nobump"
acl Splice ssl::server_name_regex -i "/usr/local/squid/etc/url.tor"
ssl_bump splice Splice
# net_bump is assumed to be defined elsewhere in the configuration
ssl_bump bump net_bump

# Privoxy+Tor access rules
# tor_url is assumed to be defined elsewhere; never_direct forces matching
# requests through a cache_peer (Privoxy/Tor) instead of going direct
never_direct allow tor_url

and, consequently, url.nobump and url.tor partially overlap.

28.12.15 4:13, Jason Haar wrote:
> Hi there
>
> I use TOR a bit for testing our WAFs and found that it no longer worked
> on my test network that has squid configured in TLS intercept mode. I
> currently have squid configured to "splice only" (with peek to get the
> SNI name) - ie no bumping - purely so that the squid access_log file
> contains better records on HTTPS hostnames
>
> 2015/12/28 09:22:04.189 kid1| SECURITY ALERT: Host header forgery detected on local=194.109.206.212:443 remote=192.168.0.21:40427 FD 30 flags=33 (local IP does not match any domain IP)
> 2015/12/28 09:22:04.189 kid1| SECURITY ALERT: By user agent:
> 2015/12/28 09:22:04.189 kid1| SECURITY ALERT: on URL: www.z2b4e372r4.com:443
>
> Removing the redirect of tcp/443 totally fixes the problem.
>
> Anyway, it would appear that squid-3.5.10 in splice-only mode still
> enables the "Host header forgery" check? Surely if all you are doing is
> splice-only, it shouldn't be doing that check at all? ie I could
> understand triggering blocking actions if squid was part of the
> transaction in bump-mode - but when it's "only looking", it is exactly
> the same as not doing splice at all - so why trigger the Host header check?
>
> It does look like TOR has something equivalent to an /etc/hosts file with
> fake DNS names - so it's quite understandable that this freaks squid out.
> Actually, if squid cannot resolve a SNI hostname, shouldn't that skip
> the Host name check?
>
> Also, this isn't that easy to test: it would appear that once I turned
> off intercept and successfully used TOR, it must have cached a bunch of
> things because I then re-enabled intercept and it's no longer making any
> tcp/443 connections - it goes straight out on other "native" TOR ports.
> So it may be this can only be tested on a fresh install (or after some
> cache timeout period)
>

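The check that fires in the quoted cache.log lines, and the splice decision the suggested rules would make for the same SNI, modelled in Python as an added example. This is not Squid's code and not code from either poster: Squid's real check compares the intercepted destination address (the local= tuple, recovered from the NAT table) with the addresses the client-supplied name (here the peeked SNI) resolves to, and this model reproduces only that comparison. The resolver table, the url.tor contents and the address given for www.squid-cache.org are constructed for the example; the three log lines are copied from the quoted message. The model says nothing about whether splicing suppresses the check, which is the open question in the thread.

```python
import re
from typing import Callable, Dict, Iterable, List, Optional, Set

# Constructed stand-in for DNS. The Tor-generated name from the quoted alert is
# deliberately absent, since public DNS has no record for it; the address for
# www.squid-cache.org is invented for the example and is not its real address.
FAKE_DNS: Dict[str, Set[str]] = {
    "www.squid-cache.org": {"198.51.100.10"},
}


def fake_resolve(name: str) -> Set[str]:
    """Return the address set for a name, empty when it does not resolve."""
    return FAKE_DNS.get(name.lower(), set())


# The three cache.log lines from the quoted message, used as sample input.
SAMPLE_LOG = """\
2015/12/28 09:22:04.189 kid1| SECURITY ALERT: Host header forgery detected on local=194.109.206.212:443 remote=192.168.0.21:40427 FD 30 flags=33 (local IP does not match any domain IP)
2015/12/28 09:22:04.189 kid1| SECURITY ALERT: By user agent:
2015/12/28 09:22:04.189 kid1| SECURITY ALERT: on URL: www.z2b4e372r4.com:443
"""

ALERT_RE = re.compile(
    r"Host header forgery detected on local=(?P<lip>[\d.]+):(?P<lport>\d+) "
    r"remote=(?P<rip>[\d.]+):(?P<rport>\d+)"
)
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<host>[^:\s]+):(?P<port>\d+)")


def parse_alert(log_text: str) -> Optional[Dict[str, str]]:
    """Extract the intercepted tuple and the SNI-derived host from one alert.

    Squid spreads a single alert over three lines; the original destination
    (local=) comes from the NAT table and the host from the peeked SNI.
    """
    m = ALERT_RE.search(log_text)
    u = URL_RE.search(log_text)
    if not m or not u:
        return None
    return {
        "local_ip": m["lip"],
        "local_port": m["lport"],
        "remote_ip": m["rip"],
        "sni": u["host"],
    }


def verify_host(local_ip: str, sni: str,
                resolve: Callable[[str], Set[str]] = fake_resolve) -> str:
    """Model of the forgery check: the intercepted destination must be one of
    the addresses the client-supplied name resolves to.

    Returns "ok" or the reason the alert fires. A name that does not resolve
    at all fails exactly like a mismatch, which is the situation for a Tor
    automap name such as the one in the quoted alert.
    """
    addrs = resolve(sni)
    if local_ip in addrs:
        return "ok"
    if not addrs:
        return "local IP does not match any domain IP (name does not resolve)"
    return "local IP does not match any domain IP"


# Constructed contents for a url.tor list file; the real file is site specific.
URL_TOR_LINES = [
    "# Tor automap / onion names (constructed example)",
    r"\.onion$",
    r"^www\.z2b4e372r4\.com$",
]


def load_patterns(lines: Iterable[str]) -> List[re.Pattern]:
    """Compile one ssl::server_name_regex list file (url.nobump or url.tor):
    blank lines and '#' comments are skipped, '-i' makes matching
    case-insensitive."""
    pats = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            pats.append(re.compile(line, re.IGNORECASE))
    return pats


def ssl_bump_action(sni: str, splice_patterns: Iterable[re.Pattern]) -> str:
    """Mirror the suggested rules: splice when the peeked SNI matches any
    pattern of the Splice ACL, otherwise fall through to 'ssl_bump bump'."""
    return "splice" if any(p.search(sni) for p in splice_patterns) else "bump"


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_LOG)
    assert alert is not None
    print("forgery check:", verify_host(alert["local_ip"], alert["sni"]))
    print("ssl_bump action:",
          ssl_bump_action(alert["sni"], load_patterns(URL_TOR_LINES)))
```

Run stand-alone it reports the alert reason for the quoted connection and shows that the same SNI would land in the Splice ACL under the constructed url.tor list. Swap in a real resolver (for instance socket.getaddrinfo) for fake_resolve to check a live intercepted tuple against your own DNS view, which is what matters, since Squid verifies against the addresses it resolves, not the ones the client resolved.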


