[squid-users] Host header forgery affects pure splice environment too?
yvoinov at gmail.com
Sun Dec 27 22:50:33 UTC 2015
I think that to eliminate this error you need to splice all torified connections.
That is, you need to configure your squid something like this:
# SSL bump rules
acl step1 at_step SslBump1
ssl_bump peek step1
acl Splice ssl::server_name_regex -i "/usr/local/squid/etc/url.nobump"
acl Splice ssl::server_name_regex -i "/usr/local/squid/etc/url.tor"
ssl_bump splice Splice
ssl_bump bump net_bump
# Privoxy+Tor access rules
never_direct allow tor_url
and, consequently, url.nobump and url.tor are partially equal.
28.12.15 4:13, Jason Haar wrote:
> Hi there
> I use TOR a bit for testing our WAFs and found that it no longer worked
> on my test network that has squid configured in TLS intercept mode. I
> currently have squid configured to "splice only" (with peek to get the
> SNI name), i.e. no bumping, purely so that the squid access_log file
> contains better records on HTTPS hostnames.
> 2015/12/28 09:22:04.189 kid1| SECURITY ALERT: Host header forgery
> detected on local=126.96.36.199:443 remote=192.168.0.21:40427 FD 30
> flags=33 (local IP does not match any domain IP)
> 2015/12/28 09:22:04.189 kid1| SECURITY ALERT: By user agent:
> 2015/12/28 09:22:04.189 kid1| SECURITY ALERT: on URL:
> Removing the redirect of tcp/443 totally fixes the problem.
> Anyway, it would appear that squid-3.5.10 in splice-only mode still
> enables the "Host header forgery" check? Surely if all you are doing is
> splice-only, it shouldn't be doing that check at all? I.e. I could
> understand triggering blocking actions if squid was part of the
> transaction in bump mode, but when it's "only looking", it is exactly
> the same as not doing splice at all, so why trigger the Host header
> It does look like TOR has something equivalent to an /etc/hosts file with
> fake DNS names, so it's quite understandable that this freaks squid out.
> Actually, if squid cannot resolve a SNI hostname, shouldn't that skip
> the Host name check?
> Also, this isn't that easy to test: it would appear that once I turned
> off intercept and successfully used TOR, it must have cached a bunch of
> things because I then re-enabled intercept and it's no longer making any
> tcp/443 connections - it goes straight out on other "native" TOR ports.
> So it may be this can only be tested on a fresh install (or after some
> cache timeout period)
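The check the thread is about, written out as a small model so the failure mode with Tor is visible. This is an added example, not Squid's source: for an intercepted (NAT-redirected) connection, the proxy resolves the client-supplied name (Host header, or the SNI obtained by peeking) with its own resolver and accepts the request only if one of the answers equals the original destination IP of the intercepted TCP connection. A name the proxy's resolver cannot answer at all (Tor's internal fake names never reach it) fails the same branch as a name that resolves elsewhere, which is why the "local IP does not match any domain IP" alert appears even though nothing is bumped. The resolver table FAKE_DNS, the pattern list TOR_SPLICE_PATTERNS standing in for the contents of url.tor, and the function names are all assumptions made for the example; the addresses are RFC 5737 documentation ranges.

```python
"""Model of Squid's intercept-mode "Host header forgery" check.

Added example; this is not Squid's code.  It reproduces the decision
Squid makes for an intercepted (NAT-redirected) connection: the
client-supplied name (Host header, or the peeked SNI for TLS) is resolved
by the proxy's own resolver and accepted only if one of the answers
equals the original destination IP of the intercepted connection.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the proxy's DNS view (RFC 5737 documentation
# ranges); no real hosts or addresses are implied.
FAKE_DNS: Dict[str, List[str]] = {
    "www.example.test": ["192.0.2.10", "192.0.2.11"],
    "cdn.example.test": ["198.51.100.20"],
    # A Tor-style name the proxy's resolver never gets an answer for.
    "abcdefghijklmnop.onion": [],
}


def fake_resolve(name: str) -> List[str]:
    """Resolver stub: returns the constructed A records for a name."""
    return FAKE_DNS.get(name.lower().rstrip("."), [])


def verify_intercepted_host(local_ip: str, host: str,
                            resolve: Callable[[str], List[str]] = fake_resolve
                            ) -> Tuple[bool, str]:
    """Return (verified, reason) for one intercepted connection.

    local_ip is the original destination of the redirected connection
    (the "local=" in the alert); host is the Host header or the SNI.
    """
    dst = ipaddress.ip_address(local_ip)
    answers = [ipaddress.ip_address(a) for a in resolve(host)]
    if not answers:
        # No answer at all: the name cannot be confirmed, so this fails;
        # it is modelled here with the same wording as a real mismatch.
        return False, "local IP does not match any domain IP"
    if dst in answers:
        return True, "local IP matches a domain IP"
    return False, "local IP does not match any domain IP"


def security_alert(local_ip: str, local_port: int, remote_ip: str,
                   remote_port: int, host: str) -> Optional[str]:
    """Render the alert line in the cache.log format, or None if verified."""
    verified, reason = verify_intercepted_host(local_ip, host)
    if verified:
        return None
    return (f"SECURITY ALERT: Host header forgery detected on "
            f"local={local_ip}:{local_port} remote={remote_ip}:{remote_port} "
            f"({reason})")


# Constructed contents of a url.tor-style list: regexes matched
# case-insensitively against the SNI, as ssl::server_name_regex -i does.
TOR_SPLICE_PATTERNS: List[str] = [r"\.onion$", r"(^|\.)torproject\.org$"]


def splice_decision(sni: str, patterns: List[str] = TOR_SPLICE_PATTERNS) -> str:
    """'splice' if the peeked SNI matches any pattern, else 'bump'.

    Mirrors the order of the posted config (splice rules before the bump
    rule); the rest of the ACL set is not modelled.
    """
    for pat in patterns:
        if re.search(pat, sni, re.IGNORECASE):
            return "splice"
    return "bump"


if __name__ == "__main__":
    for dst, name in [("192.0.2.10", "www.example.test"),
                      ("198.51.100.20", "www.example.test"),
                      ("198.51.100.99", "abcdefghijklmnop.onion")]:
        print(name, "->", security_alert(dst, 443, "192.168.0.21", 40427, name))
    print(splice_decision("Check.TorProject.org"))
```

The second and third cases both produce the alert even though only the second is a real Host/IP mismatch; the third is simply a name the proxy cannot resolve. What Squid does after a failed check is controlled by its host_verify_strict directive, which the posted config does not mention.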