[squid-users] TProxy and client_dst_passthru

Amos Jeffries squid3 at treenet.co.nz
Fri Jul 3 15:25:41 UTC 2015


On 4/07/2015 1:21 a.m., Stakres wrote:
> Amos,
> You said Squid will check the original DNS from the headers, then it'll
> do its own DNS resolution to verify they both match.
> So, if there is no match, Squid does the request to the internet based on the DNS it
> found.
> If I'm right, that's the current way, correct?

Depends on what you mean by "it found".

ORIGINAL_DST comes from the TCP packet headers, which cannot be forged
without the packets going astray. Squid trusts it when in doubt.

Squid's own DNS lookup is for the HTTP Host header value, to compare
against the TCP value. Host can be trivially forged. So neither Host nor
the DNS result derived from it can be trusted when in doubt.

> 
> What we could do is the same way, but as Squid has downloaded the object
> based on its DNS records, it means the object is correct, the right one. So,
> keep all details from Squid's job and push the object to the cache (if
> cacheable).

When there is doubt about which server is correct there is no "right"
object. Squid relays the request to the place the client would have
reached had the proxy not been intercepting the traffic (ORIGINAL_DST).
It then prevents the unreliable object from being given to other clients (cached).


There does seem to be one bug in that Squid will not always HIT on
existing cache content for the requested URL. Any help finding and
fixing that is welcome.


> 
> user request -> squid checks the DNS is ok (corrects it if needed) -> squid
> downloads the right object and caches it.
> user request -> squid checks the DNS is ok (corrects it if needed) -> squid
> pushes from its cache.
> 
> Again, if Squid requests the right object based on its DNS requests, it'll
> deliver the good one to clients.
> So, we should not see ORIGINAL_DST anymore...

That's the CVE-2009-0801 problem. Whenever the Host header DNS is used,
the proxy and all other clients fetching the cached URL from it are
subject to malicious alterations made to that header.
Thus it's only near-trustworthy when the DNS results contain the TCP dst-IP.

We let the request through to the ORIGINAL_DST to reduce the penalty on the
client. But caching without that trust is going a bit too far.


Amos
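The decision logic Amos describes above, as an added illustration that is not Squid's own code: the request is always relayed to ORIGINAL_DST, and the Host header is trusted (so the reply may be cached) only when its DNS answers contain the TCP destination IP. The resolver table and the `validate` helper are constructed for this example.

```python
"""Host-header validation against ORIGINAL_DST (illustration, not Squid code)."""
import ipaddress
from dataclasses import dataclass

# Constructed DNS table standing in for the proxy's own lookup of the Host name.
FAKE_DNS = {
    "www.example.com": {"203.0.113.10", "203.0.113.11"},
    "cdn.example.net": {"198.51.100.5"},
}


def resolve(hostname):
    """Stub resolver: set of A records for hostname, empty when unknown."""
    return FAKE_DNS.get(hostname.lower(), set())


@dataclass
class Decision:
    upstream: str     # IP the request is actually relayed to
    cacheable: bool   # may the response be stored and served to other clients?
    reason: str


def _host_name(host_header):
    """Strip an optional :port; a bracketed IPv6 literal is returned unbracketed."""
    host = host_header.strip()
    if host.startswith("["):
        return host.split("]")[0][1:]
    return host.split(":")[0]


def validate(host_header, original_dst, resolver=resolve):
    """Return where to relay and whether the reply may be cached.

    original_dst is the TCP destination IP from the intercepted packet and is
    always used as the upstream. Host only earns cacheability when the DNS
    answers for it include original_dst (the CVE-2009-0801 check).
    """
    name = _host_name(host_header)
    try:
        literal = ipaddress.ip_address(name)   # Host given as an IP literal
    except ValueError:
        literal = None
    if literal is not None:
        ok = literal == ipaddress.ip_address(original_dst)
        return Decision(original_dst, ok, "ip literal matches" if ok else "ip literal differs")
    if original_dst in resolver(name):
        return Decision(original_dst, True, "host dns contains original dst")
    return Decision(original_dst, False, "host dns mismatch, relay to ORIGINAL_DST uncached")
```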

