[squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

Roel van Meer roel at 1afa.com
Tue Oct 6 11:55:33 UTC 2015


Hi everyone,

I have a Squid setup on a Linux box with transparent interception of both
http and https traffic. Everything worked fine with Squid 3.5.6. After
upgrading to version 3.5.10, I get many warnings about host header forgery:

  SECURITY ALERT: Host header forgery detected on local=104.46.50.125:443 remote=192.168.9.126:52588 FD 22 flags=33 (local IP does not match any domain IP)
  SECURITY ALERT: By user agent:
  SECURITY ALERT: on URL: nexus.officeapps.live.com:443

These warnings all seem to occur for https web sites that use multiple DNS  
records. The warnings coincide with the fact that the clients are unable to  
get the requested page.

I've read the wiki page http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
and I can assert that:
- we do NAT on the same box that is running Squid
- both squid and the clients use the same DNS server

I've also tested 3.5.9, and this version also showed these warnings.
Version 3.5.7 worked fine, and 3.5.8 did too.

So, one of the changes in 3.5.9 caused this behaviour.

Can anyone shed some more light on this? Is this a problem in my setup that  
surfaced with 3.5.9, or is it a problem in Squid?

Thanks a lot for any help,

Roel


My (abbreviated) config:

http_port 192.168.9.1:3128 ssl-bump cert=/etc/ssl/certs/server.pem
http_port 192.168.9.1:3129 intercept
https_port 192.168.9.1:3130 intercept ssl-bump cert=/etc/ssl/certs/server.pem
icp_port 0

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl port-direct myportname 192.168.9.1:3128
ssl_bump none port-direct
acl port-trans_https myportname 192.168.9.1:3130
external_acl_type sni children-max=3 children-startup=1 %URI %SRC %METHOD %ssl::>sni /usr/bin/squidGuard-aclsni
acl checksni external sni

ssl_bump peek port-trans_https step1
ssl_bump terminate port-trans_https step2 checksni
ssl_bump splice port-trans_https all

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
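An added example, not part of the original post or of the Squid project: a small triage script that parses the three alert lines quoted above and replays, offline, the comparison the wiki page describes (the intercepted destination IP must be among the addresses the proxy resolves for the requested host). The DNS answer sets in it are constructed for illustration; only the log lines come from the post, and the function and variable names are this example's own.

```python
"""Offline triage of Squid 'Host header forgery' alerts (constructed example).

The alert lines are the ones quoted in the post. The DNS answers are an
in-memory table so the script runs without network access; the addresses in
that table are assumed, not real lookups.
"""
import re
from ipaddress import ip_address

# First alert line: destination (local) address, client (remote) address, reason.
ALERT_RE = re.compile(
    r"Host header forgery detected on local=(?P<local>[\d.]+):(?P<port>\d+) "
    r"remote=(?P<remote>[\d.:]+) FD (?P<fd>\d+) flags=(?P<flags>\d+) "
    r"\((?P<reason>[^)]*)\)"
)
# Third alert line: the host (and optional port) the client asked for.
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<host>[^:\s]+)(?::(?P<port>\d+))?")

# Log lines from the post.
SAMPLE_LOG = """\
SECURITY ALERT: Host header forgery detected on local=104.46.50.125:443 remote=192.168.9.126:52588 FD 22 flags=33 (local IP does not match any domain IP)
SECURITY ALERT: By user agent:
SECURITY ALERT: on URL: nexus.officeapps.live.com:443
"""

# Constructed DNS views. A host with several A records can hand the client and
# the proxy different subsets; the second address set is hypothetical.
PROXY_VIEW_AT_CHECK = {"nexus.officeapps.live.com": {"104.46.50.126", "104.46.50.127"}}
PROXY_VIEW_LATER = {"nexus.officeapps.live.com": {"104.46.50.125", "104.46.50.126"}}


def parse_alerts(log_text):
    """Group each three-line alert into one record (dict per event)."""
    events, current = [], None
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            current = {
                "local": m["local"], "port": int(m["port"]),
                "remote": m["remote"], "reason": m["reason"], "host": None,
            }
            events.append(current)
            continue
        m = URL_RE.search(line)
        if m and current is not None:
            current["host"] = m["host"]
    return events


def check_destination(host, local_ip, resolved_ips):
    """Replay the comparison: is the intercepted destination IP in the set the
    proxy resolved for the requested host? Returns a verdict string."""
    if host is None:
        return "no-host"
    if not resolved_ips:
        return "unresolved"
    if ip_address(local_ip) in {ip_address(a) for a in resolved_ips}:
        return "match"
    return "mismatch"


def triage(log_text, dns_view):
    """Apply check_destination to every alert using the given DNS view.
    Returns a list of (host, destination_ip, verdict) tuples."""
    results = []
    for ev in parse_alerts(log_text):
        answers = dns_view.get(ev["host"], set())
        results.append((ev["host"], ev["local"], check_destination(ev["host"], ev["local"], answers)))
    return results


if __name__ == "__main__":
    # Same alert, two DNS views: the first reproduces Squid's complaint, the
    # second shows the destination was a legitimate address after all.
    for label, view in (("at check", PROXY_VIEW_AT_CHECK), ("later", PROXY_VIEW_LATER)):
        for host, dest, verdict in triage(SAMPLE_LOG, view):
            print(f"{label:8} {host} -> {dest}: {verdict}")
```

A "mismatch" here is exactly the condition Squid reports; it does not by itself mean forgery. When a host has several A records and the client and the proxy receive different answers, the check fails even though both sides used the same resolver, which is why the same alert can flip to "match" on a later lookup. To run the same triage against live data, replace the table with a lookup through the resolver Squid itself uses (for example `socket.getaddrinfo`), so that the comparison reflects what the proxy would see.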