[squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9
squid3 at treenet.co.nz
Thu Oct 8 08:48:15 UTC 2015
On 8/10/2015 6:41 p.m., Dan Charlesworth wrote:
> Same here—I've been meaning to ask the list about this too. I’m still on 3.5.9, by the way.
>> On 6 Oct 2015, at 10:55 PM, Roel van Meer wrote:
>> Hi everyone,
>> I have a Squid setup on a linux box with transparent interception of both http and https traffic. Everything worked fine with Squid 3.5.6. After upgrading to version 3.5.10, I get many warnings about host header forgery:
>> SECURITY ALERT: Host header forgery detected on local=188.8.131.52:443 remote=192.168.9.126:52588 FD 22 flags=33 (local IP does not match any domain IP)
>> SECURITY ALERT: By user agent:
>> SECURITY ALERT: on URL: nexus.officeapps.live.com:443
>> These warnings all seem to occur for https web sites that use multiple DNS records. The warnings coincide with the fact that the clients are unable to get the requested page.
>> I've read the wiki page http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
>> and I can assert that:
>> - we do NAT on the same box that is running Squid
>> - both squid and the clients use the same DNS server
>> I've also tested 3.5.9, and this version also showed these warnings.
>> Version 3.5.7 worked fine, and 3.5.8 did too.
>> So, one of the changes in 3.5.9 caused this behaviour.
>> Can anyone shed some more light on this? Is this a problem in my setup that surfaced with 3.5.9, or is it a problem in Squid?
I suspect this is coming from the CONNECT requests Squid generates now
using the SNI value for the Host: header and authority instead of
raw-IP. That is supported by the absence of user-agent details in the
alert. With just raw-IP the host validation is not able to be done. Now
If so these new warnings are just exposing cases of SNI abuse. In other
words it is catching the TLS version of CVE-2009-0801.
I see that the Office 365 is hosted by Akamai. Which is one of the CDN
already known to do DNS tricks that lead to Host header problems.
More information about the squid-users