[squid-users] url_rewrite_program shows IP addresses instead of domain name when rewriting SSL/HTTPS

Amos Jeffries squid3 at treenet.co.nz
Thu Jul 7 22:49:52 UTC 2016


On 8/07/2016 5:28 a.m., Moataz Elmasry wrote:
> Sorry, I just realized, I sent you a private email instead of to the
> mailing list. Apologies for that.
> 
> Hi Amos,
> 
> I made some progress today, so at least I'm not getting any errors in the
> browser; the url_redirect_program receives the actual url. Redirecting
> normal http urls works fine, but redirecting https urls results in a similar
> error in the logs:
> "
> 2016/07/07 17:19:28| SECURITY ALERT: Host header forgery detected on local=
> 31.13.92.36:443 remote=x.x.x.x:65228 FD 18 flags=33 (local IP does not
> match any domain IP)
> 2016/07/07 17:19:28| SECURITY ALERT: on URL: www.facebook.com:443
> "
> And the browser tab hangs (in page loading)

Two subtle details:

 1) that is not an error, it is a security alert. Warning that dire
consequences are likely happening for the client.

 2) this is pretty much an expected outcome from changing where a
CONNECT tunnel is going. Your altered domain is not likely to match the
transport layer details after alteration.

The dire consequences in (1) of course being the undefined behaviour
resulting from "redirecting" a tunnel in (2).


> On Wed, Jul 6, 2016 at 9:30 AM, Amos Jeffries wrote:
> 
>>
>> 2) Most rewriters cannot correctly handle the URI type used on CONNECT
>> tunnels, and more importantly are not able to safely decide where to
>> redirect to even if they could produce the right URI output.
>>
>> So, normal installations should block requests to your re-writer by using
>> the available "CONNECT" ACL like so:
>>  url_rewrite_access deny CONNECT
>>
>> However, if your rewriter is an exception and can actually divert whole
>> tunnels correctly (or knows correctly to return "ERR" and skip re-writing).
>> Then use the method field it receives from Squid to have it decide what to
>> do.
>>

It seems that your redirector is not one of those exceptional ones that
can do this to CONNECT tunnels.

Amos
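As an added illustration of the advice above (this is example code, not Squid's own helper and not the original poster's redirector), here is a minimal url_rewrite_program helper that uses the method field Squid passes in to leave CONNECT tunnels alone and rewrite only plain http URLs. It assumes the Squid 3.4+ helper protocol with the default url_rewrite_extras ("%>a/%>A %un %>rm myip=%la myport=%lp"), so each request line is `[channel-id] URL client-ip/fqdn user METHOD myip=... myport=...`, and replies are `OK rewrite-url="..."` or `ERR`. The REWRITE_MAP hostnames are constructed for the example. The helper's method check is a second line of defence; the primary control is still `url_rewrite_access deny CONNECT` in squid.conf, so that tunnel requests never reach the helper at all.

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program helper that refuses to rewrite CONNECT tunnels.

Added example, not Squid's code. Assumes Squid 3.4+ helper protocol and the
default url_rewrite_extras, so a request line looks like:

    [channel-id] URL client-ip/fqdn user METHOD myip=... myport=...

Replies are "[channel-id] OK rewrite-url=..." or "[channel-id] ERR".
"""
import sys

# Constructed (hypothetical) rewrite table: http host -> replacement host.
REWRITE_MAP = {
    "old.example.test": "new.example.test",
}


def parse_request(line):
    """Split one helper request line into (channel_id, url, method).

    channel_id is None when concurrency is off (Squid sends no ID).
    method is "" when the extras fields are missing.
    """
    fields = line.strip().split()
    if not fields:
        return None, None, None
    channel = None
    if fields[0].isdigit():          # concurrency channel ID, if present
        channel = fields[0]
        fields = fields[1:]
    if not fields:
        return channel, None, None
    url = fields[0]
    # Default extras order after the URL: ip/fqdn, user, method, kv-pairs
    method = fields[3].upper() if len(fields) > 3 else ""
    return channel, url, method


def decide(line):
    """Return the helper's reply line for one request line."""
    channel, url, method = parse_request(line)
    prefix = f"{channel} " if channel is not None else ""
    if url is None:
        return prefix + "ERR"
    # A CONNECT tunnel URI is "host:port" with no scheme. Rewriting it moves
    # the TLS tunnel to a host that no longer matches the transport details,
    # which is exactly what Squid's Host header forgery check flags. Leave it.
    if method == "CONNECT" or "://" not in url:
        return prefix + "ERR"
    scheme, rest = url.split("://", 1)
    host, slash, path = rest.partition("/")
    hostname, colon, port = host.partition(":")
    target = REWRITE_MAP.get(hostname.lower())
    if target is None:
        return prefix + "ERR"        # no rule: tell Squid to use the URL as-is
    new_url = f"{scheme}://{target}{colon}{port}{slash}{path}"
    return prefix + f'OK rewrite-url="{new_url}"'


def main():
    # Squid speaks to the helper over stdin/stdout, one request per line;
    # flush after every reply so Squid is never left waiting.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Wired in with `url_rewrite_program /path/to/this_helper.py` and `url_rewrite_access deny CONNECT`, a tunnel such as `www.facebook.com:443` gets `ERR` from the helper even if a misconfiguration lets it through, while `http://old.example.test/...` requests are diverted to the replacement host.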


