[squid-users] SECURITY ALARM, once more

Amos Jeffries squid3 at treenet.co.nz
Tue Jun 21 10:43:46 UTC 2016


On 21/06/2016 9:44 p.m., reinerotto wrote:
>> stay in sync 
> naturally 90-something percent of the time. <
> I have a local dnsmasq running. squid and all clients synced to it.
> But the last 10% seem to cause the SECURITY ALERT.
> 
> 
> 2016/06/21 12:17:51.672 kid1| SECURITY ALERT: Host header forgery detected
> on local=nn.nnn.nnn.nnn:443 remote=10.1.0.126:62222 FD 199 flags=33 (local
> IP does not match any domain IP)
> 2016/06/21 12:17:51.672 kid1| SECURITY ALERT: on URL: ib.adnxs.com:443
> 
> In case this message shows up, is the connection terminated?
> 

The request continues to be handled same as any other. Except that it is
not cached and only allowed to go upstream to the same destination IP
address the client was trying to use (ORIGINAL_DST).

I'm not completely sure what happens to the SSL-Bump fake CONNECT
requests when the SNI value causes the alert. The fake request has the
above settings flagged, but the SSL-Bump logic may or may not follow
through for the decrypted requests. Those sub-requests should have the
validation check applied separately for their particular Host headers anyway,
so maybe different results at that point.

Amos
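The two-line alert quoted above is easy to pair up when reviewing cache.log, which makes it possible to see which hosts are hitting the "not cached, pinned to ORIGINAL_DST" path and how many distinct destination IPs are involved. The following is an added example, not code from the Squid project or from this thread; it assumes the alert occupies one line per message in the real log (the quoted lines were wrapped by the mail client) and uses constructed documentation-range IPs.

```python
import re
from collections import Counter, defaultdict

# Constructed cache.log excerpt in the two-line form quoted in the thread.
# Addresses are RFC 5737 documentation IPs, not values from the original mail.
SAMPLE_LOG = """\
2016/06/21 12:17:51.672 kid1| SECURITY ALERT: Host header forgery detected on local=203.0.113.10:443 remote=10.1.0.126:62222 FD 199 flags=33 (local IP does not match any domain IP)
2016/06/21 12:17:51.672 kid1| SECURITY ALERT: on URL: ib.adnxs.com:443
2016/06/21 12:17:52.104 kid1| some unrelated cache.log line that must be ignored
2016/06/21 12:18:03.009 kid1| SECURITY ALERT: Host header forgery detected on local=203.0.113.11:443 remote=10.1.0.77:51002 FD 201 flags=33 (local IP does not match any domain IP)
2016/06/21 12:18:03.009 kid1| SECURITY ALERT: on URL: ib.adnxs.com:443
"""

# First line of the pair: carries ORIGINAL_DST (local=), the client (remote=) and the reason.
DETECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<kid>kid\d+)\| SECURITY ALERT: Host header forgery detected "
    r"on local=(?P<local>\S+):(?P<lport>\d+) remote=(?P<remote>\S+):(?P<rport>\d+) "
    r"FD (?P<fd>\d+) flags=(?P<flags>\d+) \((?P<reason>[^)]*)\)$")
# Second line of the pair: the Host header / SNI value that failed verification.
URL_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<kid>kid\d+)\| SECURITY ALERT: on URL: (?P<url>\S+)$")

def parse_alerts(text):
    """Pair each 'detected' line with the following 'on URL' line from the same ts/kid."""
    alerts, pending = [], None
    for line in text.splitlines():
        m = DETECT_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = URL_RE.match(line)
        if m and pending and (m["ts"], m["kid"]) == (pending["ts"], pending["kid"]):
            rec = dict(pending, url=m["url"])
            rec["host"] = m["url"].rsplit(":", 1)[0]   # strip the :port suffix
            alerts.append(rec)
            pending = None
    return alerts

def summarize(alerts):
    """Alert count per host, plus the distinct ORIGINAL_DST IPs clients resolved it to."""
    per_host = Counter(a["host"] for a in alerts)
    dst_ips = defaultdict(set)
    for a in alerts:
        dst_ips[a["host"]].add(a["local"])
    return per_host, {h: sorted(v) for h, v in dst_ips.items()}

if __name__ == "__main__":
    counts, dsts = summarize(parse_alerts(SAMPLE_LOG))
    for host, n in counts.most_common():
        print(f"{host}: {n} alert(s), client-side IPs {dsts[host]}")
```

A host that keeps appearing with several different local= IPs is the usual sign of the DNS-rotation mismatch discussed in the thread rather than an actual forgery.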