[squid-users] Squid returns 400 to GET / HTTP/1.1 with Host Header

Amos Jeffries squid3 at treenet.co.nz
Mon Apr 23 16:58:46 UTC 2018


On 24/04/18 04:03, Stephen Nelson-Smith wrote:
> Hi,
> 
> On Mon, Apr 23, 2018 at 4:48 PM, Stephen Nelson-Smith wrote:
> 
>> Adding that functionality would be an option,

I think that is worth asking Mark Nottingham about adding that
functionality.


>> but am I right in
>> thinking squid should be able to infer the destination from the host
>> header?

No, that is rather dangerous. The CVE-2009-0801 and related nest of
vulnerabilities are opened up if the Host header is trusted by a proxy.


>>
>> Just looking at the documentation for http_port, would adding
>> 'intercept' help, or is that explicitly for interception caching in
>> conjunction with a traffic filter?
> 
> Adding `intercept` to `http_port` has resulted in the host header
> appearing as the URL in the request.
> 
> Squid is now giving a 403... which it shouldn't... I think:
> 
> 1524498993.558      0 10.8.0.33 TCP_MISS/403 3985 GET http://www.openstreetmap.com/ - HIER_NONE/- text/html
> 1524498993.559      0 10.8.2.19 TCP_MISS/403 4077 GET http://www.openstreetmap.com/ - ORIGINAL_DST/10.8.0.33 text/html
> 

That is the CVE-2009-0801 protections doing their thing for intercepted
traffic (second log line). The 10.8.0.33 IP is where the client was
apparently going before being MITM'd into the proxy, so the server there MUST
be able to handle whatever the client is expecting back, regardless of
whether the proxy trusts it for caching purposes.

But 10.8.0.33 is your Squid, so the traffic loops (first log line).
Squid detects the loop and rejects it to prevent infinite memory and TCP
port numbers being consumed.

Amos
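The two rules Amos describes for intercepted traffic, as an added illustrative model (not Squid's code and not part of the original message): the proxy only trusts the Host header for URL reconstruction and caching when the client's original TCP destination is one of the addresses that Host name resolves to; otherwise it either forwards to the original destination without caching or, in a strict mode, rejects; and a request whose original destination is the proxy itself is a forwarding loop and is rejected. The DNS table, the proxy address set, the `strict` flag and every request below are constructed assumptions; 10.8.0.33 is taken as the proxy's own address because the thread says so. Squid's real checks (resolver lookups, Via-header loop detection, its exact status codes) are not reproduced here.

```python
"""Model of Host-header verification and loop detection for intercepted
HTTP traffic. Added example, not Squid's implementation."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed stand-in for the resolver (assumption): name -> addresses.
DNS: Dict[str, Set[str]] = {
    "www.openstreetmap.com": {"198.51.100.10", "198.51.100.11"},
    "intranet.example.net": {"10.8.5.5"},
}

# Addresses this proxy listens on (assumption; 10.8.0.33 is "your Squid"
# in the thread, so forwarding to it would come straight back to us).
PROXY_ADDRS: Set[str] = {"10.8.0.33", "127.0.0.1"}


@dataclass
class Intercepted:
    """A request that arrived on an intercept port."""
    client_ip: str
    original_dst: str     # where the client's TCP connection was really going
    host_header: str
    path: str = "/"


@dataclass
class Verdict:
    action: str           # "FORWARD" or "REJECT"
    reason: str
    url: Optional[str] = None
    forward_to: Optional[str] = None
    cacheable: bool = False


def decide(req: Intercepted, strict: bool = False,
           dns: Dict[str, Set[str]] = DNS,
           proxy_addrs: Set[str] = PROXY_ADDRS) -> Verdict:
    """Apply loop detection, then Host verification, to one request."""
    # Loop: the client was connecting to this proxy directly, so forwarding
    # to original_dst would re-enter the proxy until memory/ports run out.
    if req.original_dst in proxy_addrs:
        return Verdict("REJECT",
                       "forwarding loop: original destination is this proxy")

    # Reconstruct the URL from Host, but only trust it if the Host name
    # actually resolves to the address the client was already talking to.
    # Without this, any client can make a shared cache store an arbitrary
    # server's response under http://<Host>/ (the CVE-2009-0801 class).
    name = req.host_header.lower().split(":")[0]
    url = f"http://{req.host_header}{req.path}"
    if req.original_dst in dns.get(name, set()):
        return Verdict("FORWARD", "Host verified against original destination",
                       url=url, forward_to=req.original_dst, cacheable=True)

    if strict:
        return Verdict("REJECT",
                       "Host header does not resolve to original destination",
                       url=url)

    # Non-strict: the original server must answer for whatever the client
    # expects; we just relay to it and refuse to cache the result.
    return Verdict("FORWARD",
                   "Host not verified: relay to original destination, no cache",
                   url=url, forward_to=req.original_dst, cacheable=False)


if __name__ == "__main__":
    samples = [
        # The thread's case: original destination is the proxy itself.
        Intercepted("10.8.2.19", "10.8.0.33", "www.openstreetmap.com"),
        # Legitimate interception of a real origin.
        Intercepted("10.8.2.19", "198.51.100.10", "www.openstreetmap.com"),
        # Host header pointing at a name the client was not connecting to.
        Intercepted("10.8.2.19", "198.51.100.10", "intranet.example.net"),
    ]
    for s in samples:
        for strict in (False, True):
            v = decide(s, strict=strict)
            print(f"strict={strict!s:5} dst={s.original_dst:14} "
                  f"Host={s.host_header:22} -> {v.action} ({v.reason})")
```

Run it directly to see the three cases; the third one shows the difference between relaying uncached and rejecting outright, which is the choice a strict host-verification setting makes.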

