[squid-users] SECURITY ALERT: Host header forgery detected

Martin Hanson greencoppermine at yandex.com
Mon May 14 05:50:45 UTC 2018 

So I finally got the whitelist working, but now every other box on the "localnet", when trying to access the whitelist, gets a:

2018/05/14 07:40:18 kid1| SECURITY ALERT: on URL: www.ubuntu.com:443
2018/05/14 07:40:18 kid1| SECURITY ALERT: Host header forgery detected on local=91.189.89.118:443 remote=192.168.1.4:43354 FD 23 flags=33 (local IP does not match any domain IP)

The config file as before:

<SNIP>
max_filedesc 4096

acl step1 at_step SslBump1

acl localnet src 192.168.1.0/24

# These boxes may ONLY access the whitelist.
acl windows_boxes src 192.168.1.201 192.168.1.202

acl whitelist ssl::server_name .mojang.com .minecraft.net d2pi0bc9ewx28h.cloudfront.net mcupdate.tumblr.com minecraft-textures-1196058387.us-east-1.elb.amazonaws.com .steampowered.com .steamcommunity.com .steamgames.com .steamusercontent.com .steamcontent.com .steamstatic.com .akamaihd.net .launchpad.net .streamlabs.com .ubuntu.com 

# We don't want these to be cached.
store_miss deny whitelist

# Don't let SquidGuard do anything with the whitelisted domains.
url_rewrite_access deny whitelist

# We only redirect HTTP and HTTPS.
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# We need this for the whitelist for the windows boxes because
# requests are blocked during SslBump step1 because there is not
# enough information in the fake CONNECT request for ssl::server_name
# to match domains in the whitelist.
http_access allow CONNECT step1

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Windows boxes are only allowed access to the whitelist.
http_access allow windows_boxes whitelist
http_access deny windows_boxes

http_access allow localhost
http_access allow localnet

http_access deny all

# We'll intercept trafic using PF from clan.
http_port 127.0.0.1:3129 intercept
https_port 127.0.0.1:3130 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslproxy_cafile /usr/local/openssl/cabundle.file

# Become a TCP tunnel without decrypting proxied traffic for the whitelist.
ssl_bump splice whitelist
ssl_bump peek step1 all
ssl_bump bump all

# We want the query strings as well.
strip_query_terms off

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

redirect_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf
</SNIP>

What am I missing now?

Kind regards.

More information about the squid-users mailing list