[squid-users] squid interception
Matus UHLAR - fantomas
uhlar at fantomas.sk
Tue Sep 25 11:12:27 UTC 2018
On 25.09.18 12:39, Yann Girardin wrote:
> We have encountered what we think is a strange behavior of Squid when in
> interception. We know that it's not a bug but made on purpose, but we
> question ourself on the why of this choice.
>
> We have a firewall that we have configured to redirect all TCP packets
> with the destination port set to 80 to the squid box. This redirection is
> made by changing the destination IP to the address of the Squid box and
this is the wrong way to do interception and it opens the door to a security
vulnerability.
squid needs to know the destination IP, otherwise it does not know where it
has to connect.
The Host: header is NOT reliable info, because it can contain false
information. See the vulnerability info:
https://nvd.nist.gov/vuln/detail/CVE-2009-0801
https://www.kb.cert.org/vuls/id/435052
> destination port to 8080. On the box, we set up Squid to listen to port
> 9090 in interception mode. Moreover, we use some DNAT rules to redirect
> the traffic from port 8080 to port 9090. Yes, we know that we shouldn't
> do that, but "we" includes some third parties.
the proper way to do interception is to forward packets to the squid host
without changing the destination IP:
https://wiki.squid-cache.org/SquidFaq/InterceptionProxy
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)
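As an added illustration of the point made in the reply above (example code written for this page, not Squid's own implementation and not the poster's), here is the host-verification check an intercepting proxy can only perform when the original destination IP survives the redirect: the Host header must resolve to the address the client actually connected to, and when the upstream firewall has DNAT'ed the packet to the proxy's own address, that original destination is gone and nothing can be verified. The DNS table and all addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Set

# Constructed DNS view for the example (documentation-range addresses,
# not real hosts).
FAKE_DNS = {
    "www.example.com": ["198.51.100.7"],
    "intranet.corp.local": ["10.0.0.5"],
}

def fake_resolve(name: str) -> Iterable[str]:
    """Stand-in resolver so the example runs offline."""
    return FAKE_DNS.get(name.lower(), [])

@dataclass
class Verdict:
    ok: bool
    reason: str
    connect_to: Optional[str]   # address to open the upstream connection to

def host_name(host_header: str) -> str:
    """Strip an optional :port from a Host header, handling [IPv6]:port."""
    h = host_header.strip()
    if h.startswith("["):
        return h[1:h.index("]")]
    return h.rsplit(":", 1)[0] if h.count(":") == 1 else h

def verify_intercepted_request(original_dst: str, host_header: str,
                               proxy_addrs: Set[str],
                               resolve: Callable[[str], Iterable[str]] = fake_resolve
                               ) -> Verdict:
    """Decide whether an intercepted request may be forwarded.

    original_dst is what the kernel reports as the client's real target
    (on Linux, SO_ORIGINAL_DST).  The upstream connection always goes to
    original_dst, never to an address derived from the Host header.
    """
    if original_dst in proxy_addrs:
        # The firewall rewrote the destination to us: the real target is
        # unknown and the Host header would be the only, client-controlled,
        # routing input.  Refuse instead of trusting it (CVE-2009-0801).
        return Verdict(False, "original destination lost (DNAT to proxy)", None)
    name = host_name(host_header)
    if name == original_dst:
        return Verdict(True, "Host is the original destination IP", original_dst)
    if original_dst in set(resolve(name)):
        return Verdict(True, "Host resolves to the original destination", original_dst)
    return Verdict(False, f"Host {name!r} does not resolve to {original_dst}", None)
```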