[squid-users] A patch for intercepted/WCCP HTTPS and 409 errors

Scott 3m9n51s2ewut at thismonkey.com
Wed Dec 11 07:51:43 UTC 2019


Hi,

I understand that squid does some security checking that the SNI of an 
intercepted/WCCP HTTPS request matches the reverse DNS of the IP of the 
connection.  Or something like that.

However with the prevalence of CDNs and badly configured DNSs and geographic 
DNSs, this breaks lots of connections (eg, I can't watch the NHL).

I run Squid on a trusted network and use it primarily for caching and 
logging, and so while I need to run WCCP for some non-proxy capable 
devices, I don't need that security check.

It stops all of those 409 errors occurring.

Because of that I've created some patches that add a new option
"host_verify_strict_intercepted" which is off by default.  They are
for Squid 4.9.  As this is disabling a security feature of Squid do
not apply this patch unless you are prepared for any and all consequences.

--- cf.data.pre 2019-12-11 12:56:37.263665000 +1100
+++ cf.data.pre.orig    2019-12-11 11:25:20.708044000 +1100
@@ -2632,15 +2632,6 @@
        See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
 DOC_END

-NAME: host_verify_strict_intercepted
-TYPE: onoff
-DEFAULT: on
-LOC: Config.onoff.hostStrictVerifyIntercepted
-DOC_START
-       To be completed.
-
-DOC_END
-
 NAME: host_verify_strict
 TYPE: onoff
 DEFAULT: off
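Review bot: the diff is reversed: `--- cf.data.pre` is the edited file and `+++ cf.data.pre.orig` the pristine one, so the new option shows up as `-` lines and `patch` would apply it backwards; regenerate with the original on the `---` side (or note that it needs `-R`). Reading the `-` lines as the addition, two things need fixing before this can be merged: `DEFAULT: on` contradicts the covering mail's "off by default" (on is the right default, since it keeps the existing check unless an administrator explicitly opts out, but the mail and the directive must agree), and the `DOC_START` body is still the placeholder `To be completed.`; it should state what the intercepted-request Host verification does, what is lost when it is turned off, and how it relates to the `host_verify_strict` directive immediately below it.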

--- client_side_request.cc      2019-12-11 12:52:04.552556000 +1100
+++ client_side_request.cc.orig 2019-11-06 06:14:40.000000000 +1100
@@ -642,21 +642,16 @@

     debugs(85, 3, "validate host=" << host << ", port=" << port << ", portStr=" << (portStr?portStr:"NULL"));
     if (http->request->flags.intercepted || http->request->flags.interceptTproxy) {
-        if (Config.onoff.hostStrictVerifyIntercepted) {
-            // verify the Host: port (if any) matches the apparent destination
-            if (portStr && port != http->getConn()->clientConnection->local.port()) {
-                debugs(85, 3, "FAIL on validate port " << http->getConn()->clientConnection->local.port() <<
-                       " matches Host: port " << port << " (" << portStr << ")");
-                hostHeaderVerifyFailed("intercepted port", portStr);
-            } else {
-                // XXX: match the scheme default port against the apparent destination
-
-                // verify the destination DNS is one of the Host: headers IPs
-                ipcache_nbgethostbyname(host, hostHeaderIpVerifyWrapper, this);
-            }
+        // verify the Host: port (if any) matches the apparent destination
+        if (portStr && port != http->getConn()->clientConnection->local.port()) {
+            debugs(85, 3, "FAIL on validate port " << http->getConn()->clientConnection->local.port() <<
+                   " matches Host: port " << port << " (" << portStr << ")");
+            hostHeaderVerifyFailed("intercepted port", portStr);
         } else {
-            debugs(85, 3, "validate intercept skipped.");
-            http->doCallouts();
+            // XXX: match the scheme default port against the apparent destination
+
+            // verify the destination DNS is one of the Host: headers IPs
+            ipcache_nbgethostbyname(host, hostHeaderIpVerifyWrapper, this);
         }
     } else if (!Config.onoff.hostStrictVerify) {
         debugs(85, 3, "validate skipped.");
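Review bot: same reversed direction as the cf.data.pre hunk, so the `-` lines are the change. In those lines the new `else` branch for `hostStrictVerifyIntercepted` off logs `validate intercept skipped.` at debug level 3 and calls `http->doCallouts()` directly, bypassing both the port comparison against `clientConnection->local.port()` and the `ipcache_nbgethostbyname` lookup, so an intercepted request continues with whatever `Host:` the client supplied. That is the intended effect, but since it removes the only check tying the header to the apparent destination, the skip should be visible in cache.log rather than only at level 3, and the hunk should be checked against the `!Config.onoff.hostStrictVerify` branch that follows (cut off after `validate skipped.` here) so that both skip paths complete the request the same way.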


