[squid-users] Squid proxy will forward message with 'alternating host header' but logs another?

Mark Bergman xychix2011 at gmail.com
Thu Oct 31 11:48:45 UTC 2019


Re-included the list for completeness and archiving.

We're building a setup where I want to be able to find domain fronting [https://en.wikipedia.org/wiki/Domain_fronting] attempts in the logs.

Used test script:
>
> import requests
> # proxy under test, and a Host header that deliberately disagrees with the URL
> proxies = {'http': 'http://10.0.0.4:8080'}
> headers = {"Host": "someevilhost.appspot.com", "Orig-Host": "someevilhost.appspot.com"}
> s = requests.Session()
> s.proxies = proxies
> r = s.get('http://www.google.com/', headers=headers)
> print(r.status_code)
> print(r.text[:80])


My log lines keep showing www.google.com in the Host header regardless of
how I set my config. Current config (as added in my pfSense setup):

> host_verify_strict on
> strip_query_terms off
> client_dst_passthru off
> logformat combined2 %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh "%>h"
> access_log tcp://10.1.2.15:1025 combined2
> #access_log /var/squid/logs/combined2


Example log line:

> 10.1.2.15 - - [31/Oct/2019:11:42:53 +0000] "GET http://www.google.com/ HTTP/1.1" 200 6261 "-" "python-requests/2.9.1" TCP_MISS:HIER_DIRECT "User-Agent: python-requests/2.9.1\r\nAccept: */*\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nOrig-Host: someevilhost.appspot.com\r\nHost: www.google.com\r\n"


I'm looking for a way to have Squid log the original request; whatever it
does after that is, for this particular test, less important (/dev/null or
out to the internet, both are OK for me as long as 'RFC compliant' traffic
from the web browser does get out and is logged).

regards,

Mark

On Thu, Oct 31, 2019 at 12:35 PM Mark Bergman <xychix2011 at gmail.com> wrote:

> Ok, so there is no way I can have Squid act as most other corporate
> proxies (just forward the request without manipulation)?
> We are building a setup where we want people to recognise domain fronting
> from logs.
> https://en.wikipedia.org/wiki/Domain_fronting
>
> But as I understand now, this technique would never work through a Squid
> proxy (if SSL inspection is enabled). Wonder then if there never had been
> complaints from Signal (messaging app) users, as they relied on this
> technology for years :)
> We might have to switch to a less RFC compliant proxy for that.
>
> Any help and suggestions are really appreciated.
>
> Regards,
>
> Mark / xychix
>
>
> On Thu, Oct 31, 2019 at 10:04 AM Amos Jeffries <squid3 at treenet.co.nz>
> wrote:
>
>> On 31/10/19 8:48 pm, Mark Bergman wrote:
>> > Can I stop squid from 'repairing' host headers?
>>
>> Yes.
>>
>> For context:
>>
>> RFC 7230 :
>>
>> "If the target URI includes an authority component, then a
>>    client MUST send a field-value for Host that is identical to that
>>    authority component"
>>
>> "A server MUST respond with a 400 (Bad Request) status code to any
>>    HTTP/1.1 request message that ... contains ... a
>>    Host header field with an invalid field-value."
>>
>>
>> When the host_verify_strict directive is set to "on" then Squid will
>> produce a 4XX status code to any traffic received with invalid Host
>> headers. A Host header that conflicts with info in the URL is always
>> invalid.
>>
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>>
>
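As an added example (not code from this thread or from Squid), here is the defender-side check the thread is after, run over lines in the combined2 layout shown above: it parses the "%>h" header block and flags any request whose Host header differs from the authority in the request URL. Both log lines are constructed samples; the second shows the shape such a line takes when the Host header is logged exactly as the client sent it.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in the thread's combined2 layout (not real traffic).
# Line 1 has the shape shown in the thread (Host already equal to the URL host);
# line 2 is the shape a line takes when Host is logged as the client sent it.
SAMPLE_LOG = r'''10.1.2.15 - - [31/Oct/2019:11:42:53 +0000] "GET http://www.google.com/ HTTP/1.1" 200 6261 "-" "python-requests/2.9.1" TCP_MISS:HIER_DIRECT "User-Agent: python-requests/2.9.1\r\nAccept: */*\r\nOrig-Host: someevilhost.appspot.com\r\nHost: www.google.com\r\n"
10.1.2.15 - - [31/Oct/2019:11:43:10 +0000] "GET http://www.google.com/ HTTP/1.1" 200 6261 "-" "python-requests/2.9.1" TCP_MISS:HIER_DIRECT "User-Agent: python-requests/2.9.1\r\nAccept: */*\r\nHost: someevilhost.appspot.com\r\n"
'''

# Fields of the combined2 logformat in order; the %>h block is everything
# inside the final pair of double quotes.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" (?P<squid>\S+) "(?P<headers>.*)"$')


def parse_headers(raw):
    """Split Squid's escaped %>h block (literal backslash-r backslash-n separators) into a dict."""
    out = {}
    for field in raw.split(r'\r\n'):
        if ':' in field:
            name, value = field.split(':', 1)
            out[name.strip().lower()] = value.strip()
    return out


def normalise(auth):
    """Lowercase an authority and drop an explicit default HTTP port."""
    auth = auth.strip().lower()
    return auth[:-3] if auth.endswith(':80') else auth


def check_line(line):
    """Return (url_host, host_header, mismatch) for one line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url_host = normalise(urlsplit(m['url']).netloc)
    host_hdr = normalise(parse_headers(m['headers']).get('host', ''))
    return url_host, host_hdr, url_host != host_hdr


def find_mismatches(log_text):
    """Return the parsed tuple for every line whose Host header differs from the URL authority."""
    hits = []
    for line in log_text.splitlines():
        result = check_line(line)
        if result and result[2]:
            hits.append(result)
    return hits
```

With host_verify_strict on, as Amos describes, such a request is answered with a 4XX instead, so this check is most useful on logs from a proxy that forwards the Host header unchanged.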