<p dir="ltr">I understand, buggy I really need to take out this sniproxy in favor of squid.</p>
<p dir="ltr">I'm planning that this path needs the HTTP violation flag on compile time, and by default value is off. So when turning on, it won't be an accident.<br>
Host_verify_header would be a good name for this on/off option<br>
</p>
<div class="gmail_quote">Le 24 mars 2016 4:05 AM, "Amos Jeffries" <<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>> a écrit :<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 24/03/2016 3:56 p.m., Luis Daniel Lucio Quiroz wrote:<br>
> As A side note, I am reading the code seems file<br>
> src/client_side_request.cc function<br>
> ClientRequestContext::hostHeaderVerify() is responsible for this.<br>
><br>
> And to be exact this option:<br>
> if (ia != NULL && ia->count > 0) {<br>
> // Is the NAT destination IP in DNS?<br>
> for (int i = 0; i < ia->count; ++i) {<br>
> if (clientConn->local.matchIPAddr(ia->in_addrs[i]) == 0) {<br>
> debugs(85, 3, HERE << "validate IP " << clientConn->local <<<br>
> " possible from Host:");<br>
> http->request->flags.hostVerified = true;<br>
> http->doCallouts();<br>
> return;<br>
> }<br>
> debugs(85, 3, HERE << "validate IP " << clientConn->local << "<br>
> non-match from Host: IP " << ia->in_addrs[i]);<br>
> }<br>
> }<br>
> debugs(85, 3, HERE << "FAIL: validate IP " << clientConn->local << "<br>
> possible from Host:");<br>
> hostHeaderVerifyFailed("local IP", "any domain IP");<br>
><br>
><br>
><br>
> As far as I understand there is no a possible way.<br>
> Would you be interested on a patch to allow this behaivour optional?<br>
><br>
<br>
This is the CVE-2009-0801 protection.<br>
<br>
Any patch altering it needs to retain that protection as there are known<br>
attacks in the wild.<br>
<br>
<br>
Also be aware that the SNI field of TLS is *not* a exact equivalent for<br>
Host. SNI lacks the ability to distinguish relative vs absoute domains<br>
and aternative port numbers - both of which are common occurances in<br>
Host headers.<br>
<br>
Amos<br>
<br>
</blockquote></div>