<div dir="ltr">reincluded the list for completeness and archiving.<br><br>We're building a setup where I want to be able to find domain fronting [<a href="https://en.wikipedia.org/wiki/Domain_fronting" target="_blank">https://en.wikipedia.org/wiki/Domain_fronting</a>] attempts in the logs<br><br>used test script:<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">import requests<br>proxies = {'http': '<a href="http://10.0.0.4:8080">http://10.0.0.4:8080</a>',}<br>headers = {"Host":"<a href="http://someevilhost.appspot.com">someevilhost.appspot.com</a>","Orig-Host":"<a href="http://someevilhost.appspot.com">someevilhost.appspot.com</a>"}<br>s = requests.Session()<br>s.proxies = proxies<br>r = s.get('<a href="http://www.google.com/">http://www.google.com/</a>',headers=headers)<br>print(r.status_code)<br>print(r.text[:80])</blockquote><div><br></div><div>my loglines keep showing <a href="http://www.google.com">www.google.com</a> in the host header regardless of how I set my config. Current config (as added in my pfsense setup)<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">host_verify_strict on<br>strip_query_terms off<br>client_dst_passthru off<br>logformat combined2 %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh "%>h"<br>access_log tcp://<a href="http://10.1.2.15:1025">10.1.2.15:1025</a> combined2<br>#access_log /var/squid/logs/combined2 </blockquote><div><br></div><div>example log line:</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">10.1.2.15 - - [31/Oct/2019:11:42:53 +0000] "GET <a href="http://www.google.com/">http://www.google.com/</a> HTTP/1.1" 200 6261 "-" "python-requests/2.9.1" TCP_MISS:HIER_DIRECT "User-Agent: python-requests/2.9.1\r\nAccept: */*\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nOrig-Host: <a href="http://someevilhost.appspot.com">someevilhost.appspot.com</a>\r\nHost: <a href="http://www.google.com">www.google.com</a>\r\n" </blockquote><div><br></div><div>I'm looking for a way to have Squid log the original request, whatever it does after that is for this particular test less important (/dev/null or out to the internet.. both are OK for me as long as 'RFC compliant' traffic from the webbrowser does get out and logged).<br><br>regards,</div></div><div><br></div><div>Mark</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Oct 31, 2019 at 12:35 PM Mark Bergman <<a href="mailto:xychix2011@gmail.com">xychix2011@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Ok, so there is no way I can have Squid act as most corporate other proxies (just forward the request without manipulation)?<br>We are building a setup where we want people to recognise domain fronting from logs.<br><a href="https://en.wikipedia.org/wiki/Domain_fronting" target="_blank">https://en.wikipedia.org/wiki/Domain_fronting</a><br><br>But as I understand now this technique would never work trough a Squid proxy (if SSL inspection is enabled). Wonder then if there never had been complaints from signal (messaging app) users as they relied on this technology for years :)<br>We might have to switch to a less RCF compliant proxy for that. <div><br></div><div>Any help and suggestions are really appreciated.<br><br>Regards,<div><br></div><div>Mark / xychix<br><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Oct 31, 2019 at 10:04 AM Amos Jeffries <<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 31/10/19 8:48 pm, Mark Bergman wrote:<br>
> Can i stop squid from 'repairing' host headers?<br>
<br>
Yes.<br>
<br>
For context:<br>
<br>
RFC 7230 :<br>
<br>
"If the target URI includes an authority component, then a<br>
client MUST send a field-value for Host that is identical to that<br>
authority component"<br>
<br>
"If the target URI includes an authority component, then a<br>
client MUST send a field-value for Host that is identical to that<br>
authority component"<br>
<br>
"A server MUST respond with a 400 (Bad Request) status code to any<br>
HTTP/1.1 request message that ... contains ... a<br>
Host header field with an invalid field-value."<br>
<br>
<br>
When the host_verify_strict directive is set to "on" then Squid will<br>
produce a 4XX status code to any traffic received with invalid Host<br>
headers. A Host header that conflicts with info in the URL is always<br>
invalid.<br>
<br>
Amos<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>
</blockquote></div>