[squid-dev] ERR_CONFLICT_HOST for HTTP CONNECT request on port 80
Alex Rousskov
rousskov at measurement-factory.com
Fri Mar 4 15:20:16 UTC 2022
On 3/4/22 03:25, YFone Ling wrote:
> I am here just trying to understand how the squid determines host conflicts
> for a simple http connect proxy request?

The complete answer to your question is large/complicated and
Squid-version dependent, but, AFAICT, there are no conflicts in the
simple CONNECT request you have shared. Either the Squid in question is
buggy or something else is going on (that is not visible in the output
you have shared).

Are you absolutely sure the CONNECT request looks exactly like the one
you have copy-pasted? How do you observe that CONNECT request?

Can you reproduce this exact problem using, say, "nc" or "telnet" as a
proxy client (no TLS)?

Normally, proxies that accept CONNECT requests do not listen on or
intercept port 80. Normally, CONNECT requests do not target port 80
either. Are you sure you are supposed to send a CONNECT request to port
80 and target an origin server port 80?

What do the WiFi providers tell you when you complain to _them_? Can
they get you in touch with the technical people responsible for their
Squids?

Alex.

> On Thu, Mar 3, 2022 at 6:28 PM Eliezer Croitoru <ngtech1ltd at gmail.com> wrote:
>
> I am not sure if it's for Squid-dev but anyway to clear out the
> doubts I would suggest attaching the squid.conf
> and remember to remove any sensitive data.
>
> Eliezer
>
> ----
> Eliezer Croitoru
> NgTech, Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1ltd at gmail.com
>
> From: squid-dev <squid-dev-bounces at lists.squid-cache.org> On Behalf Of YFone Ling
> Sent: Thursday, March 3, 2022 22:55
> To: squid-dev at lists.squid-cache.org
> Subject: [squid-dev] ERR_CONFLICT_HOST for HTTP CONNECT request on port 80
>
> My application sends HTTP CONNECT requests to a HTTP proxy port 80,
> but gets a squid ERR_CONFLICT_HOST error page.
>
> Is the following code really working as the comments pointed out
> "ignore them" since the following if condition is
> "http->request->method != Http::METHOD_CONNECT"
> and the rest has been blocked by error page
> "repContext->setReplyToError(ERR_CONFLICT_HOST, Http::scConflict,"?
>
> Does "ignore them" mean block them?
>
> void
> ClientRequestContext::hostHeaderVerifyFailed(const char *A, const char *B)
> {
>     // IP address validation for Host: failed. Admin wants to ignore them.
>     // NP: we do not yet handle CONNECT tunnels well, so ignore for them
>     if (!Config.onoff.hostStrictVerify && http->request->method != Http::METHOD_CONNECT) {
>         debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " << http->getConn()->clientConnection <<
>                "(" << A << "does not match " << B << ") on URL: " << http->request->effectiveRequestUri());
>
> How does the squid get "hostHeaderVerifyFailed" for a normal HTTP
> CONNECT request to a HTTP Proxy as simple as below?
>
> CONNECT www.zscaler.com:80 HTTP/1.1
> Host: www.zscaler.com:80
> User-Agent: Windows Microsoft Windows 10 Enterprise ZTunnel/1.0
> Proxy-Connection: keep-alive
> Connection: keep-alive
>
> HTTP/1.1 409 Conflict
> Server: squid
> Mime-Version: 1.0
> Date: Tue, 22 Feb 2022 20:59:42 GMT
> Content-Type: text/html;charset=utf-8
> Content-Length: 2072
> X-Squid-Error: ERR_CONFLICT_HOST 0
> Vary: Accept-Language
> Content-Language: en
> X-Cache: MISS from 3
> Via: 1.1 3 (squid)
> Connection: keep-alive
>
> </head><body id=ERR_CONFLICT_HOST>
> <div id="titles">
> <h1>ERROR</h1>
> <h2>The requested URL could not be retrieved</h2>
> </div>
> <hr>
>
> <div id="content">
> <p>The following error was encountered while trying to retrieve
> the URL: <a href="www.zscaler.com:80">www.zscaler.com:80</a></p>
> ......
>
> Thank you for any help on the understanding!
>
> Paul Ling
>
> _______________________________________________
> squid-dev mailing list
> squid-dev at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-dev
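
The question raised in the reply above, whether the CONNECT request on the wire really matches the pasted one, can be checked mechanically on a capture. This is an added example, not part of the thread and not Squid's verification code; `check_connect` and `squid_error` are hypothetical helper names, and the checks chosen (CRLF line endings, exactly one Host header, Host agreeing with the CONNECT target) are assumptions about what is worth ruling out on the client side.

```python
# Added example, not Squid code: client-side checks on a captured CONNECT exchange.

def parse_head(raw: bytes):
    """Return (start_line, [(lowercased name, value), ...]) for an HTTP/1.x message head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (line.partition(":") for line in lines[1:])]
    return lines[0], headers

def split_authority(authority: str):
    """Split host[:port]; port is None when absent or non-numeric."""
    host, sep, port = authority.rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return authority.lower(), None

def check_connect(raw: bytes):
    """Return a list of findings; an empty list means target and Host agree."""
    findings = []
    if b"\n" in raw.replace(b"\r\n", b""):
        findings.append("bare LF line ending")
    start, headers = parse_head(raw)
    parts = start.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        return findings + ["not a well-formed CONNECT request line"]
    t_host, t_port = split_authority(parts[1])
    if t_port is None:
        findings.append("CONNECT target has no port")
    hosts = [v for n, v in headers if n == "host"]
    if len(hosts) != 1:
        return findings + [f"expected one Host header, found {len(hosts)}"]
    h_host, h_port = split_authority(hosts[0])
    if h_host != t_host:
        findings.append(f"Host name {h_host!r} differs from target {t_host!r}")
    if h_port is not None and h_port != t_port:
        findings.append(f"Host port {h_port} differs from target port {t_port}")
    return findings

def squid_error(raw: bytes):
    """Return (status code, X-Squid-Error name or None) from a response head."""
    start, headers = parse_head(raw)
    err = dict(headers).get("x-squid-error")
    return int(start.split(" ")[1]), err.split(" ")[0] if err else None

# Request and response heads from this thread, abridged and re-typed with CRLF line endings.
REQUEST = (b"CONNECT www.zscaler.com:80 HTTP/1.1\r\nHost: www.zscaler.com:80\r\n"
           b"Proxy-Connection: keep-alive\r\nConnection: keep-alive\r\n\r\n")
RESPONSE = (b"HTTP/1.1 409 Conflict\r\nServer: squid\r\n"
            b"X-Squid-Error: ERR_CONFLICT_HOST 0\r\nConnection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    print(check_connect(REQUEST), squid_error(RESPONSE))
```

An empty findings list for the request as pasted, next to a 409 carrying `ERR_CONFLICT_HOST`, supports the point that the cause is not visible in the shared output.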