[squid-users] Host header forgery detected
Amos Jeffries
squid3 at treenet.co.nz
Tue Jan 27 04:41:19 UTC 2015
On 27/01/2015 11:13 a.m., Yuri Voinov wrote:
>
> Hi gents,
>
> who knows - what does it mean below?
>
> 2015/01/27 04:11:42.289 kid1| SECURITY ALERT: Host header forgery detected on local=192.168.200.3:80 remote=192.168.200.5:9909 FD 18 flags=33 (intercepted port does not match 443)
> 2015/01/27 04:11:42.289 kid1| SECURITY ALERT: By user agent:
> 2015/01/27 04:11:42.289 kid1| SECURITY ALERT: on URL: stnd-lueg.crsi.symantec.com:443
> 2015/01/27 04:11:42.289 kid1| abandoning local=192.168.200.3:80 remote=192.168.200.5:9909 FD 18 flags=33

http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery

Notice how the origin-server request being intercepted on port *80*
says it's on port *443*.

This is either one of the actual attacks the forgery protection was
put in place to prevent (yes, they do happen). Or you have a NAT
somewhere mapping port 443 onto port 80 before it gets to the proxy
machine.

Amos
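
Added example, not part of the original message and not Squid code: a Python triage script that parses the alert lines quoted above and counts, per client, the requests intercepted on one port while claiming another. The function names are hypothetical, and the sample log is the text from the quoted message.

```python
import re
from collections import Counter

# Sample input: the cache.log lines from the quoted message, one entry per line.
SAMPLE_LOG = """\
2015/01/27 04:11:42.289 kid1| SECURITY ALERT: Host header forgery detected on local=192.168.200.3:80 remote=192.168.200.5:9909 FD 18 flags=33 (intercepted port does not match 443)
2015/01/27 04:11:42.289 kid1| SECURITY ALERT: By user agent:
2015/01/27 04:11:42.289 kid1| SECURITY ALERT: on URL: stnd-lueg.crsi.symantec.com:443
2015/01/27 04:11:42.289 kid1| abandoning local=192.168.200.3:80 remote=192.168.200.5:9909 FD 18 flags=33
"""

ALERT = re.compile(
    r"SECURITY ALERT: Host header forgery detected on "
    r"local=(?P<local>\S+):(?P<lport>\d+) remote=(?P<remote>\S+):(?P<rport>\d+) "
    r".*\((?P<reason>[^()]*)\)\s*$")
URL = re.compile(r"SECURITY ALERT: on URL: (?P<url>\S+)")
PORT_REASON = re.compile(r"intercepted port does not match (\d+)$")

def parse_alerts(text):
    """Group each forgery alert with the 'on URL:' line that follows it."""
    alerts, current = [], None
    for line in text.splitlines():
        m = ALERT.search(line)
        if m:
            current = dict(m.groupdict(), url=None)
            alerts.append(current)
        elif current is not None and (u := URL.search(line)):
            current["url"] = u.group("url")
            current = None
    return alerts

def port_mismatch(alert):
    """Return (intercepted_port, claimed_port) for port-mismatch alerts, else None."""
    m = PORT_REASON.search(alert["reason"])
    return (int(alert["lport"]), int(m.group(1))) if m else None

def summarize(text):
    """Count port-mismatch alerts per (client IP, intercepted port, claimed port)."""
    counts = Counter()
    for a in parse_alerts(text):
        pm = port_mismatch(a)
        if pm:
            counts[(a["remote"], *pm)] += 1
    return counts

if __name__ == "__main__":
    for (client, seen, claimed), n in summarize(SAMPLE_LOG).items():
        print(f"{client}: {n} request(s) intercepted on port {seen} claiming port {claimed}")
```

As a triage assumption (not something Squid reports), the same port pair recurring across many clients fits the NAT mapping described in the reply, while an isolated client is worth a closer look.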