[squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9
Roel van Meer
roel at 1afa.com
Tue Oct 6 11:55:33 UTC 2015
Hi everyone,
I have a Squid setup on a linux box with transparent interception of both
http and https traffic. Everything worked fine with Squid 3.5.6. After
upgrading to version 3.5.10, I get many warnings about host header forgery:
SECURITY ALERT: Host header forgery detected on local=104.46.50.125:443 remote=192.168.9.126:52588 FD 22 flags=33 (local IP does not match any domain IP)
SECURITY ALERT: By user agent:
SECURITY ALERT: on URL: nexus.officeapps.live.com:443
These warnings all seem to occur for https web sites that use multiple DNS
records. The warnings coincide with the fact that the clients are unable to
get the requested page.
I've read the wiki page http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
and I can assert that:
- we do NAT on the same box that is running Squid
- both squid and the clients use the same DNS server
I've also tested 3.5.9, and this version also showed these warnings.
Version 3.5.7 worked fine, and 3.5.8 did too.
So, one of the changes in 3.5.9 caused this behaviour.
Can anyone shed some more light on this? Is this a problem in my setup that
surfaced with 3.5.9, or is it a problem in Squid?
Thanks a lot for any help,
Roel
My (abbreviated) config:
# explicit proxy port (ssl-bump enabled for CONNECT), plus NAT-intercepted HTTP and HTTPS ports
http_port 192.168.9.1:3128 ssl-bump cert=/etc/ssl/certs/server.pem
http_port 192.168.9.1:3129 intercept
https_port 192.168.9.1:3130 intercept ssl-bump cert=/etc/ssl/certs/server.pem
icp_port 0
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
# connections that arrived on the explicit proxy port are never bumped
acl port-direct myportname 192.168.9.1:3128
ssl_bump none port-direct
acl port-trans_https myportname 192.168.9.1:3130
# external helper gets URI, client IP, method and TLS SNI; used to decide which names to terminate
external_acl_type sni children-max=3 children-startup=1 %URI %SRC %METHOD %ssl::>sni /usr/bin/squidGuard-aclsni
acl checksni external sni
# intercepted HTTPS: peek at step 1 to learn the SNI, terminate matches at step 2, splice everything else
ssl_bump peek port-trans_https step1
ssl_bump terminate port-trans_https step2 checksni
ssl_bump splice port-trans_https all
# server certificate errors are ignored and peer verification is disabled
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
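The check behind the alert quoted above, as an added example that is not part of the original post and not Squid's own code: in intercept mode Squid compares the destination address the client actually connected to (the NAT "local" address in the alert) with the addresses the proxy itself resolves for the name the client supplied (Host header, or TLS SNI on an intercepted https_port), and flags the request when the two do not overlap. The script below models that rule, parses the three alert lines from the post out of a cache.log-style input, and re-evaluates each alert against the proxy's DNS view so an admin can see whether the flagged names are multi-record names. DNS is replaced by a hard-coded table so it runs offline; the table's addresses are constructed (RFC 5737 documentation ranges), not the real records for any name, and the second alert block and the noise line are constructed too. The function names and the triage output format are this example's own.

```python
"""Offline model of Squid's intercept-mode Host header forgery check (example, not Squid code)."""
import re
from typing import Dict, List, Optional, Tuple

# IPv4 only, which is enough for the alert format quoted in the post.
ALERT_RE = re.compile(
    r"Host header forgery detected on local=(?P<local>[\d.]+):(?P<lport>\d+) "
    r"remote=(?P<remote>[\d.]+):(?P<rport>\d+)"
)
# "on URL:" carries host:port for CONNECT/SNI and a full URL for plain HTTP; keep only the host.
URL_RE = re.compile(r"on URL: (?:\w+://)?(?P<host>[^:\s/]+)")


def parse_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """Pair each 'forgery detected' line with the 'on URL:' line that follows it."""
    alerts: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            current = {"local": m["local"], "port": m["lport"], "remote": m["remote"]}
            alerts.append(current)
            continue
        m = URL_RE.search(line)
        if m and current is not None and "host" not in current:
            current["host"] = m["host"].lower()
    return [a for a in alerts if "host" in a]


class Resolver:
    """Stand-in for the proxy's DNS view: name -> list of A records (constructed data)."""

    def __init__(self, table: Dict[str, List[str]]) -> None:
        self.table = {k.lower(): list(v) for k, v in table.items()}

    def lookup(self, name: str) -> List[str]:
        return list(self.table.get(name.lower(), []))


def verify_destination(local_ip: str, host: str, resolver: Resolver) -> Tuple[bool, str]:
    """The rule the alert text describes: the intercepted destination must be one of
    the addresses the proxy resolves for the client-supplied name."""
    addrs = resolver.lookup(host)
    if not addrs:
        return False, "name does not resolve"
    if local_ip in addrs:
        return True, "local IP matches a domain IP"
    return False, "local IP does not match any domain IP"


def triage(log_lines: List[str], resolver: Resolver) -> List[Dict[str, object]]:
    """Re-check every alert against the proxy's current DNS view and note how many
    records the name has. Several records plus a mismatch points at rotating or
    partial DNS answers (client and proxy saw different subsets) rather than a
    forged Host header."""
    rows: List[Dict[str, object]] = []
    for a in parse_alerts(log_lines):
        ok, why = verify_destination(a["local"], a["host"], resolver)
        rows.append({"host": a["host"], "local": a["local"], "client": a["remote"],
                     "records": len(resolver.lookup(a["host"])), "ok": ok, "reason": why})
    return rows


# Constructed DNS view of the proxy: the first name has several records, none of
# which is the address the client connected to; the second name has one record.
PROXY_VIEW = Resolver({
    "nexus.officeapps.live.com": ["198.51.100.10", "198.51.100.11", "198.51.100.12"],
    "cdn.example": ["198.51.100.20", "198.51.100.21"],
    "single.example": ["203.0.113.5"],
})

# Constructed cache.log excerpt: the three lines quoted in the post, one unrelated
# line, and a second alert block in the same format made up for this example.
CACHE_LOG = [
    "SECURITY ALERT: Host header forgery detected on local=104.46.50.125:443 "
    "remote=192.168.9.126:52588 FD 22 flags=33 (local IP does not match any domain IP)",
    "SECURITY ALERT: By user agent:",
    "SECURITY ALERT: on URL: nexus.officeapps.live.com:443",
    "2015/10/06 11:00:00 kid1| storeLateRelease: released 0 objects",
    "SECURITY ALERT: Host header forgery detected on local=198.51.100.99:443 "
    "remote=192.168.9.77:40001 FD 30 flags=33 (local IP does not match any domain IP)",
    "SECURITY ALERT: By user agent:",
    "SECURITY ALERT: on URL: cdn.example:443",
]

if __name__ == "__main__":
    for row in triage(CACHE_LOG, PROXY_VIEW):
        print(row)
    print(verify_destination("203.0.113.5", "single.example", PROXY_VIEW))
```

Run against a real cache.log, swapping Resolver for socket.getaddrinfo on the proxy itself, and the "records" column tells you which flagged names are round-robin or CDN names; with such names the answer the client got can differ from the answer Squid gets moments later even when both ask the same DNS server, which produces exactly this alert without any forgery.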