[squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

Dan Charlesworth dan at getbusi.com
Thu Oct 8 05:41:08 UTC 2015


Same here—I've been meaning to ask the list about this too. I’m still on 3.5.9, by the way.

> On 6 Oct 2015, at 10:55 PM, Roel van Meer <roel at 1afa.com> wrote:
> 
> Hi everyone,
> 
> I have a Squid setup on a Linux box with transparent interception of both HTTP and HTTPS traffic. Everything worked fine with Squid 3.5.6. After upgrading to version 3.5.10, I get many warnings about host header forgery:
> 
> SECURITY ALERT: Host header forgery detected on local=104.46.50.125:443 remote=192.168.9.126:52588 FD 22 flags=33 (local IP does not match any domain IP)
> SECURITY ALERT: By user agent:
> SECURITY ALERT: on URL: nexus.officeapps.live.com:443
> 
> These warnings all seem to occur for https web sites that use multiple DNS records. The warnings coincide with the fact that the clients are unable to get the requested page.
> 
> I've read the wiki page http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
> and I can assert that:
> - we do NAT on the same box that is running Squid
> - both Squid and the clients use the same DNS server
> 
> I've also tested 3.5.9, and this version also showed these warnings.
> Version 3.5.7 worked fine, and 3.5.8 did too.
> 
> So, one of the changes in 3.5.9 caused this behaviour.
> 
> Can anyone shed some more light on this? Is this a problem in my setup that surfaced with 3.5.9, or is it a problem in Squid?
> 
> Thanks a lot for any help,
> 
> Roel
> 
> 
> My (abbreviated) config:
> 
> http_port 192.168.9.1:3128 ssl-bump cert=/etc/ssl/certs/server.pem
> http_port 192.168.9.1:3129 intercept
> https_port 192.168.9.1:3130 intercept ssl-bump cert=/etc/ssl/certs/server.pem
> icp_port 0
> 
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
> 
> acl port-direct myportname 192.168.9.1:3128
> ssl_bump none port-direct
> acl port-trans_https myportname 192.168.9.1:3130
> external_acl_type sni children-max=3 children-startup=1 %URI %SRC %METHOD %ssl::>sni /usr/bin/squidGuard-aclsni
> acl checksni external sni
> 
> ssl_bump peek port-trans_https step1
> ssl_bump terminate port-trans_https step2 checksni
> ssl_bump splice port-trans_https all
> 
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
> 
> 
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
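An added example, not part of either message in this thread and not Squid project code: a triage script that folds the three-line SECURITY ALERT groups quoted above into one record each and reports, per host, which destination IPs the clients connected to that a resolver does not currently return, which is the "local IP does not match any domain IP" condition. The function names, the second log entry and the DNS answers are constructed for illustration.

```python
import re
import socket
from collections import defaultdict

HEAD = re.compile(r"Host header forgery detected on local=([\d.]+):\d+ "
                  r"remote=([\d.]+):\d+ .*\((.*)\)")
URL = re.compile(r"SECURITY ALERT: on URL: (\S+?)(?::\d+)?$")

def parse_alerts(text):
    """One record per alert; search() tolerates a timestamp prefix. IPv4 only."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = HEAD.search(line)
        if m:
            cur = {"dst": m.group(1), "client": m.group(2), "reason": m.group(3), "host": None}
            alerts.append(cur)
        elif cur is not None and (m := URL.search(line.strip())):
            cur["host"] = m.group(1)   # host:port form, as logged for intercepted TLS
            cur = None
    return alerts

def system_dns(host):  # IPv4 answers as seen from the machine running this script
    return {ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)}

def report(alerts, resolve=system_dns):
    """Per host: destination IPs clients used that the resolver does not return now."""
    out = defaultdict(lambda: {"clients": set(), "dsts": set()})
    for a in alerts:
        if a["host"]:
            out[a["host"]]["clients"].add(a["client"])
            out[a["host"]]["dsts"].add(a["dst"])
    for host, rec in out.items():
        try:
            rec["answers"] = set(resolve(host))
        except OSError:                # lookup failed: nothing to match against
            rec["answers"] = set()
        rec["unmatched"] = rec["dsts"] - rec["answers"]
    return dict(out)

# First alert is the one quoted in the message; the second is constructed.
SAMPLE_LOG = """\
SECURITY ALERT: Host header forgery detected on local=104.46.50.125:443 remote=192.168.9.126:52588 FD 22 flags=33 (local IP does not match any domain IP)
SECURITY ALERT: By user agent:
SECURITY ALERT: on URL: nexus.officeapps.live.com:443
SECURITY ALERT: Host header forgery detected on local=203.0.113.10:443 remote=192.168.9.40:40112 FD 31 flags=33 (local IP does not match any domain IP)
SECURITY ALERT: By user agent:
SECURITY ALERT: on URL: cdn.example.test:443
"""
CONSTRUCTED_DNS = {"nexus.officeapps.live.com": {"198.51.100.7"}, "cdn.example.test": {"203.0.113.10"}}
```

Run on the Squid box with the default resolver, `report(parse_alerts(log_text))` shows which hosts keep producing destinations outside Squid's own DNS view; an empty `unmatched` set for a host that did alert means the answer set has changed again since the alert was logged.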


