[squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

Eliezer Croitoru eliezer at ngtech.co.il
Thu Oct 8 08:51:32 UTC 2015


Hey,

Are the users and the proxy using different DNS servers?
Can you run dig from the proxy on this domain and dump the content to
verify that the IP is indeed there?

Eliezer

On 06/10/2015 14:55, Roel van Meer wrote:
> Hi everyone,
>
> I have a Squid setup on a linux box with transparent interception of
> both http and https traffic. Everything worked fine with Squid 3.5.6.
> After upgrading to version 3.5.10, I get many warnings about host header
> forgery:
>
>   SECURITY ALERT: Host header forgery detected on
> local=104.46.50.125:443 remote=192.168.9.126:52588 FD 22 flags=33 (local
> IP does not match any domain IP)
>   SECURITY ALERT: By user agent:
>   SECURITY ALERT: on URL: nexus.officeapps.live.com:443
>
> These warnings all seem to occur for https web sites that use multiple
> DNS records. The warnings coincide with the fact that the clients are
> unable to get the requested page.
>
> I've read the wiki page
> http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
> and I can assert that:
> - we do NAT on the same box that is running Squid
> - both squid and the clients use the same DNS server
>
> I've also tested 3.5.9, and this version also showed these warnings.
> Version 3.5.7 worked fine, and 3.5.8 did too.
>
> So, one of the changes in 3.5.9 caused this behaviour.
>
> Can anyone shed some more light on this? Is this a problem in my setup
> that surfaced with 3.5.9, or is it a problem in Squid?
>
> Thanks a lot for any help,
>
> Roel
>
>
> My (abbreviated) config:
>
> http_port 192.168.9.1:3128 ssl-bump cert=/etc/ssl/certs/server.pem
> http_port 192.168.9.1:3129 intercept
> https_port 192.168.9.1:3130 intercept ssl-bump cert=/etc/ssl/certs/server.pem
> icp_port 0
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>
> acl port-direct myportname 192.168.9.1:3128
> ssl_bump none port-direct
> acl port-trans_https myportname 192.168.9.1:3130
> external_acl_type sni children-max=3 children-startup=1 %URI %SRC %METHOD %ssl::>sni /usr/bin/squidGuard-aclsni
> acl checksni external sni
>
> ssl_bump peek port-trans_https step1
> ssl_bump terminate port-trans_https step2 checksni
> ssl_bump splice port-trans_https all
>
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
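The check Eliezer suggests (resolve the name from the proxy and see whether the intercepted destination IP appears in the answer) is what Squid itself performs before logging the alert quoted above. The script below is an added example, not code from this thread or from Squid: it parses the alert text from cache.log and re-runs that comparison. It assumes IPv4 and a constructed copy of the thread's alert; the resolver is injectable so the sample runs offline, and `resolve_a` does the live lookup through the proxy's own resolver.

```python
"""Reproduce Squid's host-header-forgery comparison for one cache.log alert.

Squid compares the intercepted destination ("local=") with the A records it
resolves for the SNI/Host name; no match -> SECURITY ALERT. With round-robin
DNS the client and the proxy can receive disjoint answers, which is why the
alerts in the thread cluster on names with many records.
"""
import re
import socket
from typing import Callable, Optional

# Constructed sample, modelled on the alert quoted in the thread (not a real log).
SAMPLE_ALERT = """\
SECURITY ALERT: Host header forgery detected on local=104.46.50.125:443
remote=192.168.9.126:52588 FD 22 flags=33 (local IP does not match any domain IP)
SECURITY ALERT: By user agent:
SECURITY ALERT: on URL: nexus.officeapps.live.com:443
"""

IP_RE = re.compile(r"local=(\d{1,3}(?:\.\d{1,3}){3}):\d+")      # IPv4 only
HOST_RE = re.compile(r"on URL:\s*([A-Za-z0-9.-]+)(?::\d+)?")


def parse_alert(text: str) -> Optional[tuple[str, str]]:
    """Return (intercepted destination IP, requested host) or None."""
    ip, host = IP_RE.search(text), HOST_RE.search(text)
    return (ip.group(1), host.group(1)) if ip and host else None


def resolve_a(host: str) -> set[str]:
    """Live A-record lookup via the proxy's configured resolver (Squid's path)."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)}


def check_forgery(local_ip: str, host: str,
                  resolver: Callable[[str], set[str]] = resolve_a) -> dict:
    """Re-run Squid's comparison; 'no-match' is the condition that logs the alert."""
    try:
        answers = resolver(host)
    except OSError:                      # socket.gaierror is an OSError
        return {"verdict": "unresolvable", "answers": set()}
    return {"verdict": "match" if local_ip in answers else "no-match",
            "answers": answers}


if __name__ == "__main__":
    local_ip, host = parse_alert(SAMPLE_ALERT)
    # Constructed resolver: a round-robin answer that omits the client's chosen IP.
    stale = lambda h: {"104.46.50.130", "104.46.50.131"}
    print(check_forgery(local_ip, host, stale))      # {'verdict': 'no-match', ...}
    print(check_forgery(local_ip, host))             # live check from this host
```

Run it on the proxy itself: if the live lookup returns `match` while Squid still alerts, the proxy and clients are not really sharing a resolver view (or the answer changed between the client's lookup and Squid's).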
