[squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

Alex Rousskov rousskov at measurement-factory.com
Thu Oct 29 15:05:29 UTC 2015


On 10/28/2015 10:46 PM, Amos Jeffries wrote:

> NP: these problems do not exist for forward proxies. Only for traffic
> hijacking interceptor proxies.

For intercepted connections, Squid should, with an admin permission,
connect to the intended IP address without validating whether that IP
address matches the domain name (and without any side effects of such
validation). In interception mode, the proxy should be as "invisible"
(or as "invasive") as the admin wants it to be IMO -- all validations
and protections should be optional. We could still enable them by
default, of course.

SslBumped CONNECT-to-IP tunnels are essentially intercepted connections
as well, even if they are using forwarding (not intercepting) http_ports.

Alex.



More information about the squid-users mailing list