[squid-users] More host header forgery pain with peek/splice

Steve Hill steve at opendium.com
Thu Aug 25 16:17:46 UTC 2016


This one just seems to keep coming up and I'm wondering how other people 
are dealing with it:

When you peek and splice a transparently proxied connection, the SNI 
goes through the host validation phase.  Squid does a DNS lookup for the 
SNI, and if it doesn't resolve to the IP address that the client is 
connecting to, Squid drops the connection.

When accessing one of the increasingly common websites that use DNS load 
balancing, since the DNS results change on each lookup, Squid and the 
client may not get the same DNS results, so Squid drops perfectly good 
connections.

Most of this problem goes away if you ensure all the clients use the 
same DNS server as squid, but not quite.  Because the TTL on DNS records 
only has a resolution of 1 second, there is a period of up to 1 second 
when the DNS records Squid knows about don't match the ones that the 
client knows about.  The client and squid may expire the records up to 1 
second apart.

So what's the solution?  (Notably the validation check can't be disabled 
without hacking the code).

-- 
  - Steve Hill
    Technical Director
    Opendium    Online Safety / Web Filtering    http://www.opendium.com

    Enquiries                 Support
    ---------                 -------
    sales at opendium.com        support at opendium.com
    +44-1792-824568           +44-1792-825748
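The validation check and the timing race described in the post, replayed as an added example. This is not Squid's code and not from the original message: the resolver classes, the `192.0.2.x` addresses and `TolerantChecker` are constructed assumptions, and the tolerant check in particular is a hypothetical design showing what a less brittle validation could look like, not an option Squid offers.

```python
import itertools
import math


class RoundRobinAuthority:
    """Constructed toy authoritative server: each query gets the next address
    in the name's pool, which is how DNS load balancing rotates answers."""
    def __init__(self, zone, ttl):
        self.ttl = ttl
        self._pools = {name: itertools.cycle(addrs) for name, addrs in zone.items()}

    def query(self, name, now=None):
        return next(self._pools[name]), self.ttl


class CachingResolver:
    """Caching resolver in front of the authority.  TTLs are whole seconds, so the
    remaining TTL it hands out is rounded (up, in this model); that rounding is what
    lets two hosts sharing one resolver expire the same record up to 1 s apart."""
    def __init__(self, upstream):
        self.upstream = upstream
        self.records = {}  # name -> (addr, expires_at)

    def query(self, name, now):
        rec = self.records.get(name)
        if rec is None or now >= rec[1]:
            addr, ttl = self.upstream.query(name, now)
            rec = (addr, now + ttl)
            self.records[name] = rec
        return rec[0], max(1, math.ceil(round(rec[1] - now, 6)))


class StubCache:
    """Per-host stub resolver cache: one instance for the client, one for Squid."""
    def __init__(self, server):
        self.server = server
        self.records = {}  # name -> (addr, expires_at)

    def resolve(self, name, now, force=False):
        rec = self.records.get(name)
        if force or rec is None or now >= rec[1]:
            addr, ttl = self.server.query(name, now)
            rec = (addr, now + ttl)
            self.records[name] = rec
        return rec[0]


def strict_check(squid_cache, sni, dest_ip, now):
    """The check as the post describes it: the peeked SNI must resolve, through
    Squid's own resolver, to exactly the address the client connected to."""
    return squid_cache.resolve(sni, now) == dest_ip


class TolerantChecker:
    """Hypothetical alternative (an assumption, not Squid's behaviour): accept if the
    destination is any address Squid has seen for the name within `window` seconds,
    re-resolving once (bypassing Squid's own TTL cache) before rejecting."""
    def __init__(self, squid_cache, window=5.0):
        self.cache = squid_cache
        self.window = window
        self.seen = {}  # name -> {addr: last_seen_at}

    def _recent(self, name, now):
        return {a for a, t in self.seen.get(name, {}).items() if now - t <= self.window}

    def check(self, sni, dest_ip, now):
        self.seen.setdefault(sni, {})[self.cache.resolve(sni, now)] = now
        if dest_ip in self._recent(sni, now):
            return True
        self.seen[sni][self.cache.resolve(sni, now, force=True)] = now
        return dest_ip in self._recent(sni, now)


ZONE = {"www.example.com": ["192.0.2.10", "192.0.2.20"]}  # constructed addresses


def simulate_shared_resolver():
    """Client and Squid share one resolver; the 1 s TTL rounding still bites."""
    shared = CachingResolver(RoundRobinAuthority(ZONE, ttl=1))
    client, squid = StubCache(shared), StubCache(shared)
    sni = "www.example.com"
    first_ip = client.resolve(sni, now=0.0)   # client caches .10 until t=1.0
    squid.resolve(sni, now=0.5)               # Squid gets .10, TTL rounded up: until t=1.5
    ok_before = strict_check(squid, sni, first_ip, now=0.6)
    second_ip = client.resolve(sni, now=1.2)  # client's record expired; resolver now serves .20
    ok_strict = strict_check(squid, sni, second_ip, now=1.2)   # Squid still holds .10
    ok_tolerant = TolerantChecker(squid).check(sni, second_ip, now=1.2)
    return {"before_skew": ok_before, "strict_in_skew": ok_strict,
            "tolerant_in_skew": ok_tolerant, "ips": (first_ip, second_ip)}


def simulate_separate_resolvers():
    """Client and Squid use different caching resolvers: round-robin alone drops it."""
    auth = RoundRobinAuthority(ZONE, ttl=30)
    client, squid = StubCache(CachingResolver(auth)), StubCache(CachingResolver(auth))
    sni = "www.example.com"
    dest_ip = client.resolve(sni, now=0.0)    # client's resolver got .10
    ok_strict = strict_check(squid, sni, dest_ip, now=0.3)     # Squid's resolver got .20
    ok_tolerant = TolerantChecker(squid).check(sni, dest_ip, now=0.3)
    return {"strict": ok_strict, "tolerant": ok_tolerant}
```

`simulate_shared_resolver()` reproduces the window from the post: the client's record expires at t=1.0, Squid's rounded copy at t=1.5, and a connection made at t=1.2 to the freshly rotated address fails the strict check even though both hosts asked the same resolver. The tolerant variant accepts it because a forced re-resolve against the shared resolver returns the new address, while still rejecting any destination the name has never resolved to. `simulate_separate_resolvers()` shows the limit of that idea: when Squid sits behind its own caching resolver, re-resolving just returns that resolver's cached answer, so neither check passes, which is why the post's advice to point clients and Squid at the same DNS server removes most of the problem.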

