[squid-users] More host header forgery pain with peek/splice
Steve Hill
steve at opendium.com
Thu Aug 25 16:17:46 UTC 2016
This one just seems to keep coming up and I'm wondering how other people
are dealing with it:
When you peek and splice a transparently proxied connection, the SNI
goes through the host validation phase. Squid does a DNS lookup for the
SNI, and if it doesn't resolve to the IP address that the client is
connecting to, Squid drops the connection.
When accessing one of the increasingly common websites that use DNS load
balancing, since the DNS results change on each lookup, Squid and the
client may not get the same DNS results, so Squid drops perfectly good
connections.
Most of this problem goes away if you ensure all the clients use the
same DNS server as squid, but not quite. Because the TTL on DNS records
only has a resolution of 1 second, there is a period of up to 1 second
when the DNS records Squid knows about don't match the ones that the
client knows about. The client and squid may expire the records up to 1
second apart.
So what's the solution? (Notably the validation check can't be disabled
without hacking the code).
--
- Steve Hill
Technical Director
Opendium Online Safety / Web Filtering http://www.opendium.com
Enquiries: sales at opendium.com, +44-1792-824568
Support: support at opendium.com, +44-1792-825748
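To make the failure mode concrete, here is an added model of the check described above (not Squid's code, and not from the original post): the proxy re-resolves the client's SNI and accepts the connection only if the client's destination IP is in the proxy's own answer set. The round-robin resolver, the address pool and the hostname are constructed for the example; it shows why comparing against a single answer drops good connections under DNS load balancing while comparing against the whole answer set does not, which still leaves the TTL-skew case unsolved.

```python
"""Model of a transparent proxy's SNI host-forgery check (added example, not Squid code)."""

# Constructed round-robin zone: every lookup returns the full A record set,
# rotated one step, as DNS load balancers commonly do.
_POOL = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
_HOST = "www.example.com"  # constructed hostname


class RoundRobinResolver:
    """Returns the whole answer set and rotates it for the next query."""

    def __init__(self, pool):
        self._pool = list(pool)

    def lookup(self, name):
        answers = list(self._pool)
        self._pool.append(self._pool.pop(0))  # rotate for the next caller
        return answers


def check_first_answer_only(dst_ip, sni, resolver):
    """Naive check: the destination must equal the first resolved address."""
    return resolver.lookup(sni)[0] == dst_ip


def check_any_answer(dst_ip, sni, resolver):
    """Check against the whole answer set: tolerates round-robin ordering.
    It does not help when the proxy's cached set differs from the client's,
    e.g. because the two expired the TTL up to a second apart."""
    return dst_ip in resolver.lookup(sni)


def simulate(check, attempts=6):
    """Client resolves the SNI and connects to its first answer; the proxy
    re-resolves and runs `check`.  Returns how many connections get dropped."""
    client_res = RoundRobinResolver(_POOL)
    proxy_res = RoundRobinResolver(_POOL)
    proxy_res.lookup(_HOST)  # proxy's cache is one rotation out of phase
    dropped = 0
    for _ in range(attempts):
        dst_ip = client_res.lookup(_HOST)[0]
        if not check(dst_ip, _HOST, proxy_res):
            dropped += 1
    return dropped


if __name__ == "__main__":
    print("first-answer check drops:", simulate(check_first_answer_only))  # 6
    print("any-answer check drops:  ", simulate(check_any_answer))         # 0
```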