[squid-users] Response Blocked from sites with multiple IPs (Host Header Forgery)

Eng Hooda eenghooda at yahoo.com
Sat Jun 11 16:41:55 UTC 2016


Thank you for your response.
Here are the details you requested.

OS: Debian 8
How I intercept: iptables, then http_port 3128 transparent, https_port 3127 transparent ssl_bump ....
DNS is the same for proxy and client: 8.8.8.8, 8.8.4.4, no DNS caching service
squid version: latest self compiled (I ran make install)

Best Regards,
Eng Hooda

--------------------------------------------
On Thu, 6/9/16, Eliezer Croitoru <eliezer at ngtech.co.il> wrote:

 Subject: RE: [squid-users] Response Blocked from sites with multiple IPs (Host Header Forgery)
 To: "'Eng Hooda'" <eenghooda at yahoo.com>, squid-users at lists.squid-cache.org
 Date: Thursday, June 9, 2016, 11:29 PM
 
 
 Hey,
 
 There are a couple of basic missing parts about the setup.
 
 -       What OS are you using?
 -       How do you intercept the connections? Tproxy? Intercept?
 -       Do the clients use the same DNS server as the proxy server?
 -       Are you using some kind of local caching service? Such as Bind\Unbound\PowerDNS\else?
 -       Is it a self compiled version of squid or from a package?
 
 All the above can affect the way we can help you.
 
 Eliezer
 
 ----
 Eliezer Croitoru
 Linux System Administrator
 Mobile: +972-5-28704261
 Email: eliezer at ngtech.co.il
 
 
 -----Original Message-----
 From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Eng Hooda
 Sent: Thursday, June 9, 2016 9:09 PM
 To: squid-users at lists.squid-cache.org
 Subject: [squid-users] Response Blocked from sites with multiple IPs (Host Header Forgery)
 
 Hello Squid Users,
 
 I have just started using squid less than a week ago.
 
 My setup is a transparent proxy with sslbump; I peek for media streaming sites, then terminate their connections, then I splice all.
 
 I noticed that some https sites (not all of the time) do not respond. When I investigated I found the following in cache.log:
 
 
 2016/06/09 12:45:40.630 kid1| SECURITY ALERT: on URL: mail.live.com:443
 2016/06/09 12:45:40.631 kid1| SECURITY ALERT: Host header forgery detected on local=157.55.43.16:443 remote=10.3.1.80:58328 FD 94 flags=33 (local IP does not match any domain IP)
 2016/06/09 13:26:26.676 kid1| SECURITY ALERT: on URL: mail.live.com:443
 2016/06/09 13:26:26.676 kid1| SECURITY ALERT: Host header forgery detected on local=157.56.122.210:443 remote=10.3.1.80:58414 FD 141 flags=33 (local IP does not match any domain IP)
 2016/06/09 13:49:49.481 kid1| SECURITY ALERT: on URL: mail.live.com:443
 2016/06/09 13:49:49.481 kid1| SECURITY ALERT: Host header forgery detected on local=157.55.43.17:443 remote=10.3.1.80:58616 FD 119 flags=33 (local IP does not match any domain IP)
 
 
 I searched for a solution which led me to (1st result):
 
 http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
 
 I read it and it seems to be a dead end.
 
 What I understood is that the client requested a page from a certain IP, the reply came from another IP, then it's blocked for security reasons.
 
 
 Well I tried to nslookup the mentioned IPs, and all of them are sub domains of mail.live.com:
 
 nslookup 157.55.43.16
 Server:  google-public-dns-a.google.com
 Address:  8.8.8.8
 
 Name:    origin.du111w.dub111.mail.live.com
 Address:  157.55.43.16
 
 nslookup 157.56.122.210
 Server:  google-public-dns-a.google.com
 Address:  8.8.8.8
 
 Name:    origin.du125w.dub125.mail.live.com
 Address:  157.56.122.210
 
 nslookup 157.55.43.17
 Server:  google-public-dns-a.google.com
 Address:  8.8.8.8
 
 Name:    origin.du112w.dub112.mail.live.com
 Address:  157.55.43.17
 
 
 I also tried to nslookup mail.live.com, and every time I get different IPs:
 
 nslookup mail.live.com
 Server:  google-public-dns-a.google.com
 Address:  8.8.8.8
 
 Non-authoritative answer:
 Name:    dispatch.kahuna.glbdns2.microsoft.com
 Addresses:  157.56.195.156
           157.55.235.51
 Aliases:  mail.live.com
 
 nslookup mail.live.com
 Server:  google-public-dns-a.google.com
 Address:  8.8.8.8
 
 Non-authoritative answer:
 Name:    dispatch.kahuna.glbdns2.microsoft.com
 Addresses:  157.55.235.49
           157.56.122.210
 Aliases:  mail.live.com
 
 nslookup mail.live.com
 Server:  google-public-dns-a.google.com
 Address:  8.8.8.8
 
 Non-authoritative answer:
 Name:    dispatch.kahuna.glbdns2.microsoft.com
 Addresses:  157.55.43.16
           157.55.43.17
 Aliases:  mail.live.com
 
 nslookup mail.live.com
 Server:  google-public-dns-a.google.com
 Address:  8.8.8.8
 
 Non-authoritative answer:
 Name:    dispatch.kahuna.glbdns2.microsoft.com
 Addresses:  157.55.235.51
           157.56.122.208
 Aliases:  mail.live.com
 
 nslookup mail.live.com
 Server:  google-public-dns-a.google.com
 Address:  8.8.8.8
 
 Non-authoritative answer:
 Name:    dispatch.kahuna.glbdns2.microsoft.com
 Addresses:  157.55.235.51
           157.56.122.208
 Aliases:  mail.live.com
 
 nslookup mail.live.com
 Server:  google-public-dns-a.google.com
 Address:  8.8.8.8
 
 Non-authoritative answer:
 Name:    dispatch.kahuna.glbdns2.microsoft.com
 Addresses:  157.55.235.48
           157.55.235.49
 Aliases:  mail.live.com
 
 nslookup mail.live.com
 Server:  google-public-dns-a.google.com
 Address:  8.8.8.8
 
 Non-authoritative answer:
 Name:    dispatch.kahuna.glbdns2.microsoft.com
 Addresses:  157.55.235.49
           157.56.122.210
 Aliases:  mail.live.com
 
 
 So can't squid learn that big sites have a lot of IPs mapped as sub-domains of it, and they may reply from any of them?
 
 Or just provide an option to disable this problematic security feature?
 
 Or am I missing something here?
 
 Thank you all in advance.
 
 Best Regards,
 
 Eng Hooda
 
 _______________________________________________
 squid-users mailing list
 squid-users at lists.squid-cache.org
 http://lists.squid-cache.org/listinfo/squid-users
 