[squid-users] Response Blocked from sites with multiple IPs (Host Header Forgery)
Eng Hooda
eenghooda at yahoo.com
Sat Jun 11 16:41:55 UTC 2016
Thank you for your response.
Here are the details you requested.
OS: Debian 8
How I intercept: iptables, then http_port 3128 transparent, https_port 3127 transparent ssl_bump ....
DNS is the same for proxy and client: 8.8.8.8, 8.8.4.4, no DNS caching service
Squid version: latest, self-compiled (I ran make install)
Best Regards,
Eng Hooda
--------------------------------------------
On Thu, 6/9/16, Eliezer Croitoru <eliezer at ngtech.co.il> wrote:
Subject: RE: [squid-users] Response Blocked from sites with multiple IPs (Host Header Forgery)
To: "'Eng Hooda'" <eenghooda at yahoo.com>, squid-users at lists.squid-cache.org
Date: Thursday, June 9, 2016, 11:29 PM
Hey,
There are a couple of basic missing parts about the setup.
- What OS are you using?
- How do you intercept the connections? Tproxy? Intercept?
- Does the client use the same DNS server as the proxy server?
- Are you using some kind of local caching service? Such as Bind\Unbound\PowerDNS\else?
- Is it a self-compiled version of squid or from a package?
All the above can affect the way we can help you.
Eliezer
----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Eng Hooda
Sent: Thursday, June 9, 2016 9:09 PM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Response Blocked from sites with multiple IPs (Host Header Forgery)
Hello Squid Users,
I have just started using squid less than a week ago.
My setup is a transparent proxy with sslbump; I peek for media streaming sites, then terminate their connections, then I splice all.
I noticed that some https sites (not all of the time) do not respond. When I investigated I found the following in cache.log:
3105 2016/06/09 12:45:40.630 kid1| SECURITY ALERT: on URL: mail.live.com:443
3106 2016/06/09 12:45:40.631 kid1| SECURITY ALERT: Host header forgery detected on local=157.55.43.16:443 remote=10.3.1.80:58328 FD 94 flags=33 (local IP does not match any domain IP)
3330 2016/06/09 13:26:26.676 kid1| SECURITY ALERT: on URL: mail.live.com:443
3331 2016/06/09 13:26:26.676 kid1| SECURITY ALERT: Host header forgery detected on local=157.56.122.210:443 remote=10.3.1.80:58414 FD 141 flags=33 (local IP does not match any domain IP)
3530 2016/06/09 13:49:49.481 kid1| SECURITY ALERT: on URL: mail.live.com:443
3531 2016/06/09 13:49:49.481 kid1| SECURITY ALERT: Host header forgery detected on local=157.55.43.17:443 remote=10.3.1.80:58616 FD 119 flags=33 (local IP does not match any domain IP)
I searched for a solution, which led me to (1st result):
http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
I read it and it seems to be a dead end.
What I understood is that the client requested a page from a certain IP, the reply came from another IP, and then it's blocked for security reasons.
Well, I tried to nslookup the mentioned IPs, and all of them are sub-domains of mail.live.com:
nslookup 157.55.43.16
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Name: origin.du111w.dub111.mail.live.com
Address: 157.55.43.16
nslookup 157.56.122.210
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Name: origin.du125w.dub125.mail.live.com
Address: 157.56.122.210
nslookup 157.55.43.17
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Name: origin.du112w.dub112.mail.live.com
Address: 157.55.43.17
I also tried to nslookup mail.live.com, and every time I get different IPs:
nslookup mail.live.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: dispatch.kahuna.glbdns2.microsoft.com
Addresses: 157.56.195.156
157.55.235.51
Aliases: mail.live.com
nslookup mail.live.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: dispatch.kahuna.glbdns2.microsoft.com
Addresses: 157.55.235.49
157.56.122.210
Aliases: mail.live.com
nslookup mail.live.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: dispatch.kahuna.glbdns2.microsoft.com
Addresses: 157.55.43.16
157.55.43.17
Aliases: mail.live.com
nslookup mail.live.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: dispatch.kahuna.glbdns2.microsoft.com
Addresses: 157.55.235.51
157.56.122.208
Aliases: mail.live.com
nslookup mail.live.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: dispatch.kahuna.glbdns2.microsoft.com
Addresses: 157.55.235.51
157.56.122.208
Aliases: mail.live.com
nslookup mail.live.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: dispatch.kahuna.glbdns2.microsoft.com
Addresses: 157.55.235.48
157.55.235.49
Aliases: mail.live.com
nslookup mail.live.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: dispatch.kahuna.glbdns2.microsoft.com
Addresses: 157.55.235.49
157.56.122.210
Aliases: mail.live.com
So can't squid learn that big sites have a lot of IPs mapped as sub-domains of it, and that they may reply from any of them?
Or just provide an option to disable this problematic security feature?
Or am I missing something here?
Thank you all in advance.
Best Regards,
Eng Hooda
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
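Added example, not part of the thread and not Squid's own code: a short Python script that parses the three cache.log events quoted above and replays the check Squid makes on an intercepted connection, namely "is the original destination IP one of the addresses the proxy itself resolves the Host/SNI name to?". Live DNS is replaced by two constructed lookup tables built from the rotating nslookup answers in the thread: `PROXY_VIEW` (one round-robin answer, as the proxy sees it) and `ALL_OBSERVED` (the union of every answer seen, standing in for a shared DNS cache that both client and proxy consult). The helper names, the tables, and the pairing of each "on URL" line with the "forgery detected" line that follows it are assumptions of this example.

```python
import re
from typing import Callable, Dict, List, Set

# Constructed sample: the three cache.log events from the thread, with wrapped lines rejoined.
SAMPLE_LOG = """\
2016/06/09 12:45:40.630 kid1| SECURITY ALERT: on URL: mail.live.com:443
2016/06/09 12:45:40.631 kid1| SECURITY ALERT: Host header forgery detected on local=157.55.43.16:443 remote=10.3.1.80:58328 FD 94 flags=33 (local IP does not match any domain IP)
2016/06/09 13:26:26.676 kid1| SECURITY ALERT: on URL: mail.live.com:443
2016/06/09 13:26:26.676 kid1| SECURITY ALERT: Host header forgery detected on local=157.56.122.210:443 remote=10.3.1.80:58414 FD 141 flags=33 (local IP does not match any domain IP)
2016/06/09 13:49:49.481 kid1| SECURITY ALERT: on URL: mail.live.com:443
2016/06/09 13:49:49.481 kid1| SECURITY ALERT: Host header forgery detected on local=157.55.43.17:443 remote=10.3.1.80:58616 FD 119 flags=33 (local IP does not match any domain IP)
"""

# Constructed DNS views (assumption of this example, derived from the nslookup output in the thread).
# PROXY_VIEW: a single round-robin answer, i.e. what the proxy gets from its own lookup.
PROXY_VIEW: Dict[str, Set[str]] = {"mail.live.com": {"157.56.195.156", "157.55.235.51"}}
# ALL_OBSERVED: every address any lookup returned, i.e. what a shared cache used by both sides could hold.
ALL_OBSERVED: Dict[str, Set[str]] = {"mail.live.com": {
    "157.56.195.156", "157.55.235.51", "157.55.235.49", "157.56.122.210",
    "157.55.43.16", "157.55.43.17", "157.56.122.208", "157.55.235.48",
}}

Resolver = Callable[[str], Set[str]]

URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<host>[^:\s]+):(?P<port>\d+)")
FORGERY_RE = re.compile(
    r"Host header forgery detected on local=(?P<local>[\d.]+):(?P<lport>\d+) "
    r"remote=(?P<remote>[\d.]+):(?P<rport>\d+)"
)


def make_resolver(view: Dict[str, Set[str]]) -> Resolver:
    """Turn a static lookup table into a resolver function (no network access)."""
    return lambda name: view.get(name, set())


def parse_alerts(log_text: str) -> List[Dict[str, str]]:
    """Pair each 'on URL' line with the 'forgery detected' line that follows it.

    Returns one record per event: the Host/SNI name Squid saw, the original
    destination IP of the intercepted connection (local=) and the client (remote=).
    """
    alerts: List[Dict[str, str]] = []
    pending_host = None
    for line in log_text.splitlines():
        m = URL_RE.search(line)
        if m:
            pending_host = m.group("host")
            continue
        m = FORGERY_RE.search(line)
        if m and pending_host:
            alerts.append({"host": pending_host, "local": m.group("local"), "remote": m.group("remote")})
            pending_host = None
    return alerts


def destination_is_plausible(host: str, dest_ip: str, resolve: Resolver) -> bool:
    """The verification behind the alert: the client's original destination must be
    one of the addresses the proxy resolves the claimed host name to."""
    return dest_ip in resolve(host)


def forged_destinations(log_text: str, resolve: Resolver) -> List[str]:
    """Destination IPs that would be rejected under the given DNS view, in log order."""
    return [a["local"] for a in parse_alerts(log_text)
            if not destination_is_plausible(a["host"], a["local"], resolve)]


if __name__ == "__main__":
    total = len(parse_alerts(SAMPLE_LOG))
    for label, view in (("one proxy lookup", PROXY_VIEW), ("shared-cache view", ALL_OBSERVED)):
        flagged = forged_destinations(SAMPLE_LOG, make_resolver(view))
        print(f"{label}: {len(flagged)} of {total} connections rejected: {flagged}")
```

Run as a script, it shows all three connections rejected when the proxy's own lookup returns a different round-robin subset than the client got, and none rejected when both sides draw from the same cached answer set. That is the point of Eliezer's questions about DNS and a local caching service: the check is only as good as the agreement between the client's and the proxy's view of the name, so the usual remedy is to give both the same resolver (a shared local cache) rather than to disable the check.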