[squid-users] squid 3.5.24 Host header forgery detected

hellname hellname hellname at bk.ru
Mon Mar 6 11:43:42 UTC 2017


Hello. I have the squid 3.5.24 from source:
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/include' '--mandir=/share/man' '--infodir=/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/lib/squid' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-ssl' '--enable-ssl-crtd' '--with-openssl' '--enable-linux-netfilter' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security' 'build_alias=x86_64-linux-gnu'

I also have this configuration:
max_filedesc 35000
acl localnet src 172.16.16.0/24
acl localnet src 172.22.1.0/24
acl SSL_ports port 443
acl CONNECT method CONNECT
acl AdminsIP src "/etc/squid/admips.txt"
acl BlackList dstdomain "/etc/squid/BL.txt"
acl BlockInetExlWhite src "/etc/squid/BI.txt"
acl WhiteList dstdomain "/etc/squid/WL.txt"
acl manager proto manager
via off
forwarded_for off
follow_x_forwarded_for deny all
visible_hostname my.server.com
hosts_file /etc/hosts
dns_nameservers 172.16.16.11
ipcache_size 10240
negative_dns_ttl 5 minutes
fqdncache_size 10240
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager
http_access deny manager
cachemgr_passwd password all
http_access allow localhost
http_access allow AdminsIP
http_access deny BlockInetExlWhite !WhiteList
http_access deny BlackList
http_access allow localnet
http_access deny all
cache deny all
http_port 0.0.0.0:3128 intercept
http_port 0.0.0.0:3130
https_port 0.0.0.0:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/myCA.pem
always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
acl blocked ssl::server_name "/etc/squid/BL.txt"
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate blocked
ssl_bump splice all
sslcrtd_program /lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
maximum_object_size 61440 KB
minimum_object_size 3 KB
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 512 KB
memory_replacement_policy lru
logfile_rotate 0
cache_mgr  admin at my.server.com  

All users in my company have enabled auto-proxy-config in OS with wpad url configuration, below you can see wpad.dat:
function FindProxyForURL(url, host) {
var proxy_on = "PROXY 172.16.16.30:3130";
var proxy_off = "DIRECT";
var network = "172.16.16.0";
var network1 = "192.168.100.0";
var subnet = "255.255.255.0";

var proxy_bypass = new Array(
"*.slack.com",
"*.slack-edge.com",
"*.slack-msgs.com",
"*slack-files.com",
"*slack-imgs.com",
"*slack-edge.com",
"*slack-core.com",
"*slack-redir.net",
"192.168.100.0",
"127.0.0.1",
"localhost"
);
if (isInNet(host, network, subnet)) {
return proxy_off;
}
if (isInNet(host, network1, subnet)) {
return proxy_off;
}

for (var i = 0; i < proxy_bypass.length; i++) {
if (shExpMatch(host, proxy_bypass[i])) {
return DIRECT;
}
}

if (shExpMatch(url, "http:*") ||
shExpMatch(url, "https:*") ||
shExpMatch(url, "ftp:*")) {
return proxy_on;
}

// Finally, send all other requests direct.
return proxy_off;
}

In the wpad web server I can see logs:
188.xxx.xxx.xxx - - [06/Mar/2017:11:20:21 +0300] "GET /wpad.dat HTTP/1.1" 200 1324 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Slack/2.5.1 Chrome/53.0.2785.143 Electron/1.4.15 Safari/537.36"
188.xxx.xxx.xxx - - [06/Mar/2017:11:57:29 +0300] "GET /wpad.dat HTTP/1.1" 200 1324 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
188.xxx.xxx.xxx - - [06/Mar/2017:11:57:29 +0300] "GET /wpad.dat HTTP/1.1" 200 1324 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
188.xxx.xxx.xxx - - [06/Mar/2017:11:57:29 +0300] "GET /wpad.dat HTTP/1.1" 200 1324 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Slack/2.5.1 Chrome/53.0.2785.143 Electron/1.4.15 Safari/537.36"
188.xxx.xxx.xxx - - [06/Mar/2017:13:13:01 +0300] "GET /wpad.dat HTTP/1.1" 200 1324 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" I see the problems when to try work with slack app or gmail apps (e.g. calendar), in the squid log I see many entries:
2017/03/06 14:38:03| SECURITY ALERT: Host header forgery detected on local=54.230.99.128:443 remote=172.16.16.123:64857 FD 748 flags=33 (local IP does not match any domain IP)
2017/03/06 14:38:03| SECURITY ALERT: on URL: slack.com:443
2017/03/06 14:38:30| SECURITY ALERT: Host header forgery detected on local=54.230.99.128:443 remote=172.16.16.123:64875 FD 505 flags=33 (local IP does not match any domain IP)
2017/03/06 14:38:30| SECURITY ALERT: on URL: slack.com:443
2017/03/06 14:38:37| SECURITY ALERT: Host header forgery detected on local=54.230.99.128:443 remote=172.16.16.123:64881 FD 678 flags=33 (local IP does not match any domain IP)
Could you help me please?
P.S. Sorry for my bad english.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170306/a757c0ac/attachment-0001.html>


More information about the squid-users mailing list