[squid-users] host header forgery check in docker environment

Amos Jeffries squid3 at treenet.co.nz
Mon Jun 18 07:43:19 UTC 2018


On 18/06/18 16:54, Kedar K wrote:
> Hi Amos, 
> Here is the topology:
> 
> client (curl from host running docker) --> squid_child (docker, using
> ssl-bump with intercept) --> squid_parent (VM with internet connection,
> https_port without ssl-bump) --> origin server.

Consider where/how the child proxy is getting the origin servers' TLS
certificate details with which to forge a server certificate in the bump
action.


> 
> local - 72.19.0.2:443 is the container running
> squid child
> remote - remote=172.19.0.1:44522 is the host
> machine where containers are running, I am using a curl to do initial
> tests. Eventually, request would come from other containers or external
> hosts on the docker daemon host.
> 
> With http traffic this works fine; wherein the request is forwarded to
> Parent and then to origin server. However, with https header forgery
> kicks in and tls is terminated.

Given that you are essentially voiding what little security TLS
provides, there is no point in using it to secure any of these
connections. Just use curl (or squidclient) to send https:// URLs in
plain text HTTP messages. It is just as (in)secure as your current setup
and works much more reliably.

Amos
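To make the two points in this exchange concrete, here is an added example (written for this page, not Squid's own code): a small model of the host-header forgery check that fires on intercepted traffic, run against the two situations the thread describes, plus a builder for the clear-text absolute-URI request Amos suggests sending to the proxy instead. Everything in it is constructed: the resolver table, the 93.184.216.34 address, the names, and the working assumption that in the failing Docker case the DNAT on the way into the container left Squid seeing the container's own address (172.19.0.2) as the connection's destination, so it cannot match any address the Host name resolves to.

```python
"""Model of Squid's host-header forgery check on intercepted traffic, and
the plain-text forward-proxy request suggested in the thread.

Added example, not Squid's code.  The IPs, names and resolver table are
constructed for illustration.  Assumption modelled in docker_scenarios():
inside the container the original destination was lost to DNAT, so Squid
sees its own address (172.19.0.2) as the destination of the intercepted
connection.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver table standing in for Squid's own DNS lookups.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.test": ["172.19.0.1"],
}


def split_host_port(host_header):
    """Split 'name', 'name:port' or '[v6]:port' into (name, port_or_None)."""
    if host_header.startswith("["):
        name, _, rest = host_header[1:].partition("]")
        return name, (rest[1:] if rest.startswith(":") else None)
    name, sep, port = host_header.rpartition(":")
    if sep and port.isdigit():
        return name, port
    return host_header, None


def host_forgery_check(dst_ip, host_header, resolve=FAKE_DNS.get):
    """Model of the check Squid applies to intercepted requests: the
    connection's original destination must be one of the addresses the
    Host (or SNI) name resolves to.  Returns (verdict, reason)."""
    dst = ipaddress.ip_address(dst_ip)
    name, _port = split_host_port(host_header)
    try:                                      # Host given as an IP literal
        literal = ipaddress.ip_address(name)
    except ValueError:
        literal = None
    if literal is not None:
        if literal == dst:
            return "ok", "literal matches destination"
        return "forgery", "literal %s != destination %s" % (literal, dst)
    answers = resolve(name) or []
    if not answers:
        return "forgery", "%s does not resolve" % name
    if any(ipaddress.ip_address(a) == dst for a in answers):
        return "ok", "destination %s is an address of %s" % (dst, name)
    return "forgery", "destination %s not among %s -> %s" % (dst, name, answers)


def docker_scenarios():
    """The two intercept situations from the thread, modelled (constructed
    values): the container sees its own address as the destination, versus
    an intercept that preserved the real origin address."""
    return {
        "container_sees_own_ip": host_forgery_check("172.19.0.2", "example.com"),
        "original_dst_preserved": host_forgery_check("93.184.216.34",
                                                     "example.com:443"),
    }


def plaintext_proxy_request(url):
    """Build the absolute-form request to send in clear text to the proxy's
    http_port, e.g. 'GET https://example.com/ HTTP/1.1'.  Nothing is
    intercepted, so the forgery check never runs: the origin comes from
    the request line and the proxy opens its own TLS connection upstream."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http/https URLs are supported")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return ("GET %s://%s%s HTTP/1.1\r\n"
            "Host: %s\r\n"
            "Connection: close\r\n\r\n") % (parts.scheme, parts.netloc,
                                            path, parts.netloc)


if __name__ == "__main__":
    for label, verdict in docker_scenarios().items():
        print("%-24s %-8s %s" % (label, *verdict))
    print(plaintext_proxy_request("https://example.com/a?b=1"), end="")
```

The request text can be piped to the parent's http_port with netcat (or produced by squidclient); curl is less convenient here because, given an https:// URL and an HTTP proxy, it issues a CONNECT tunnel rather than the clear-text absolute-URI GET the thread is talking about.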

