[squid-users] squid interception

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Sep 25 11:12:27 UTC 2018


On 25.09.18 12:39, Yann Girardin wrote:
> We have encountered what we think is a strange behavior of Squid when in
> interception.  We know that it's not a bug but made on purpose, but we
> question ourself on the why of this choice.
>
> We have a firewall that we have configured to redirect all TCP packets
> with the destination port set to 80 to the squid box.  This redirection is
> made by changing the destination IP to the address of the Squid box and

this is the wrong way to do interception and it opens the door to a security
vulnerability.

squid needs to know the destination IP, otherwise it does not know where it
has to connect.

The Host: header is NOT reliable info, because it can contain false
information. see the vulnerability info:

https://nvd.nist.gov/vuln/detail/CVE-2009-0801
https://www.kb.cert.org/vuls/id/435052

> destination port to 8080.  On the box, we set up Squid to listen to port
> 9090 in interception mode.  Moreover, we use some DNAT rules to redirect
> the traffic from port 8080 to port 9090.  Yes, we know that we shouldn't
> do that, but "we" includes some third parties.

the proper way to do interception is to forward packets to squid host
without changing the destination I

https://wiki.squid-cache.org/SquidFaq/InterceptionProxy

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)
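Added example, not code from the thread or from Squid: a simplified Python model of the destination check an intercepting proxy has to make, showing why the firewall setup above (destination IP rewritten to the Squid box) leaves only the untrusted Host header to route on. The DNS table, function names and sample requests are constructed.

```python
import ipaddress

# Constructed stand-in for DNS: hostname -> addresses it resolves to.
DNS = {
    "www.example.com": {"93.184.216.34"},
    "intranet.example.internal": {"10.0.0.5"},
}


def resolve(host):
    """Addresses a Host value resolves to, ignoring any :port suffix."""
    return DNS.get(host.split(":", 1)[0].strip().lower(), set())


def parse_host(raw_request):
    """Extract the Host header from a raw HTTP/1.x request (bytes)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def verify_intercepted(original_dst, raw_request):
    """Decide where an intercepted request may be forwarded.

    original_dst: the IP the client really connected to, as the proxy sees it
                  (only available if redirection preserved it, e.g. REDIRECT
                  or TPROXY rather than DNAT to the proxy's own address).
    Returns (decision, destination). A Host name that does not resolve to
    original_dst is flagged as forgery and the request is pinned to
    original_dst instead of being routed by the attacker-controlled header.
    """
    if original_dst is None:
        # Destination rewritten by the firewall: the proxy cannot tell where
        # the client was going, which is the CVE-2009-0801 situation.
        return ("reject", None)
    host = parse_host(raw_request)
    if host is None:
        return ("reject", None)
    dst = str(ipaddress.ip_address(original_dst))
    if dst in resolve(host):
        return ("forward", dst)
    return ("forgery", dst)
```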