[squid-users] issues with sslbump and "Host header forgery detected" warnings

Eliezer Croitor ngtech1ltd at gmail.com
Sun Nov 8 01:19:09 UTC 2020


Hey Leonardo,

I assume the best solution for you is a simple SNI proxy.
Squid also does that, and you can try to debug this issue to make sure you understand what is wrong.
It clearly states that Squid doesn't see this specific address, local=216.58.222.106:443,
as the "real" destination address of the domain chromesyncpasswords-pa.googleapis.com:443.

Maybe Alex or Amos remember the exact and relevant debug_options:
https://wiki.squid-cache.org/KnowledgeBase/DebugSections

I assume section 78 would be of help:
debug_options ALL,1 78,3
is probably enough to discover what the DNS responses are and where they come from.
On what OS are you running this Squid?

Thanks,

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com

-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Leonardo Rodrigues
Sent: Friday, November 6, 2020 11:18 PM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] issues with sslbump and "Host header forgery detected" warnings


     Hello Everyone,

     I'm trying to set up sslbump for the first time (on squid-4.13) and, 
at first, things seem to be working. After taking some time to 
understand the new terms (splice, bump, stare, etc.), I seem to have got things 
working somehow.

     Actually I'm NOT looking for complete bumping (and decrypting) of the 
connections. During my lab studies, I found out that simply 'splicing' the 
connections is enough for me. I just want to intercept https connections 
and have them logged, just the hostname, and that seems to be 
achievable without even installing my certificates on the client, as 
I'm not changing anything, just 'taking a look' at the SNI values of the 
connection. The connection itself remains end-to-end protected, and 
that's fine by me. I just want to have things logged. And that's working 
just fine.

     However, some connections are failing with the "Host header forgery 
detected" warnings. Example:

2020/11/06 18:04:21 kid1| SECURITY ALERT: Host header forgery detected 
on local=216.58.222.106:443 remote=10.4.1.123:39994 FD 73 flags=33 
(local IP does not match any domain IP)
2020/11/06 18:04:21 kid1| SECURITY ALERT: on URL: 
chromesyncpasswords-pa.googleapis.com:443

     and usually a NONE/409 (Conflict) log entry is generated for those. 
Refresh once or twice and it will eventually work.

     I have found several discussions on this and I can confirm it 
happens on hostnames that resolve to several different IPs or hostnames 
that, somehow, keep changing IPs (CDNs or something like that).

     Clients are already using the same DNS server as the squid box, as 
recommended, but the problem is still happening quite a lot. For regular 
hostnames that translate to a single IP address, things are 100% working.

     Questions:

     - without using WPAD or configuring a proxy on the client 
devices, is this somehow "fixable"? The same DNS is already being used ...
     - is there any chance the NONE/409 (Conflict) logs I'm seeing are 
not related to this? Maybe these are just WARNINGs and not ERRORs, or 
would these really cause the intercepted connection to fail?
     - any other hint on this one without having to set a proxy, in any 
way, on the clients? I just want to have hostnames (and traffic generated) 
logged, no need for full decryption (bumping) of the connections.


     Thanks !!!






-- 


	Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	gertrudes at solutti.com.br
	My SPAMTRAP, do not email it
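Added example (written for this page, not code from the thread or from Squid): a Python script that pulls the two-line SECURITY ALERT pairs quoted above out of a cache.log excerpt, groups the flagged destination addresses by SNI host so they can be compared with what the proxy's own resolver returns (the DNS answers that Eliezer's `debug_options ALL,1 78,3` suggestion will expose), and replays the rule behind the alert against constructed DNS answers to show why a name with several rotating addresses passes on some attempts and is flagged on others. The first alert pair is the one from the original post; the second pair, the noise line and the addresses 142.250.79.10 and 172.217.29.10 are constructed for the example, and the parser handles IPv4 only.

```python
"""Added example (not Squid's own code): extract 'Host header forgery
detected' alerts from a Squid cache.log excerpt, group them by SNI host,
and replay the rule that produces them against constructed DNS answers."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample cache.log excerpt. The first alert pair is the one from
# the original post; the second pair, the storeLateRelease noise line and
# the address 142.250.79.10 are invented here for illustration.
SAMPLE_CACHE_LOG = """\
2020/11/06 18:04:21 kid1| SECURITY ALERT: Host header forgery detected on local=216.58.222.106:443 remote=10.4.1.123:39994 FD 73 flags=33 (local IP does not match any domain IP)
2020/11/06 18:04:21 kid1| SECURITY ALERT: on URL: chromesyncpasswords-pa.googleapis.com:443
2020/11/06 18:04:30 kid1| storeLateRelease: released 0 objects
2020/11/06 18:05:02 kid1| SECURITY ALERT: Host header forgery detected on local=142.250.79.10:443 remote=10.4.1.123:40012 FD 81 flags=33 (local IP does not match any domain IP)
2020/11/06 18:05:02 kid1| SECURITY ALERT: on URL: chromesyncpasswords-pa.googleapis.com:443
"""

# IPv4 only: Squid prints IPv6 addresses in brackets, which this does not handle.
FORGERY_RE = re.compile(
    r"SECURITY ALERT: Host header forgery detected on "
    r"local=(?P<local>[\d.]+):(?P<lport>\d+) "
    r"remote=(?P<remote>[\d.]+):(?P<rport>\d+)"
    r".*\((?P<reason>[^)]*)\)"
)
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<host>[^\s:]+)(?::(?P<port>\d+))?")


def parse_forgery_alerts(log_text):
    """Pair each 'forgery detected' line with the 'on URL:' line Squid logs
    right after it. An alert whose URL line is missing is kept with host=None."""
    alerts, pending = [], None
    for line in log_text.splitlines():
        m = FORGERY_RE.search(line)
        if m:
            if pending is not None:
                alerts.append(pending)
            pending = {
                "timestamp": line[:19],
                "local_ip": m["local"], "local_port": int(m["lport"]),
                "client_ip": m["remote"], "client_port": int(m["rport"]),
                "reason": m["reason"], "host": None, "port": None,
            }
            continue
        u = URL_RE.search(line)
        if u and pending is not None:
            pending["host"] = u["host"]
            pending["port"] = int(u["port"]) if u["port"] else None
            alerts.append(pending)
            pending = None
    if pending is not None:
        alerts.append(pending)
    return alerts


def destinations_by_host(alerts):
    """Map each flagged SNI host to the sorted intercepted destination IPs;
    these are the addresses to look for in the proxy's own DNS answers."""
    out = defaultdict(set)
    for a in alerts:
        out[a["host"]].add(a["local_ip"])
    return {h: sorted(ips) for h, ips in out.items()}


def passes_forgery_check(intercepted_dst, proxy_answers):
    """The rule behind the alert: the address the client was intercepted
    connecting to must be among the addresses the proxy itself resolves for
    the SNI name at that moment; anything else is reported as forgery."""
    dst = ipaddress.ip_address(intercepted_dst)
    return dst in {ipaddress.ip_address(a) for a in proxy_answers}


# Constructed DNS answers, one (client_answer, proxy_answer) pair per client
# attempt. The client connects to the first address of its own answer; the
# proxy resolves separately and may get a rotated subset of the same pool.
# 172.217.29.10 and 142.250.79.10 are invented addresses.
ATTEMPTS = [
    (["216.58.222.106", "172.217.29.10"], ["172.217.29.10", "142.250.79.10"]),
    (["216.58.222.106", "172.217.29.10"], ["216.58.222.106", "172.217.29.10"]),
    (["142.250.79.10"],                   ["172.217.29.10", "216.58.222.106"]),
    (["172.217.29.10", "142.250.79.10"],  ["142.250.79.10", "172.217.29.10"]),
]


def replay(attempts):
    """Return (passed, flagged) counts over the attempt pairs."""
    passed = flagged = 0
    for client_answer, proxy_answer in attempts:
        if passes_forgery_check(client_answer[0], proxy_answer):
            passed += 1
        else:
            flagged += 1
    return passed, flagged


if __name__ == "__main__":
    found = parse_forgery_alerts(SAMPLE_CACHE_LOG)
    for host, ips in destinations_by_host(found).items():
        print(f"{host}: flagged destinations {ips}")
    print("replay passed/flagged:", replay(ATTEMPTS))
```

Run it against a real cache.log by feeding the file contents to `parse_forgery_alerts`; the `destinations_by_host` output is the list of addresses to check against the answers that section 78 debugging prints for the same name. The replay shows that the check is only as good as the agreement between the client's answer and the proxy's answer at the moment of the connection, which is why a shared DNS server alone does not guarantee a match when a name rotates through many addresses.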


