[squid-users] Interaction SSL_bump, Domain Allowlist and Host Header Forgery Check

Adrian adrian.stnbch at gmail.com
Wed May 7 23:17:17 UTC 2025


Hey Squid community,

I would greatly appreciate a hint on how to configure Squid to achieve the
following:

Context
========
Transparent HTTP/S proxy (ideally no TLS re-encryption)
Domain allowlist acl
Squid v6.13

Goal
========
Have Squid "inspect" HTTPS requests (as much as possible/needed with the
actions provided by ssl_bump) and perform the host header forgery check in
addition to checking if the host extracted from SNI matches the domain
allowlist acl.
The configuration should basically prevent this:

$ curl --insecure --resolve <domain on allowlist>:443:<arbitrary IP not associated with domain> https://<domain on allowlist>

It seems like all the necessary tools are provided, and I see hints
pointing to this possibility, e.g.
https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery (the INFO box)
but I'm having trouble using them to accomplish the desired effect.
The host_verify_strict option seems to solve this for unencrypted HTTP and
I got the domain allowlist to work for HTTP + HTTPS - it's just easily
circumvented by the curl above in the case of HTTPS.

A rough idea about the order/placement of the acls involved (relative to
the ssl_bump steps where applicable) would help a lot.

Cheers,
Adrian
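Added example (not part of the original post, and not a reply from the list): a squid.conf fragment that wires together the pieces the post names, so the ordering of the ssl_bump steps relative to the allowlist ACLs is visible. The directive and ACL names (http_port/https_port intercept, ssl-bump, host_verify_strict, dstdomain, ssl::server_name, at_step, ssl_bump peek/splice/terminate) are real Squid directives; the port numbers, the certificate path and the allowlist file are constructed placeholders. It assumes that at step 1 of an intercepted connection Squid only knows the destination IP (so SNI-based ACLs cannot match yet), that after peeking at step 1 the SNI is available to ssl::server_name at step 2, and that with host_verify_strict on Squid rejects intercepted requests whose destination IP does not agree with DNS for the Host header or peeked SNI. Whether this closes the curl --resolve case is exactly the question the post asks, so treat it as a starting point for testing against that command, not as a confirmed answer.

```conf
# Added example, not from the original post. Placeholders: port numbers,
# /etc/squid/bump.pem and /etc/squid/allowlist.txt are constructed.

# Transparent (intercept) ports; the TLS port only peeks/splices, it never
# re-encrypts allowed traffic, matching the "no TLS re-encryption" goal.
http_port  3128 intercept
https_port 3129 intercept ssl-bump \
    tls-cert=/etc/squid/bump.pem \
    generate-host-certificates=on

# Host header forgery check: reject (rather than pass through) intercepted
# requests whose destination IP does not match DNS for the claimed host.
# Assumption: this also covers the SNI learned by peeking at step 1.
host_verify_strict on

# Domain allowlist applied to the Host header (plain HTTP and the fake
# CONNECT built from SNI) ...
acl allowed_domains dstdomain "/etc/squid/allowlist.txt"
# ... and applied directly to the TLS SNI (only populated after step 1 peek).
acl allowed_sni ssl::server_name "/etc/squid/allowlist.txt"

acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Step 1: peek at the ClientHello to read the SNI without decrypting.
ssl_bump peek step1
# Step 2: splice (pass through untouched) only when the SNI is allowlisted;
# host_verify_strict gets to compare that SNI against the intercepted IP here.
ssl_bump splice allowed_sni
# Anything else (no SNI, or SNI not on the list) is closed.
ssl_bump terminate all

# http_access is evaluated on the fake CONNECT at each bumping step. At step 1
# only the destination IP is known (assumption), so allow that step through to
# reach the peek; the real allowlist decision happens once SNI is known.
http_access allow step1
http_access allow allowed_sni
http_access allow allowed_domains
http_access deny all
```

To check the behaviour, run the curl --resolve command from the post against this configuration and confirm from access.log and cache.log which rule rejects the connection (ssl_bump terminate, the http_access deny, or a host-verification error); if the request still reaches the arbitrary IP, the step at which SNI becomes visible to ssl::server_name and host_verify_strict is the place to look first.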