Re: [squid-users] Host header forgery

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 28 Feb 2012 10:01:14 +1300

On 28.02.2012 01:08, Warren Baker wrote:
> On Mon, Feb 27, 2012 at 12:58 PM, Amos Jeffries wrote:
>>
>> It is best to consider interception an action of last resort, for
>> this any
>> many other reasons.
>
> yeah of course.
>
>>
>> 3.2.0.15+ will do a soft-fail type behaviour, which allows the
>> request
>> through but does not allow caching of the response and only relays
>> the
>> original destination IP. Which hides the problems from client
>> visibility, at
>> cost of some cache HITs.
>
> ok interesting - I assume this will be some config option?

Not as such.

There is host_verify_strict directive to *increase* the number of
things validated, including forward-proxy traffic. Which is off by
default so only the minimal checks are done.

The risk of turning this off entirely is cache poisoning, which
immediately spreads infection across the whole network. Since the action
vector to do the initial infection is so trivial (a client running a
website script can do it without knowing). That is too much risk to
allow configuration.

Amos
Received on Mon Feb 27 2012 - 21:01:19 MST

This archive was generated by hypermail 2.2.0 : Tue Feb 28 2012 - 12:00:10 MST