Re: [squid-users] Host header forgery

From: Warren Baker <warren_at_decoy.co.za>
Date: Tue, 28 Feb 2012 11:19:31 +0200

On Mon, Feb 27, 2012 at 11:01 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>> 3.2.0.15+ will do a soft-fail type behaviour, which allows the request
>>> through but does not allow caching of the response and only relays the
>>> original destination IP. Which hides the problems from client visibility,
>>> at
>>> cost of some cache HITs.
>>
>>
>> ok interesting - I assume this will be some config option?
>
>
> Not as such.
>
> There is host_verify_strict directive to *increase* the number of things
> validated, including forward-proxy traffic. Which is off by default so only
> the minimal checks are done.
>
> The risk of turning this off entirely is cache poisoning, which immediately
> spreads infection across the whole network. Since the action vector to do
> the initial infection is so trivial (a client running a website script can
> do it without knowing). That is too much risk to allow configuration.

Ok that makes sense - thanks Amos.

-- 
.warren
Received on Tue Feb 28 2012 - 09:19:39 MST

This archive was generated by hypermail 2.2.0 : Tue Feb 28 2012 - 12:00:10 MST