[squid-users] Host header and transparent proxying

From: David Robb <[email protected]>
Date: Thu, 26 Jul 2001 11:40:39 +1200 (NZST)

I have a problem here with transparent proxying and the use of the Host
header. Now as the conf file says, if Squid uses the Host header, it's a
security risk, because connections can be made to go to sites other
than where the original IP connection was made to.

i.e., I get transparently proxied to one of my caches on port 80 while
trying to connect to google.com, and give a request which has a Host
header of yahoo.com:

If squid is using the Host header, it'll connect to yahoo.com and return
me the content from there.
If I'm not using the Host header, but am instead using Netfilter, Squid
rewrites the URL to be http://216.239.33.10/index.html (where 216.239.33.10
is google.com). Now while this stops me from redirecting the connection to
another server[1], it breaks the caching, does it not? Squid won't then be
storing the URLs in its cache as "google.com/index.html", it'll be
"216.239.33.10/index.html"

Can anyone suggest a workaround for this?

I'm pondering devising a patch which checks if the Host header matches the
IP the person was connecting to. If it does, it uses the Host header when
constructing the URL. If not, it connects to the IP specified by
SO_ORIGINAL_DST from Netfilter.

[1] We bill separately for national and international traffic on some
account types, so if someone connects to a server, I need to be sure the
content is coming from that server, and not somewhere else specified by
the host header.

David Robb

---
Senior Network Engineer		DDI +64-9-359-2710
ihug (AS7657)			NOC +64-9-359-2708
"The Earth is a single point of failure"
Received on Wed Jul 25 2001 - 17:40:49 MDT
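
The check proposed in the message, sketched as an added example (it is not part of the original post and not Squid code): the Host header is used for the URL only when it resolves to the address Netfilter reports through SO_ORIGINAL_DST, otherwise the URL is built from that address. The names `pick_url_host`, `original_dst`, `resolve_fn` and `sample_resolve` are hypothetical, and the 192.0.2.20 address for yahoo.com is constructed.

```c
/* Added example, not Squid source. Host is trusted for the rebuilt URL only
 * if it resolves to the address the client actually connected to. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#define SO_ORIGINAL_DST 80 /* value from <linux/netfilter_ipv4.h> */

/* Hypothetical resolver hook: fills addrs[] with A records, returns count. */
typedef int (*resolve_fn)(const char *name, struct in_addr *addrs, int max);

/* Pre-NAT destination of a REDIRECTed socket (IPPROTO_IP == SOL_IP on Linux). */
int original_dst(int fd, struct sockaddr_in *dst) {
    socklen_t len = sizeof *dst;
    return getsockopt(fd, IPPROTO_IP, SO_ORIGINAL_DST, dst, &len);
}
/* Returns 1 and writes the Host name if it maps to orig; otherwise returns 0
 * and writes the dotted quad of orig, so the fetch cannot leave that server. */
int pick_url_host(const char *host_hdr, struct in_addr orig, resolve_fn resolve,
                  char *out, size_t outlen) {
    struct in_addr addrs[16];
    char name[256];
    size_t n = host_hdr ? strcspn(host_hdr, ":") : 0; /* drop any :port */
    if (n > 0 && n < sizeof name) {
        memcpy(name, host_hdr, n);
        name[n] = '\0';
        int count = resolve(name, addrs, 16);
        for (int i = 0; i < count; i++)
            if (addrs[i].s_addr == orig.s_addr) {
                snprintf(out, outlen, "%s", name);
                return 1;
            }
    }
    inet_ntop(AF_INET, &orig, out, (socklen_t)outlen);
    return 0;
}
/* Constructed lookup table standing in for DNS so the example runs offline. */
int sample_resolve(const char *name, struct in_addr *addrs, int max) {
    const char *ip = !strcmp(name, "google.com") ? "216.239.33.10"
                   : !strcmp(name, "yahoo.com") ? "192.0.2.20" : NULL;
    return (ip && max > 0) ? inet_pton(AF_INET, ip, &addrs[0]) : 0;
}
int main(void) {
    struct in_addr orig; /* what original_dst() would report for the client */
    char host[256];
    inet_pton(AF_INET, "216.239.33.10", &orig);
    int ok = pick_url_host("yahoo.com", orig, sample_resolve, host, sizeof host);
    printf("%s -> http://%s/index.html\n", ok ? "Host" : "IP", host);
    return 0;
}
```

A name served from several addresses can resolve at the proxy to a set that does not include the one the client was given; such requests take the IP path, which keeps the traffic on the server the client connected to at the cost of a cache entry keyed by address.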
