Squid configuration directive client_dst_passthru

Available in: 3.2   3.HEAD  

History:

Changes in 3.2 client_dst_passthru

New setting to disable the extra Host: header security applied on interception proxies. Disabling it impacts cache integrity/reliability and client browser security.

IMPORTANT: disabling this directive only allows Squid to change the destination IP to another source indicated by the Host: domain's DNS entries or by cache_peer configuration. It does not affect Host: header validation.

Configuration Details:

Option Name: client_dst_passthru
Replaces:
Requires:
Default Value: client_dst_passthru on
Suggested Config:

	With NAT or TPROXY intercepted traffic Squid may pass the request
	directly to the original client destination IP or seek a faster
	source.
	
	This option (on by default) prevents cache_peer and alternative DNS
	entries from being used on intercepted traffic. Both of these lead
	to the security vulnerability outlined below.
	
	SECURITY WARNING:
	
	This directive should only be disabled if cache_peer entries are
	required.
	
	As described in CVE-2009-0801, when the Host: header alone is used
	to determine the destination of a request it becomes trivial for
	malicious scripts on remote websites to bypass the browser's
	same-origin security policy and sandboxing protections.
	
	The cause of this is that such applets are allowed to implement
	their own HTTP stack, in which case the same-origin policy of the
	browser sandbox only verifies, at the IP level, that the applet
	contacts the same IP it was loaded from. The Host: header may
	differ from the connected IP and the approved origin.
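To make the behaviour concrete, the following Python model of the decision this directive controls is an added example written for this page, not code from Squid; the request type, the addresses and the function names are constructed for illustration and simplify what Squid actually does.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class InterceptedRequest:
    """One NAT/TPROXY-intercepted request (constructed for illustration)."""
    original_dst: str                      # IP the client really connected to
    host_header: str                       # value of the Host: header
    host_dns: list = field(default_factory=list)  # what Host: resolves to (constructed)


def select_destination(req: InterceptedRequest, passthru: bool,
                       cache_peer: Optional[str] = None) -> str:
    """Where the request is forwarded, depending on client_dst_passthru."""
    if passthru:
        # on (the default): intercepted traffic always goes to the IP the
        # client connected to; Host: and cache_peer cannot redirect it.
        return req.original_dst
    # off: a cache_peer or a DNS answer for the Host: domain may be used
    # instead, which is exactly the CVE-2009-0801 exposure described above.
    if cache_peer:
        return cache_peer
    return req.host_dns[0] if req.host_dns else req.original_dst


def host_matches_destination(req: InterceptedRequest) -> bool:
    """Host: validation, which this directive does NOT change: does the
    Host: domain actually resolve to the IP the client connected to?"""
    return req.original_dst in req.host_dns


# Constructed sample: an applet loaded from 203.0.113.10 sends a request
# whose Host: names a different site that resolves to 198.51.100.5.
CROSS_ORIGIN = InterceptedRequest("203.0.113.10", "other.example",
                                  ["198.51.100.5"])
# Constructed sample: an ordinary request whose Host: matches the connection.
NORMAL = InterceptedRequest("203.0.113.10", "site.example", ["203.0.113.10"])

if __name__ == "__main__":
    for label, req in (("cross-origin", CROSS_ORIGIN), ("normal", NORMAL)):
        print(label, "passthru on ->", select_destination(req, True),
              "| passthru off ->", select_destination(req, False),
              "| host valid:", host_matches_destination(req))
```

With the default left on, the cross-origin sample is still delivered to 203.0.113.10, so the Host: header alone cannot steer the request to another server.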
