Regardless of this option setting, when dealing with intercepted
traffic, Squid always verifies that the destination IP address matches
the Host header domain or IP (called 'authority form URL').
This enforcement is performed to satisfy a MUST-level requirement in
RFC 2616 section 14.23: "The Host field value MUST represent the naming
authority of the origin server or gateway given by the original URL".
When set to ON:
Squid always responds with an HTTP 409 (Conflict) error
page and logs a security warning if there is no match.
Squid verifies that the destination IP address matches
the Host header for forward-proxy and reverse-proxy traffic
as well. For those traffic types, Squid also enables the
following checks, comparing the corresponding Host header
and Request-URI components:
* The host names (domain or IP) must be identical,
but valueless or missing Host header disables all checks.
For the two host names to match, both must be either IP
or FQDN.
* Port numbers must be identical, but if a port is missing
the scheme-default port is assumed.
When set to OFF (the default):
Squid allows suspicious requests to continue but logs a
security warning and blocks caching of the response.
* Forward-proxy traffic is not checked at all.
* Reverse-proxy traffic is not checked at all.
* Intercepted traffic which passes verification is handled
normally.
For now it also forces suspicious requests to go DIRECT to the
original destination, overriding client_dst_passthru for
intercepted requests which fail Host: verification.
For now suspicious intercepted CONNECT requests are always
responded to with an HTTP 409 (Conflict) error page.
|
