Re: /bzr/squid3/trunk/ r11783: Fixed typos in the host_verify_strict description.

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Wed, 12 Oct 2011 09:45:40 -0600

On 10/11/2011 10:38 PM, Amos Jeffries wrote:
>> On Mon, 10 Oct 2011 08:39:00 -0600, Alex Rousskov wrote:
>>> ------------------------------------------------------------
>>> revno: 11783
>>> committer: Alex Rousskov <rousskov_at_measurement-factory.com>
>>> branch nick: trunk
>>> timestamp: Mon 2011-10-10 08:39:00 -0600
>>> message:
>>> Fixed typos in the host_verify_strict description.
>>>
>>> Frankly, the description is likely to still make little sense to
>>> the uninitiated because we do not explain what is "Host vs IP validation"
>>> and what the "additional strict validation comparisons" are. There was
>>> an attempt to explain the latter, but I think it failed. Perhaps there
>>> are more typos that hide the intended meaning?
>>> modified:
>>> src/cf.data.pre
>>
>
> "
> By default on intercept and tproxy traffic Squid verifies that the
> destination IP address matches the Host: header domain or IP (called
> 'authority form URL'). The client will be presented with a 409 Conflict
> error page and Squid logs a security warning if they do not match.
>
> When set to ON, this option enables additional strict comparisons on
> forward-proxy and reverse-proxy traffic passing through Squid.
>
> These additional tests involve textual domain comparisons to
> ensure that the client sends a consistent Host header for the
> destination server mentioned in the URL.
> "

Hi Amos,

    I would polish the above a little further, thanks to your earlier
clarifications:

----------
Regardless of this option setting, when dealing with intercepted
traffic, Squid always verifies that the destination IP address matches
the Host header domain or IP (called 'authority form URL'). Squid
responds with an HTTP 409 (Conflict) error page and logs a security
warning if there is no match.

When set to ON, Squid verifies that the destination IP address matches
the Host header for forward-proxy and reverse-proxy traffic as well. For
those traffic types, Squid also enables the following checks, comparing
the corresponding Host header and Request-URI components:

 * The host names (domain or IP) must be identical,
   but valueless or missing Host header disables all checks.
   For the two host names to match, both must be either IP or FQDN.

 * Port numbers must be identical,
   but if a port is missing, the scheme-default port is assumed.
   This check is skipped for intercepted traffic and for CONNECT
   requests with a missing port in the Host header.

This enforcement is performed to satisfy a MUST-level requirement in RFC
2616 section 14.23: "The Host field value MUST represent the naming
authority of the origin server or gateway given by the original URL".
--------

> * this option set to 'off' -> skip all URL-vs-Host tests

That part I did not understand because it seems to contradict the earlier
"By default on intercept and tproxy traffic Squid verifies ..." claim.

Please feel free to leave as is or polish further as you please and
commit. This is not a big deal (but I do expect us to quote this
documentation to angry users).

Thank you,

Alex.
Received on Wed Oct 12 2011 - 15:46:04 MDT
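
The two Host-versus-Request-URI comparisons listed in the proposed wording above, modelled as an added Python example (not Squid's code and not part of the original message). The function names are hypothetical, the case-insensitive name comparison is an assumption, only absolute-form and CONNECT request targets are handled, and the destination-IP check is not modelled.

```python
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}  # scheme-default ports

def split_authority(authority):
    """Split 'host[:port]' (IPv6 literals in brackets) into (host, port)."""
    parts = urlsplit("//" + authority)
    return parts.hostname, parts.port  # hostname is lower-cased, port may be None

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def host_matches_uri(method, request_target, host_header, intercepted=False):
    """Hypothetical helper: return (ok, reason) for the two listed checks."""
    if host_header is None or not host_header.strip():
        return True, "missing or valueless Host: checks disabled"
    h_host, h_port = split_authority(host_header.strip())
    if method == "CONNECT":
        scheme = None  # CONNECT targets are 'host:port' with no scheme
        u_host, u_port = split_authority(request_target)
    else:
        uri = urlsplit(request_target)
        scheme, u_host, u_port = uri.scheme, uri.hostname, uri.port
    # Both names must be of the same kind (IP or FQDN) and identical.
    # Assumption: names are compared case-insensitively.
    if is_ip(h_host) != is_ip(u_host):
        return False, "one side is an IP, the other an FQDN"
    if h_host != u_host:
        return False, "host names differ"
    # Port check: skipped for intercepted traffic and for CONNECT
    # requests whose Host header carries no port.
    if not intercepted and not (method == "CONNECT" and h_port is None):
        default = DEFAULT_PORTS.get(scheme)
        if (h_port or default) != (u_port or default):
            return False, "ports differ"
    return True, "Host agrees with Request-URI"
```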
