Re: /bzr/squid3/trunk/ r11783: Fixed typos in the host_verify_strict description.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 13 Oct 2011 10:16:59 +1300

 On Wed, 12 Oct 2011 09:45:40 -0600, Alex Rousskov wrote:
> On 10/11/2011 10:38 PM, Amos Jeffries wrote:
>>> On Mon, 10 Oct 2011 08:39:00 -0600, Alex Rousskov wrote:
>>>> ------------------------------------------------------------
>>>> revno: 11783
>>>> committer: Alex Rousskov <rousskov_at_measurement-factory.com>
>>>> branch nick: trunk
>>>> timestamp: Mon 2011-10-10 08:39:00 -0600
>>>> message:
>>>> Fixed typos in the host_verify_strict description.
>>>>
>>>> Frankly, the description is likely to still make little sense to
>>>> uninitiated because we do not explain what is "Host vs IP validation"
>>>> and what the "additional strict validation comparisons" are. There was
>>>> an attempt to explain the latter, but I think it failed. Perhaps there
>>>> are more typos that hide the intended meaning?
>>>> modified:
>>>> src/cf.data.pre
>>>
>>
>> "
>> By default on intercept and tproxy traffic Squid verifies that the
>> destination IP address matches the Host: header domain or IP (called
>> 'authority form URL'). The client will be presented with a 409 Conflict
>> error page and Squid logs a security warning if they do not match.
>>
>> When set to ON, this option enables additional strict comparisons on
>> forward-proxy and reverse-proxy traffic passing through Squid.
>>
>> These additional tests involve textual domain comparisons to
>> ensure that the client sends a consistent Host header for the
>> destination server mentioned in the URL.
>> "
>
> Hi Amos,
>
> I would polish the above a little further, thanks to your earlier
> clarifications:
>
> ----------
> Regardless of this option setting, when dealing with intercepted
> traffic, Squid always verifies that the destination IP address matches
> the Host header domain or IP (called 'authority form URL'). Squid
> responds with an HTTP 409 (Conflict) error page and logs a security
> warning if there is no match.
>
> When set to ON, Squid verifies that the destination IP address matches
> the Host header for forward-proxy and reverse-proxy traffic as well. For
> those traffic types, Squid also enables the following checks, comparing
> the corresponding Host header and Request-URI components:
>
> * The host names (domain or IP) must be identical,
> but valueless or missing Host header disables all checks.
> For the two host names to match, both must be either IP or FQDN.
>
> * Port numbers must be identical,
> but if a port is missing, the scheme-default port is assumed.
> This check is skipped for intercepted traffic and for CONNECT
> requests with a missing port in the Host header.

 I'll leave this last line out for now. We might have to change it later
 when HTTPbis work has sorted out CONNECT a bit more. Intercept is also
 not relevant for forward-proxy and reverse-proxy traffic.

>
> This enforcement is performed to satisfy a MUST-level requirement in RFC
> 2616 section 14.23: "The Host field value MUST represent the naming
> authority of the origin server or gateway given by the original URL".
> --------
>
>> * this option set to 'off' -> skip all URL-vs-Host tests
>
> That part I did not understand because it seems to contradict the earlier
> "By default on intercept and tproxy traffic Squid verifies ..." claim.

 Intercept+tproxy we do not have URL domain to work with. We cannot
 compare. So these are all skipped. IMO your sentence 1 of paragraph 2
 adequately covers that without going into specifics.

>
> Please feel free to leave as is or polish further as you please and
> commit. This is not a big deal (but I do expect us to quote this
> documentation to angry users).

 Done.

 Amos
Received on Wed Oct 12 2011 - 21:17:04 MDT
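
The Host header vs Request-URI comparison described in the draft text above, as an added Python example that is not part of the original thread and is not Squid's own code. The function names, the lowercasing of host names before comparison, and the sample requests are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit
DEFAULT_PORTS = {"http": 80, "https": 443}  # scheme-default ports

def split_host_header(value):
    """Split 'host[:port]' into (lowercased host, port or None).
    IPv6 literals must be bracketed, as the Host header syntax requires."""
    value = value.strip()
    if value.startswith("["):
        host, _, rest = value[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = value.partition(":")
    return host.lower(), int(port) if port.isdigit() else None

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_host_vs_url(request_url, host_header):
    """Return (ok, reason) for the Host vs Request-URI comparison."""
    if host_header is None or not host_header.strip():
        return True, "missing or valueless Host header: checks disabled"
    url = urlsplit(request_url)
    url_host = (url.hostname or "").lower()
    default_port = DEFAULT_PORTS.get(url.scheme)
    url_port = url.port or default_port        # missing port: scheme default
    hdr_host, hdr_port = split_host_header(host_header)
    hdr_port = hdr_port or default_port
    if is_ip(url_host) != is_ip(hdr_host):     # both must be IP or both FQDN
        return False, "one name is an IP address, the other an FQDN"
    if url_host != hdr_host:                   # textual comparison (assumed case-insensitive)
        return False, "host names differ"
    if url_port != hdr_port:
        return False, "ports differ"
    return True, "consistent"

# Constructed sample requests: (Request-URI, Host header value)
SAMPLES = [
    ("http://example.com/", "example.com:80"),
    ("http://example.com:8080/", "example.com"),
    ("http://example.com/", "internal.example.net"),
    ("http://192.0.2.10/", "example.com"),
    ("http://example.com/", ""),
]
RESULTS = [check_host_vs_url(url, host) for url, host in SAMPLES]
```

The destination-IP check applied to intercepted traffic is not modelled here, since it needs the connection's destination address rather than the request text.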
