Re: redirector: are http headers available?

From: Boyd Currey <boydc@dont-contact.us>
Date: Thu, 8 May 1997 11:09:43 +1000 (EST)

On Thu, 8 May 1997, Henrik Nordstrom wrote:

> Add
> httpd_accel_uses_host_header on
> to your squid.conf.
>
> This has the effect that all incoming requests are rewritten with the
> Host: header appended. See icp.c.

The squid.conf file says...

... However,
# Squid does NOT check the value of the Host header, so it opens
# a big security hole. We recommend that this option remain
# disabled unless you are sure of what you are doing.

What kind of security holes does it open? Does this mean that people
can throw in false Host header addresses to gain access to squid
for evil purposes and to get around ACLs to access squid itself?

 ___________________________________________________________________________
                         Boyd Currey | OzEmail Ltd
                System Administrator | Unit 21, 39 Herbert St.
                boydc@ozemail.com.au | St. Leonards, Australia
              Phone: +61 2 9433 2352 | Phone: +61 2 9433 2400
Received on Wed May 07 1997 - 18:10:37 MDT
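
The squid.conf comment quoted in the message says Squid does not check the Host value itself. One place to add that check is a redirector that passes only URLs whose host is on an allow-list. The following is an added example, not code from Squid or from this thread; it assumes the redirector receives the Host-derived URL as the first field of each input line, and ALLOWED_HOSTS, ALLOWED_PORTS and REJECT_URL are placeholder values.

```python
import sys
from urllib.parse import urlsplit

# Assumed values: the sites this accelerator is meant to front.
ALLOWED_HOSTS = {"www.example.com", "static.example.com"}
ALLOWED_PORTS = {None, 80}
# Hypothetical URL returned for anything else.
REJECT_URL = "http://www.example.com/denied.html"


def host_is_allowed(url):
    """True only if the URL's host (taken from Host:) is one we accelerate."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "http" or parts.hostname is None:
        return False
    host = parts.hostname.rstrip(".")   # hostname is already lowercased
    return host in ALLOWED_HOSTS and port in ALLOWED_PORTS


def rewrite(line):
    """Map one redirector input line to the reply line.

    Input fields: URL client_ip/fqdn ident method. An empty reply
    leaves the URL unchanged.
    """
    fields = line.split()
    if not fields:
        return ""
    return "" if host_is_allowed(fields[0]) else REJECT_URL


def main():
    for line in sys.stdin:
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()   # Squid waits for one reply per request


if __name__ == "__main__":
    main()
```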

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:35:08 MST