Re: httpd_accel_uses_host_header

From: Graham Toal <gtoal@dont-contact.us>
Date: Thu, 8 May 1997 15:29:45 -0500 (CDT)

> When running as a accelerator, squid normally only accepts "local" URLs
> (without server). By adding the Host: header you effectively translates
> the acceleration function to be almost equal to proxying with respect to
> security. The client may specify any server they want, and connect to
> them on the accel_port.
>
> The request goes thought all the usual ACL checks, so it is easy to set
> up full security if neccesary.
>
> >From icp.c:
>
> XXX Use of the Host: header here opens a potential
> security hole. There are no checks that the Host: value
> corresponds to one of your servers. It might, for example,
> refer to www.playboy.com. The 'dst' and/or 'dst_domain' ACL
> types should be used to prevent httpd-accelerators
> handling requests for non-local servers

However, a lower-level check is also cheap to add, and
doesn't require keeping large ACL lists:

 if virtual_host and Host: header
 AND Host: header IP resolves to virtual_host IP (CNAME or A record)
   use Host: header
 elsif virtual
   use IP addr
 else
   use accel prefix

What I'm not sure about is if the packet was received on an IP
interface that was not one of the IP aliases which the virtual
host CNAME points to! (Confusing, eh?) Will this happen
often enough to be worth the extra checks?

G
Received on Thu May 08 1997 - 13:42:29 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:35:08 MST