Re: [squid-users] SECURITY ALERT generated by squid in events

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 28 Nov 2011 12:05:59 +1300

 On Sun, 27 Nov 2011 23:36:23 +0100, David Touzeau wrote:
> Dear
>
> I have this squid version :
>
> Squid Cache: Version 3.2.0.13-20111125-r11436
> configure options: '--prefix=/usr' '--includedir=/include'
> '--mandir=/share/man' '--infodir=/share/info' '--localstatedir=/var'
> '--libexecdir=/lib/squid3' '--disable-maintainer-mode'
> '--disable-dependency-tracking' '--srcdir=.'
> '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
> '--enable-gnuregex' '--enable-forward-log'
> '--enable-removal-policy=heap' '--enable-follow-x-forwarded-for'
> '--enable-http-violations' '--enable-large-cache-files'
> '--enable-removal-policies=lru,heap' '--enable-err-languages=English'
> '--enable-default-err-language=English' '--with-maxfd=32000'
> '--with-large-files' '--disable-dlmalloc' '--with-pthreads'
> '--enable-esi' '--enable-storeio=aufs,diskd,ufs,rock'
> '--with-aufs-threads=10' '--with-maxfd=16384'
> '--enable-x-accelerator-vary' '--with-dl' '--enable-truncate'
> '--enable-linux-netfilter' '--with-filedescriptors=16384'
> '--enable-wccpv2' '--enable-eui' '--enable-auth'
> '--enable-auth-basic'
> '--enable-auth-digest' '--enable-auth-negotiate-helpers'
> '--enable-log-daemon-helpers' '--enable-url-rewrite-helpers'
> '--enable-auth-ntlm' '--with-default-user=squid'
> '--enable-icap-client'
> '--enable-cache-digests' '--enable-icap-support' '--enable-poll'
> '--enable-epoll' '--enable-async-io' '--enable-delay-pools'
> 'CFLAGS=-DNUMTHREADS=60 -O3 -pipe -fomit-frame-pointer -funroll-loops
> -ffast-math -fno-exceptions'
>
> I cannot browse through the Internet and receive many errors in syslog:
>
> Nov 27 23:32:57 gibrat squid[15355]: SECURITY ALERT: By user agent:
> Opera/9.80 (X11; Linux i686; U; fr) Presto/2.9.168 Version/11.52
> Nov 27 23:32:57 gibrat squid[15355]: SECURITY ALERT: on URL:
> http://192.168.1.1:49152/rootDesc.xml
> Nov 27 23:32:59 gibrat squid[15355]: SECURITY ALERT: By user agent:
> Opera/9.80 (X11; Linux i686; U; fr) Presto/2.9.168 Version/11.52
> Nov 27 23:32:59 gibrat squid[15355]: SECURITY ALERT: on URL:
> http://clients1.google.com/complete/search?q=no-ip&client=opera&hl=fr
>
> Is it normal?

 These are the 2nd and 3rd lines of a "Host: header forgery" alert. The
 first line explains what is being detected as wrong, these are the
 supporting data to help track it down.

 Having just read your config details in the other thread, I expect this
 is caused by a combination of your incomplete iptables NAT intercept
 rules, and testing by configuring the browser to use the proxy NAT port
 directly. That type of setup is dangerous and can expect this rejection
 in 3.2.

 Amos
Received on Sun Nov 27 2011 - 23:06:09 MST
