Re: [squid-users] Squid 3.2.0.14 beta is available

From: Saleh Madi <saleh.madi_at_hadara.ps>
Date: Tue, 13 Dec 2011 09:48:10 +0200 (IST)

Thanks Amos for your good work. Since the squid-3.2.0.13 and squid-3.2.0.14
versions we are facing a big problem with "SECURITY ALERT: By user agent" and
"SECURITY ALERT: on URL" messages. The Squid box and the clients are using the
same DNS servers. What do flags=33 and flags=17 mean in the cache log file, and
how can I disable the SECURITY ALERT?

squid config
http_port 192.168.95.20:3129 transparent

iptables:
iptables -t nat -A WEBPROXY -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3129

cache.log

2011/12/13 09:23:48.529 kid1| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
2011/12/13 09:23:48.529 kid1| SECURITY ALERT: on URL: http://www.facebook.com/ajax/chat/send.php?__a=1
2011/12/13 09:23:48.597 kid1| SECURITY ALERT: Host header forgery detected on local=66.220.147.33:80 remote=10.0.2.45:37086 FD 270 flags=33 (local IP does not match any domain IP)
2011/12/13 09:23:48.597 kid1| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
2011/12/13 09:23:48.597 kid1| SECURITY ALERT: on URL: http://www.facebook.com/ajax/chat/user_info.php?__a=1&ids[0]=1521437876&__user=100000212560683
2011/12/13 09:23:48.710 kid1| SECURITY ALERT: Host header forgery detected on local=69.171.242.11:80 remote=10.0.10.61:50241 FD 241 flags=33 (local IP does not match any domain IP)
2011/12/13 09:23:48.710 kid1| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
2011/12/13 09:23:48.710 kid1| SECURITY ALERT: on URL: http://www.facebook.com/ajax/typeahead/search.php?__a=1&value=%D8%AD%D8%B0%D9%8A%D9%81%D8%A9%20&viewer=100003230327449&rsp=search&context=search&sid=0.5034341039885455&__user=100003230327449
2011/12/13 09:23:48.899 kid1| SECURITY ALERT: Host header forgery detected on local=66.220.158.18:80 remote=10.0.0.237:4549 FD 310 flags=33 (local IP does not match any domain IP)
2011/12/13 09:23:48.899 kid1| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
2011/12/13 09:23:48.899 kid1| SECURITY ALERT: on URL: http://www.facebook.com/ajax/messaging/typ.php?__a=1
2011/12/13 09:23:48.962 kid1| SECURITY ALERT: Host header forgery detected on local=50.23.103.21:80 remote=10.0.10.79:57761 FD 340 flags=33 (local IP does not match any domain IP)
2011/12/13 09:23:48.962 kid1| SECURITY ALERT: By user agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
2011/12/13 09:23:48.962 kid1| SECURITY ALERT: on URL: http://mntr.facemoods.com/mntr/1.1.0.4/mtiecore.js
2011/12/13 09:23:49.342 kid1| SECURITY ALERT: Host header forgery detected on local=66.220.158.18:80 remote=10.0.0.237:4550 FD 183 flags=33 (local IP does not match any domain IP)

Thanks and Best Regards,
Saleh

> The Squid HTTP Proxy team is very pleased to announce the
> availability of the Squid-3.2.0.14 beta release!
>
>
> This release fixes many of the assertion and segmentation fault bugs
> found over the prior 3.2 beta releases. There are some few regressions
> still remaining to be found.
>
>
> * The regression in earlier 3.2 betas spoofing client IP properly for
> TPROXY has been fixed.
>
> * ext_session_acl helper upgraded to version 1.2. This version is
> updated to use modern BerkeleyDB 4.1+ APIs for improved support of
> synchronisation amongst multiple helper processes.
>
> * The missing ERR_DNS_FAIL error messages on DNS lookup failure have
> been restored.
>
> * ssl-bump decryption in Squid can now send a CA chain for generated
> certificates. This allows a local intermediate CA to sign the CA
> certificate used by the generator. Further assistance with testing that
> is welcome.
>
> * adaptation_meta directive has been added to pass custom headers to
> ICAP or eCAP services.
>
> * QoS support has been extended to allow masking the values relayed
> through Squid. This allows Squid to merge a tag value of its own with
> the value being relayed through.
>
> * SMP shared memory statistics are now collected and displayed in the
> cache manager reports.
>
>
> As usual this release contains all the fixes passed on to 3.1 series
> alongside its own changes.
>
> See the ChangeLog for the list of other minor changes in this release.
>
> All users interested in 3.2 features are encouraged to assist testing
> this release.
>
>
> Please refer to the release notes at
> http://www.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html
> when you are ready to make the switch to Squid-3.2
>
> Upgrade tip:
> "squid -k parse" is starting to display even more useful hints about
> squid.conf changes.
>
> This new release can be downloaded from our HTTP or FTP servers
>
> http://www.squid-cache.org/Versions/v3/3.2/
> ftp://ftp.squid-cache.org/pub/squid/
> ftp://ftp.squid-cache.org/pub/archive/3.2/
>
> or the mirrors. For a list of mirror sites see
>
> http://www.squid-cache.org/Download/http-mirrors.html
> http://www.squid-cache.org/Download/mirrors.html
>
> If you encounter any issues with this release please file a bug report.
> http://bugs.squid-cache.org/
>
>
> Amos Jeffries
>
>
Received on Tue Dec 13 2011 - 07:52:14 MST
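
An added example, not part of the original post and not Squid code: a Python triage script that groups the three-line alert blocks in the cache.log format quoted above and counts them per client, per URL host and per flags value, so an operator can see which clients and sites produce the alerts. It assumes each log entry sits on one line; the sample input and the names parse_alerts and summarize are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (documentation addresses), each log entry on one line.
SAMPLE = """\
2011/12/13 09:23:48.529 kid1| SECURITY ALERT: on URL: http://www.example.com/orphan
2011/12/13 09:23:48.597 kid1| SECURITY ALERT: Host header forgery detected on local=192.0.2.33:80 remote=10.0.2.45:37086 FD 270 flags=33 (local IP does not match any domain IP)
2011/12/13 09:23:48.597 kid1| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
2011/12/13 09:23:48.597 kid1| SECURITY ALERT: on URL: http://www.example.com/chat?id=1
2011/12/13 09:23:48.710 kid1| SECURITY ALERT: Host header forgery detected on local=192.0.2.11:80 remote=10.0.10.61:50241 FD 241 flags=33 (local IP does not match any domain IP)
2011/12/13 09:23:48.710 kid1| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
2011/12/13 09:23:48.710 kid1| SECURITY ALERT: on URL: http://www.example.com/search?q=x
2011/12/13 09:23:48.962 kid1| SECURITY ALERT: Host header forgery detected on local=198.51.100.21:80 remote=10.0.2.45:37090 FD 340 flags=17 (local IP does not match any domain IP)
2011/12/13 09:23:48.962 kid1| SECURITY ALERT: By user agent: ExampleAgent/1.0
2011/12/13 09:23:48.962 kid1| SECURITY ALERT: on URL: http://static.example.net/core.js
2011/12/13 09:23:49.342 kid1| SECURITY ALERT: Host header forgery detected on local=192.0.2.33:80 remote=10.0.0.237:4550 FD 183 flags=33 (local IP does not match any domain IP)
"""

# The "kidN" worker tag is optional so non-SMP logs parse too.
LINE = re.compile(r"^(\d{4}/\d\d/\d\d [\d:.]+)(?: kid\d+)?\| SECURITY ALERT: (.*)$")
HEAD = re.compile(r"Host header forgery detected on local=(\S+) remote=(\S+) "
                  r"FD \d+ flags=(\d+) \((.*)\)$")
DETAIL = {"By user agent: ": "agent", "on URL: ": "url"}

def parse_alerts(text):
    """Group each 'forgery detected' line with the detail lines that follow it."""
    alerts, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, body = m.groups()
        h = HEAD.match(body)
        if h:
            local, remote, flags, reason = h.groups()
            cur = {"time": ts, "dst": local, "client": remote.rsplit(":", 1)[0],
                   "flags": int(flags), "reason": reason, "agent": None, "url": None}
            alerts.append(cur)
            continue
        # Detail lines seen before any header (log excerpt cut mid-alert) are skipped.
        for prefix, key in DETAIL.items():
            if cur is not None and body.startswith(prefix) and cur[key] is None:
                cur[key] = body[len(prefix):]
    return alerts

def summarize(alerts):
    """Count alerts per client IP, per requested URL host and per flags value."""
    by_client = Counter(a["client"] for a in alerts)
    by_host = Counter(urlsplit(a["url"]).hostname for a in alerts if a["url"])
    by_flags = Counter(a["flags"] for a in alerts)
    return by_client, by_host, by_flags
```
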
