Re: [squid-users] Squid 3.2.0.14 beta is available

From: Saleh Madi <saleh.madi_at_hadara.ps>
Date: Tue, 13 Dec 2011 12:59:34 +0200 (IST)

I use Linux policy-based routing.

Example: a Linux PPPoE server has two interfaces, one interface connected
with the main Linux router, the other interface connected with the squid box,
and I redirect all HTTP traffic from the PPPoE server via "policy based
routing" to the squid box.
Note: the PPPoE server and the squid box use the same Linux router.

Another example: I have tested policy-based routing for fixed IPs with
TPROXY but it does not work, but in router mode TPROXY works without any
problem.

Does the policy-based routing cause the "Host header forgery detected" problem?

iptables -t mangle -A PREROUTING -i ppp+ -s 10.0.0.0/8 -p tcp --dport 80 -j MARK --set-mark $mark
# add a default route in our second routing table
ip route add default via $gwip dev $dev table $ta
# setup routing based on the firewall mark
ip rule list | grep "lookup $ta" >/dev/null || ip rule add fwmark $mark priority $prior table $ta

Thanks,
Saleh

> On 13/12/2011 8:48 p.m., Saleh Madi wrote:
>> Thanks Amos for your good work. From the squid-3.2.0.13 and squid-3.2.0.14
>> versions we are facing a big problem with "SECURITY ALERT: By user agent" and
>> "SECURITY ALERT: on URL". The squid box and the clients are using the same DNS
>> servers. What do flags=33 and flags=17 mean in the cache log file, and how
>> can I disable the SECURITY ALERT?
>>
>> squid config
>> http_port 192.168.95.20:3129 transparent
>>
>> iptables:
>> iptables -t nat -A WEBPROXY -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3129
>>
>> cache.log
>>
>> 2011/12/13 09:23:48.529 kid1| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
>> 2011/12/13 09:23:48.529 kid1| SECURITY ALERT: on URL: http://www.facebook.com/ajax/chat/send.php?__a=1
>
> These are two additional lines of data about the Host forgery alert.
>
>> 2011/12/13 09:23:48.597 kid1| SECURITY ALERT: Host header forgery detected on local=66.220.147.33:80 remote=10.0.2.45:37086 FD 270 flags=33 (local IP does not match any domain IP)
>> 2011/12/13 09:23:48.597 kid1| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
>> 2011/12/13 09:23:48.597 kid1| SECURITY ALERT: on URL: http://www.facebook.com/ajax/chat/user_info.php?__a=1&ids[0]=1521437876&__user=100000212560683
>
> Squid has resolved the domain name (www.facebook.com) the client
> (10.0.2.45) was supposedly contacting and determined that the IP
> (66.220.147.33) the packet was going to does not belong to that domain
> name.
>
> Details about the alert and some things which can be done about it when
> it appears are at
> http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
>
> Amos
>
Received on Tue Dec 13 2011 - 11:03:38 MST
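
Added example, not part of the original thread and not Squid's own tooling: a small Python triage script that groups each "Host header forgery detected" line in cache.log with the user-agent and URL lines that follow it, then counts alerts per client, requested host and destination IP. The sample input is the log excerpt quoted above with the archive's line folding undone; the function names are illustrative, and only IPv4 addresses are matched.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Log lines from the message above, unwrapped (the archive had folded them).
SAMPLE = """\
2011/12/13 09:23:48.529 kid1| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
2011/12/13 09:23:48.529 kid1| SECURITY ALERT: on URL: http://www.facebook.com/ajax/chat/send.php?__a=1
2011/12/13 09:23:48.597 kid1| SECURITY ALERT: Host header forgery detected on local=66.220.147.33:80 remote=10.0.2.45:37086 FD 270 flags=33 (local IP does not match any domain IP)
2011/12/13 09:23:48.597 kid1| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
2011/12/13 09:23:48.597 kid1| SECURITY ALERT: on URL: http://www.facebook.com/ajax/chat/user_info.php?__a=1&ids[0]=1521437876&__user=100000212560683
"""

ALERT = re.compile(r"SECURITY ALERT: (.*)$")
FORGERY = re.compile(
    r"Host header forgery detected on local=(?P<dst>[\d.]+):\d+ "
    r"remote=(?P<client>[\d.]+):\d+ FD \d+ flags=(?P<flags>\d+) \((?P<reason>[^)]*)\)")

def parse_alerts(text):
    """Group each forgery line with the user-agent and URL lines that follow it."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = ALERT.search(line)
        if not m:
            cur = None  # any unrelated log line ends the current alert
            continue
        body = m.group(1)
        f = FORGERY.match(body)
        if f:
            cur = dict(f.groupdict(), user_agent=None, url=None, host=None)
            alerts.append(cur)
        elif cur is not None and body.startswith("By user agent: "):
            cur["user_agent"] = body[len("By user agent: "):]
        elif cur is not None and body.startswith("on URL: "):
            cur["url"] = body[len("on URL: "):]
            cur["host"] = urlsplit(cur["url"]).hostname
        # detail lines with no preceding forgery line (truncated log) are skipped
    return alerts

def summarize(alerts):
    """Count alerts per (client IP, requested host, destination IP)."""
    return Counter((a["client"], a["host"], a["dst"]) for a in alerts)

if __name__ == "__main__":
    for (client, host, dst), n in summarize(parse_alerts(SAMPLE)).most_common():
        print(f"{n:5d}  client={client}  host={host}  dst={dst}")
```

A client or destination IP that dominates the summary is the place to start checking the causes listed on the wiki page Amos links.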
