Re: [squid-users] Squid 3.2.0.14 beta is available

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 15 Dec 2011 18:52:08 +1300

On 14/12/2011 10:02 p.m., Saleh Madi wrote:
> Dear all,
>
> "www.facebook.com" does not work in TPROXY mode because of the
> "Host header forgery detected" problem. TPROXY is a nice feature and we
> need it for spoofing the client IP address. I think the squid
> developers need to think about this problem; I hope we can fix this
> problem.

Spent two years thinking about this implementation. What we have today
is down to these cases:

  * client A sends packet requesting http://example.com/ to machine IP
    a.b.c.d
  * packet gets intercepted into Squid instead
  * example.com DNS lookup informs Squid example.com has IP address
    e.f.g.h (and no others)
  * Squid alerts: local IP (a.b.c.d) does not match (exist in) the
    domain IPs (e.f.g.h)

  * client B sends packet requesting http://example.com/ to machine IP
    w.x.y.z
  * packet gets intercepted into Squid instead
  * example.com DNS lookup informs Squid example.com has IP address
    e.f.g.h (and no others)
  * Squid alerts: local IP (w.x.y.z) does not match (exist in) the
    domain IPs (e.f.g.h)

  * client C sends packet requesting http://example.com/ to machine IP
    e.f.g.h
  * packet gets intercepted into Squid instead
  * example.com DNS lookup informs Squid example.com has IP address
    e.f.g.h (and no others)
  * Squid relays the request out to e.f.g.h

HTTP header for all three requests is exactly identical. Only the packet
IPs change.

Problem #1: Are clients A and B both hijackers, or is one of them friendly?
  * lookup "cross-site scripting" (XSS) and the side effects.

Problem #2: Is the machine at a.b.c.d or at w.x.y.z going to return the
correct data or something dangerous?
  * lookup "cache poisoning" and the side effects.

If anyone can produce code to answer those questions accurately they
will have solved your alert. I am hoping one day to allow the
request/reply to go through as a private transaction for that one client
without affecting any existing cached content. That would limit the
infection damage to only that client. But that requires changes to the
storage which are not yet done in the 3.2 series.

Meanwhile ensure the recursive DNS resolvers used by your intercepted
clients are the one(s) used by the Squid intercepting proxy.

I have checked all the websites you mention. They all have fixed DNS IP
results with answers based on the IP of the resolver being used to find
them. This means that if your clients and Squid used the same recursive
DNS resolver(s) they would get the same answers and Squid would not alert.

Amos
Received on Thu Dec 15 2011 - 05:52:17 MST
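The three cases above and the "same resolver" advice, as an added Python model (example code, not Squid's own implementation): the intercepted packet's original destination IP is compared against the addresses Squid's own resolver returns for the Host header. The resolver tables, host names and addresses are constructed, with two resolvers that give different answers for example.com, as a split-horizon or geo-DNS setup would.

```python
import ipaddress
from typing import Dict, FrozenSet

# Constructed (hypothetical) resolver views: each recursive resolver
# answers example.com with a different address set, as geo-DNS does.
RESOLVER_VIEWS: Dict[str, Dict[str, FrozenSet[str]]] = {
    "resolver-X": {"example.com": frozenset({"192.0.2.10"})},
    "resolver-Y": {"example.com": frozenset({"198.51.100.20"})},
}


def lookup(resolver: str, host: str) -> FrozenSet[str]:
    """Return the address set a given resolver hands out for host."""
    return RESOLVER_VIEWS[resolver].get(host, frozenset())


def check_intercepted_request(original_dst: str, host_header: str,
                              squid_resolver: str) -> str:
    """Model of the check Amos describes.

    original_dst is the IP the client actually sent the packet to
    (recovered by TPROXY/interception); host_header is the HTTP Host.
    Squid resolves the Host with its own resolver and relays only if
    original_dst is one of the answers; otherwise it alerts.
    """
    # Strip an optional ":port" suffix (bracketed IPv6 literals not modelled).
    host = host_header.partition(":")[0].lower()
    dst = ipaddress.ip_address(original_dst)
    answers = {ipaddress.ip_address(a) for a in lookup(squid_resolver, host)}
    return "relay" if dst in answers else "alert"


def simulate_client(client_resolver: str, squid_resolver: str,
                    host: str = "example.com") -> str:
    """Client resolves host with its own resolver, sends the packet to
    the first answer, and Squid intercepts it. Shows why clients and
    the proxy must share a resolver to avoid false alerts."""
    addrs = sorted(lookup(client_resolver, host))
    if not addrs:
        raise ValueError(f"{client_resolver} has no answer for {host}")
    return check_intercepted_request(addrs[0], host, squid_resolver)
```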
