[squid-users] RE: HostHeaderForgery on dual stack ipv4/ipv6 machine and ICAP

From: James R. Leu <jleu_at_mindspring.com>
Date: Sun, 29 Jan 2012 11:29:04 -0600

Hello,

I'm in the process of implementing an ICAP server, but I'm encountering the
HostHeaderForgery issue quite often when accessing sites that I can reach
over IPv6. I've read the KB entry about this. It lists
that co-locating the NAT device and squid on the same machine,
or enabling EDNS may resolve the issue.

I'm wondering if my issue is specific to dual stack v4/v6
or to ICAP. Any suggestions for what I can try to
work around this issue? If this is specific to
dual stack v4/v6, I'm here to beat my v6 migration
drum and I'm willing to help out to resolve it.

My test environment:

    Linux laptop with dual stack ipv4/ipv6
    - Fedora rawhide squid (squid-3.2.0.14-6.fc17.x86_64)
    - resolv.conf has v4/v6 nameservers listed
    - squid in intercept mode on same machine as web browser and icap server
    - iptables redirect
        # nat table: the DNAT target is only valid there, and the owner-match
        # ACCEPT must sit in the same chain so squid's own traffic is not looped back
        iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner 23 -m tcp --dport 80 -j ACCEPT
        iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination localhost:3128

    - squid config

        acl localnet src 192.168.0.0/16
        acl localnet src fc00::/7
        acl localnet src fe80::/10
        acl SSL_ports port 443
        acl Safe_ports port 80
        acl Safe_ports port 21
        acl Safe_ports port 443
        acl Safe_ports port 70
        acl Safe_ports port 210
        acl Safe_ports port 1025-65535
        acl Safe_ports port 280
        acl Safe_ports port 488
        acl Safe_ports port 591
        acl Safe_ports port 777
        acl CONNECT method CONNECT
        http_access allow localhost manager
        http_access deny manager
        http_access deny !Safe_ports
        http_access deny CONNECT !SSL_ports
        http_access allow localnet
        http_access allow localhost
        http_access deny all
        http_port 3128 intercept
        server_persistent_connections on
        icap_enable on
        icap_send_client_ip on
        icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/request
        adaptation_access service_req allow all
        coredump_dir /var/spool/squid

-- 
James R. Leu
jleu_at_mindspring.com
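For readers unfamiliar with what the HostHeaderForgery check in intercept mode actually compares, here is a simplified model of it as an added illustration; it is not Squid's code and it resolves names against a constructed table instead of DNS. The check exists so that a client cannot make an intercepting proxy fetch (and cache) content from an origin that differs from the TCP destination it actually connected to. The model also shows two things relevant to the dual-stack setup above: an intercepted IPv4 connection seen on a dual-stack socket arrives as an IPv4-mapped IPv6 address (`::ffff:a.b.c.d`) and has to be unmapped before comparison, and a name whose answer set changes between the client's lookup and the proxy's lookup (round-robin or CDN records) fails the check even though nothing is forged.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed DNS answer sets standing in for a resolver (documentation
# prefixes only; not real hosts). Hypothetical names, chosen for the demo.
FAKE_DNS: Dict[str, List[str]] = {
    "www.example.test": ["192.0.2.10", "2001:db8::10"],
    "cdn.example.test": ["198.51.100.20", "198.51.100.21", "2001:db8::20"],
}


def normalize(addr: str) -> IPAddr:
    """Parse an address; unmap IPv4-mapped IPv6 (::ffff:a.b.c.d -> a.b.c.d).

    A dual-stack listener reports intercepted IPv4 clients this way, so the
    original destination must be unmapped or it never equals an A record.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def parse_host_header(value: str) -> Tuple[str, Optional[int]]:
    """Split 'host[:port]' or '[v6literal][:port]' into (host, port)."""
    value = value.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal in Host header")
        rest = value[end + 1:]
        port = int(rest[1:]) if rest.startswith(":") else None
        return value[1:end], port
    # Exactly one colon means host:port; more than one is a bare IPv6 literal.
    if value.count(":") == 1:
        host, port_s = value.rsplit(":", 1)
        return host, int(port_s)
    return value, None


def verify_host(host_header: str, original_dst: str, dst_port: int,
                resolver: Dict[str, List[str]] = FAKE_DNS) -> Tuple[bool, str]:
    """Model of the intercept host check: the TCP destination the client
    really connected to must be one of the addresses the Host header names.
    Returns (ok, reason)."""
    host, port = parse_host_header(host_header)
    if port is not None and port != dst_port:
        return False, f"Host port {port} differs from intercepted port {dst_port}"

    dst = normalize(original_dst)

    # A Host header that is itself an IP literal must equal the destination.
    try:
        literal: Optional[IPAddr] = normalize(host)
    except ValueError:
        literal = None
    if literal is not None:
        if literal == dst:
            return True, "Host literal equals original destination"
        return False, f"Host literal {literal} != original destination {dst}"

    # Otherwise the destination must appear in the proxy's own answer set.
    candidates = {normalize(a) for a in resolver.get(host.lower(), [])}
    if dst in candidates:
        return True, "original destination is among the resolved addresses"
    return False, (f"original destination {dst} not among "
                   f"{sorted(str(c) for c in candidates)}")


if __name__ == "__main__":
    cases = [
        ("www.example.test", "192.0.2.10"),          # plain IPv4 match
        ("www.example.test", "::ffff:192.0.2.10"),   # mapped v4 on dual-stack socket
        ("www.example.test", "2001:db8::10"),        # IPv6 match
        ("cdn.example.test", "198.51.100.22"),       # answer set drifted: false alarm
        ("www.example.test", "203.0.113.5"),         # genuine forgery attempt
    ]
    for hdr, dst in cases:
        print(f"{hdr:18} {dst:20} -> {verify_host(hdr, dst, 80)}")
```

The fourth case is the benign failure mode: the client resolved `cdn.example.test` to an address the proxy's later lookup did not return, and the check cannot distinguish that from the fifth case, a forged Host header. That is why the KB's remedies are about making the proxy see the same answers as the client (shared resolver, EDNS) rather than about the Host header itself.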

Received on Sun Jan 29 2012 - 17:29:12 MST
