[squid-users] Host header forgery policy

From: Edwin Marqe <edwinmarqe_at_gmail.com>
Date: Mon, 14 Jul 2014 18:46:03 +0100

Hi all,

After an upgrade of squid3 to version 3.3.8-1ubuntu6, I got the
unpleasant surprise of what is called the "Host header forgery
policy".

I've read the documentation of this part, and although I understand
the motivation of its implementation, I honestly don't see it as very
practical to implement this without the possibility of disabling it,
basically because not all scenarios fit the requirements written in
the documentation.

I have about 30 clients and I've configured squid3 to be a transparent
proxy on port 3128 on a remote server. The entry point is port 8080
which is then redirected on the same host to the port 3128.

However, *any* opened URL throws the warning:

2014/07/14 19:21:52.612| SECURITY ALERT: Host header forgery detected on local=10.10.0.1:8080 remote=10.10.0.6:59150 FD 9 flags=33 (local IP does not match any domain IP)
2014/07/14 19:21:52.612| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
2014/07/14 19:21:52.612| SECURITY ALERT: on URL: google.com:443
2014/07/14 19:21:52.612| abandoning local=10.10.0.1:8080 remote=10.10.0.6:59150 FD 9 flags=33

I have manually configured the browser of these clients - the problem
is that in the company's network I have my DNS servers and on the
remote host (where the Squid server is running) there are others, and
as this is hosted by an external company which doesn't allow changing
those DNS nameservers, I wonder what to do? Is there any solution at
this point?

Thanks.
Received on Mon Jul 14 2014 - 17:46:09 MDT
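
Added example, not part of the original post and not Squid's own code: a triage script that groups alerts like the ones quoted above and separates those whose destination was the proxy itself from those sent to some other address. It assumes that `local=` is the address the client originally connected to, so an alert whose `local=` is one of the proxy's own addresses came from a client pointed directly at the intercepting port; `proxy_ips`, the function names and the second log entry are constructed for illustration.

```python
import re

# Sample in the cache.log layout shown in the post (entries unwrapped).
# The first alert uses the values from the post; the second is constructed.
SAMPLE_LOG = """\
2014/07/14 19:21:52.612| SECURITY ALERT: Host header forgery detected on local=10.10.0.1:8080 remote=10.10.0.6:59150 FD 9 flags=33 (local IP does not match any domain IP)
2014/07/14 19:21:52.612| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
2014/07/14 19:21:52.612| SECURITY ALERT: on URL: google.com:443
2014/07/14 19:21:52.612| abandoning local=10.10.0.1:8080 remote=10.10.0.6:59150 FD 9 flags=33
2014/07/14 19:22:10.101| SECURITY ALERT: Host header forgery detected on local=203.0.113.10:80 remote=10.10.0.7:40112 FD 12 flags=33 (local IP does not match any domain IP)
2014/07/14 19:22:10.101| SECURITY ALERT: By user agent: ExampleAgent/1.0
2014/07/14 19:22:10.101| SECURITY ALERT: on URL: http://example.com/
"""

HEAD = re.compile(r"SECURITY ALERT: Host header forgery detected on "
                  r"local=(?P<local>[\d.]+):(?P<lport>\d+) "
                  r"remote=(?P<remote>[\d.]+):\d+ .*\((?P<reason>[^)]*)\)\s*$")
AGENT = re.compile(r"SECURITY ALERT: By user agent: (?P<agent>.*)$")
URL = re.compile(r"SECURITY ALERT: on URL: (?P<url>\S+)")


def parse_alerts(text):
    """Fold each multi-line alert into one dict, in log order."""
    alerts = []
    for line in text.splitlines():
        if m := HEAD.search(line):
            alerts.append({**m.groupdict(), "agent": None, "url": None})
        elif alerts and (m := AGENT.search(line)):
            alerts[-1]["agent"] = m["agent"]
        elif alerts and (m := URL.search(line)):
            alerts[-1]["url"] = m["url"]
    return alerts


def triage(alerts, proxy_ips):
    """Label each alert by whether the client connected to the proxy's own IP."""
    for a in alerts:
        # Assumption: local= is the original destination of the client connection.
        a["verdict"] = ("client-addressed-proxy" if a["local"] in proxy_ips
                        else "destination-dns-mismatch")
    return alerts


if __name__ == "__main__":
    for a in triage(parse_alerts(SAMPLE_LOG), {"10.10.0.1"}):
        print(a["remote"], a["url"], a["reason"], a["verdict"])
```

Alerts labelled `client-addressed-proxy` point at client or port configuration rather than at DNS differences between the two networks.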