On Sun, 27 Nov 2011 23:36:23 +0100, David Touzeau wrote:
> Dear
>
> I have this squid version :
>
> Squid Cache: Version 3.2.0.13-20111125-r11436
> configure options:  '--prefix=/usr' '--includedir=/include'
> '--mandir=/share/man' '--infodir=/share/info' '--localstatedir=/var'
> '--libexecdir=/lib/squid3' '--disable-maintainer-mode'
> '--disable-dependency-tracking' '--srcdir=.'
> '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
> '--enable-gnuregex' '--enable-forward-log'
> '--enable-removal-policy=heap' '--enable-follow-x-forwarded-for'
> '--enable-http-violations' '--enable-large-cache-files'
> '--enable-removal-policies=lru,heap' '--enable-err-languages=English'
> '--enable-default-err-language=English' '--with-maxfd=32000'
> '--with-large-files' '--disable-dlmalloc' '--with-pthreads'
> '--enable-esi' '--enable-storeio=aufs,diskd,ufs,rock'
> '--with-aufs-threads=10' '--with-maxfd=16384'
> '--enable-x-accelerator-vary' '--with-dl' '--enable-truncate'
> '--enable-linux-netfilter' '--with-filedescriptors=16384'
> '--enable-wccpv2' '--enable-eui' '--enable-auth' 
> '--enable-auth-basic'
> '--enable-auth-digest' '--enable-auth-negotiate-helpers'
> '--enable-log-daemon-helpers' '--enable-url-rewrite-helpers'
> '--enable-auth-ntlm' '--with-default-user=squid' 
> '--enable-icap-client'
> '--enable-cache-digests' '--enable-icap-support' '--enable-poll'
> '--enable-epoll' '--enable-async-io' '--enable-delay-pools'
> 'CFLAGS=-DNUMTHREADS=60 -O3 -pipe -fomit-frame-pointer -funroll-loops
> -ffast-math -fno-exceptions'
>
> I cannot browse through the Internet and receive many errors in syslog:
>
> Nov 27 23:32:57 gibrat squid[15355]: SECURITY ALERT: By user agent:
> Opera/9.80 (X11; Linux i686; U; fr) Presto/2.9.168 Version/11.52
> Nov 27 23:32:57 gibrat squid[15355]: SECURITY ALERT: on URL:
> http://192.168.1.1:49152/rootDesc.xml
> Nov 27 23:32:59 gibrat squid[15355]: SECURITY ALERT: By user agent:
> Opera/9.80 (X11; Linux i686; U; fr) Presto/2.9.168 Version/11.52
> Nov 27 23:32:59 gibrat squid[15355]: SECURITY ALERT: on URL:
> http://clients1.google.com/complete/search?q=no-ip&client=opera&hl=fr
>
> Is it normal ??

These are the 2nd and 3rd lines of a "Host: header forgery" alert. The
first line explains what is being detected as wrong; these are the
supporting data to help track it down.

Having just read your config details in the other thread, I expect this
is caused by a combination of your incomplete iptables NAT intercept
rules, and testing by configuring the browser to use the proxy NAT port
directly. That type of setup is dangerous and can expect this rejection
in 3.2.

Amos

Received on Sun Nov 27 2011 - 23:06:09 MST
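
Added example (not part of the original thread and not Squid project code): a log grouper that reassembles the multi-line alert described in the reply, so that entries arriving without the explanatory first line, as in the syslog excerpt quoted above, are flagged. The text of the constructed first line and the names `group_alerts` and `missing_reason` are assumptions.

```python
import re

# Constructed sample: the four entries quoted in the post (wrapped lines rejoined)
# plus one constructed first line; its wording after "SECURITY ALERT:" is an
# assumption, since the post does not show the first line of the alert.
SAMPLE = """\
Nov 27 23:32:57 gibrat squid[15355]: SECURITY ALERT: By user agent: Opera/9.80 (X11; Linux i686; U; fr) Presto/2.9.168 Version/11.52
Nov 27 23:32:57 gibrat squid[15355]: SECURITY ALERT: on URL: http://192.168.1.1:49152/rootDesc.xml
Nov 27 23:32:59 gibrat squid[15355]: SECURITY ALERT: Host header forgery detected (constructed reason text)
Nov 27 23:32:59 gibrat squid[15355]: SECURITY ALERT: By user agent: Opera/9.80 (X11; Linux i686; U; fr) Presto/2.9.168 Version/11.52
Nov 27 23:32:59 gibrat squid[15355]: SECURITY ALERT: on URL: http://clients1.google.com/complete/search?q=no-ip&client=opera&hl=fr
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
    r"squid\[(?P<pid>\d+)\]: SECURITY ALERT: (?P<body>.*)$"
)
PREFIXES = {"By user agent: ": "user_agent", "on URL: ": "url"}


def group_alerts(text):
    """Reassemble multi-line SECURITY ALERT entries into one record per alert."""
    records, current = [], {}  # current: pid -> record still being filled
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a Squid SECURITY ALERT line
        pid, body = m["pid"], m["body"]
        key, value = "reason", body  # any other line is treated as the first line
        for prefix, name in PREFIXES.items():
            if body.startswith(prefix):
                key, value = name, body[len(prefix):]
        rec = current.get(pid)
        # A reason line, or a repeated field, means a new alert has started.
        if rec is None or key == "reason" or key in rec:
            rec = {"ts": m["ts"], "pid": pid, "reason": None}
            records.append(rec)
            current[pid] = rec
        rec[key] = value
    return records


def missing_reason(records):
    """Alerts whose first (explanatory) line never reached the log excerpt."""
    return [r for r in records if r["reason"] is None]
```

Running `missing_reason(group_alerts(...))` over a filtered syslog shows which alerts need the unfiltered log consulted to see what Squid actually rejected.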