Re: [squid-users] Squid 3.2.0.14 beta is available

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 13 Dec 2011 22:59:02 +1300

On 13/12/2011 8:48 p.m., Saleh Madi wrote:
> Thanks Amos for your good work. Since squid-3.2.0.13 and squid-3.2.0.14
> we are facing a big problem with "SECURITY ALERT: By user agent" and
> "SECURITY ALERT: on URL". The Squid box and the clients use the same DNS
> servers. What do flags=33 and flags=17 in the cache log file mean, and how
> can I disable the SECURITY ALERT?
>
> squid config
> http_port 192.168.95.20:3129 transparent
>
> iptables:
> iptables -t nat -A WEBPROXY -i eth2 -p tcp --dport 80 -j REDIRECT
> --to-port 3129
>
> cache.log
>
> 2011/12/13 09:23:48.529 kid1| SECURITY ALERT: By user agent: Mozilla/5.0
> (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
> 2011/12/13 09:23:48.529 kid1| SECURITY ALERT: on URL:
> http://www.facebook.com/ajax/chat/send.php?__a=1

These are two additional lines of data about the Host forgery alert.

> 2011/12/13 09:23:48.597 kid1| SECURITY ALERT: Host header forgery detected
> on local=66.220.147.33:80 remote=10.0.2.45:37086 FD 270 flags=33 (local IP
> does not match any domain IP)
> 2011/12/13 09:23:48.597 kid1| SECURITY ALERT: By user agent: Mozilla/5.0
> (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
> 2011/12/13 09:23:48.597 kid1| SECURITY ALERT: on URL:
> http://www.facebook.com/ajax/chat/user_info.php?__a=1&ids[0]=1521437876&__user=100000212560683

Squid has resolved the domain name (www.facebook.com) the client
(10.0.2.45) was supposedly contacting and determined that the IP
(66.220.147.33) the packet was going to does not belong to that domain name.

Details about the alert and some things which can be done about it when
it appears are at
http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery

Amos
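As an added example (written for this thread, not Squid's own code): a small Python script that parses the three-line alert groups Squid writes to cache.log (the "Host header forgery detected" line plus the "By user agent" and "on URL" lines that follow it) and re-runs the check Amos describes, namely that the destination IP of the intercepted connection must be one of the addresses the Host header's domain resolves to. The log excerpt and the two resolver "views" (what the Squid box resolves versus what the client resolved) are constructed for the example; the facebook.com addresses and www.example.com entries are illustrative, not real lookups.

```python
"""Parse Squid 'Host header forgery' alerts from cache.log and re-run Squid's check:
the intercepted destination IP must be one of the IPs the Host header resolves to.

Added example for this thread; not Squid code. The log excerpt and both resolver
views below are constructed, not captured from a live system.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable, Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed cache.log excerpt modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
2011/12/13 09:23:48.597 kid1| SECURITY ALERT: Host header forgery detected on local=66.220.147.33:80 remote=10.0.2.45:37086 FD 270 flags=33 (local IP does not match any domain IP)
2011/12/13 09:23:48.597 kid1| SECURITY ALERT: By user agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
2011/12/13 09:23:48.597 kid1| SECURITY ALERT: on URL: http://www.facebook.com/ajax/chat/user_info.php?__a=1&ids[0]=1521437876&__user=100000212560683
2011/12/13 09:24:01.102 kid1| SECURITY ALERT: Host header forgery detected on local=203.0.113.9:80 remote=10.0.2.77:40122 FD 271 flags=33 (local IP does not match any domain IP)
2011/12/13 09:24:01.102 kid1| SECURITY ALERT: By user agent: curl/7.21.0
2011/12/13 09:24:01.102 kid1| SECURITY ALERT: on URL: http://www.example.com/
"""

# Constructed resolver views: what Squid resolves the name to vs. what the client got.
# Addresses are illustrative (documentation ranges), not real DNS answers.
SQUID_DNS_VIEW = {"www.facebook.com": ["198.51.100.7", "198.51.100.8"],
                  "www.example.com": ["203.0.113.10"]}
CLIENT_DNS_VIEW = {"www.facebook.com": ["66.220.147.33"],
                   "www.example.com": ["203.0.113.9"]}

FORGERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<kid>kid\d+)\| SECURITY ALERT: Host header forgery detected "
    r"on local=(?P<local>\S+) remote=(?P<remote>\S+) FD (?P<fd>\d+) flags=(?P<flags>\d+) "
    r"\((?P<reason>[^)]*)\)$")
UA_RE = re.compile(r"SECURITY ALERT: By user agent: (?P<ua>.*)$")
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<url>\S+)$")


def split_endpoint(text: str):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = text.rpartition(":")
    return addr.strip("[]"), int(port)


@dataclass
class ForgeryAlert:
    timestamp: str
    local_ip: str       # destination the client's packet was actually going to
    local_port: int
    remote_ip: str      # the client
    remote_port: int
    fd: int
    flags: int
    reason: str
    user_agent: Optional[str] = None
    url: Optional[str] = None

    @property
    def host(self) -> Optional[str]:
        """Domain from the Host header, as reconstructed in the logged URL."""
        return urlsplit(self.url).hostname if self.url else None


def parse_alerts(lines: Iterable[str]) -> List[ForgeryAlert]:
    """Group each forgery line with the 'By user agent' / 'on URL' lines that follow it."""
    alerts: List[ForgeryAlert] = []
    for line in lines:
        line = line.rstrip("\n")
        m = FORGERY_RE.match(line)
        if m:
            lip, lport = split_endpoint(m["local"])
            rip, rport = split_endpoint(m["remote"])
            alerts.append(ForgeryAlert(m["ts"], lip, lport, rip, rport,
                                       int(m["fd"]), int(m["flags"]), m["reason"]))
            continue
        if not alerts:
            continue  # detail line with no preceding forgery line: nothing to attach to
        m = UA_RE.search(line)
        if m:
            alerts[-1].user_agent = m["ua"]
            continue
        m = URL_RE.search(line)
        if m:
            alerts[-1].url = m["url"]
    return alerts


def destination_matches_host(alert: ForgeryAlert,
                             resolve: Callable[[str], Iterable[str]]) -> bool:
    """Squid's test, re-run with the supplied resolver view."""
    if alert.host is None:
        return False
    dst = ip_address(alert.local_ip)
    return any(ip_address(a) == dst for a in resolve(alert.host))


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_LOG.splitlines()):
        squid_ok = destination_matches_host(a, lambda h: SQUID_DNS_VIEW.get(h, []))
        client_ok = destination_matches_host(a, lambda h: CLIENT_DNS_VIEW.get(h, []))
        print(f"{a.timestamp} {a.remote_ip} -> {a.local_ip}:{a.local_port} host={a.host} "
              f"flags={a.flags} matches(squid view)={squid_ok} matches(client view)={client_ok}")
```

Run against a real cache.log by feeding the file's lines to parse_alerts and replacing the two dictionaries with lookups against the resolver you want to compare (for instance socket.getaddrinfo on the Squid box and the client's configured server via a DNS library). An alert whose destination matches the client's view but not Squid's is the pattern described in the thread: the two sides got different answers for the same name.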
Received on Tue Dec 13 2011 - 09:59:10 MST

This archive was generated by hypermail 2.2.0 : Tue Dec 13 2011 - 12:00:03 MST