On 10/01/2012 5:23 p.m., Nguyen Hai Nam wrote:
> Hi,
>
> I got many security alerts from Squid that told "Host header forgery
> detected", part of the log file is here:
>
> https://pastee.org/7vqst
>
> This error happens when users:
>
> 1. open google.com on browser and was redirected to local google.com.vn
> 2. open result links when googling
> 3. open facebook.com
>
> And this error often happens to some specific users.
>
> I'm using Squid 3.2.0.14 on OpenIndiana 151a 32-bit system.
>
> Hope to receive the solution for this issue from you guys.
The only full solution is not to use traffic interception. Use automatic
configuration (WPAD) instead.
Some specific users and only them? What I see in those logs is a user
trying to force their traffic to route via America.
User from USA (or at least using DNS server hosted in USA) gets told to
use the Google USA network:
www-google-analytics.l.google.com has address 74.125.225.64
...
www-google-analytics.l.google.com has address 74.125.225.74 <----
your user is contacting here
...
www-google-analytics.l.google.com has address 74.125.225.79
Being intercepted by a Squid in Asia-Pacific region (in Vietnam by the
looks of it) which gets told the IPs for the local Google (SE Asia)
network as the *only* IPs about that machine the user is contacting.
www-google-analytics.l.google.com in the Asia-Pacific region use
addresses 74.125.237.0/26 (for _me_. Possibly a different /26 for you
and your Squid)
Which noticably does NOT contain 74.125.**225.74** which is in the
74.125.225.0/26 network across the pond.
http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery has a few
things you can do to reduce it. We do not have any safe way around this.
Amos
Received on Tue Jan 10 2012 - 05:31:59 MST
This archive was generated by hypermail 2.2.0 : Tue Jan 10 2012 - 12:00:02 MST