050-disable-intercept-host-header-forgery-5.4_1-3.patch
--- src/client_side_request.cc 2022-02-07 08:46:21.000000000 +0200
+++ src/client_side_request.cc 2022-02-09 11:58:02.295721457 +0200
@@ -519,40 +519,50 @@
ClientRequestContext *c = static_cast<ClientRequestContext*>(data);
c->hostHeaderIpVerify(ia, dns);
}
void
ClientRequestContext::hostHeaderIpVerify(const ipcache_addrs* ia, const Dns::LookupDetails &dns)
{
Comm::ConnectionPointer clientConn = http->getConn()->clientConnection;
// note the DNS details for the transaction stats.
http->request->recordLookup(dns);
// Is the NAT destination IP in DNS?
if (ia && ia->have(clientConn->local)) {
debugs(85, 3, "validate IP " << clientConn->local << " possible from Host:");
http->request->flags.hostVerified = true;
http->doCallouts();
return;
}
debugs(85, 3, HERE << "FAIL: validate IP " << clientConn->local << " possible from Host:");
+ if (http->request->flags.intercepted || http->request->flags.interceptTproxy) {
+ if (!Config.onoff.interceptHostStrictVerify && http->request->method == Http::METHOD_CONNECT) {
+ debugs(85, 3, "Forcing Host verified for: " << clientConn->local << " possible from Host:" << http->request->effectiveRequestUri());
+ http->request->flags.hostVerified = true;
+ http->request->flags.cachable = false;
+ http->request->flags.hierarchical = false;
+ http->doCallouts();
+ return;
+ }
+ }
hostHeaderVerifyFailed("local IP", "any domain IP");
}
void
ClientRequestContext::hostHeaderVerifyFailed(const char *A, const char *B)
{
// IP address validation for Host: failed. Admin wants to ignore them.
// NP: we do not yet handle CONNECT tunnels well, so ignore for them
if (!Config.onoff.hostStrictVerify && http->request->method != Http::METHOD_CONNECT) {
debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " << http->getConn()->clientConnection <<
" (" << A << " does not match " << B << ") on URL: " << http->request->effectiveRequestUri());
// NP: it is tempting to use 'flags.noCache' but that is all about READing cache data.
// The problems here are about WRITE for new cache content, which means flags.cachable
http->request->flags.cachable = false; // MUST NOT cache (for now)
// XXX: when we have updated the cache key to base on raw-IP + URI this cacheable limit can go.
http->request->flags.hierarchical = false; // MUST NOT pass to peers (for now)
// XXX: when we have sorted out the best way to relay requests properly to peers this hierarchical limit can go.
http->doCallouts();
return;
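Review bot: The new branch sets `http->request->flags.hostVerified = true` for a request whose Host check has just failed, while the existing tolerant path in hostHeaderVerifyFailed below only clears cachable and hierarchical and leaves hostVerified false; if hostVerified later lets forwarding trust Host-derived destinations rather than the client's original destination IP (worth confirming in peer selection), this re-opens the forgery case for intercepted CONNECT instead of merely tolerating it, so either leave the flag false or add a comment stating why CONNECT needs it. The guard `!Config.onoff.interceptHostStrictVerify` together with `DEFAULT: off` in cf.data.pre makes the relaxation active out of the box, which does not match the "strict" in the directive name; either default the directive to on or invert the test. Keep the existing greppable wording when logging the bypass, e.g. `debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " << clientConn << " (local IP does not match any domain IP) on URL: " << http->request->effectiveRequestUri() << ", tolerated for intercepted CONNECT");`, so log monitoring keyed on that message still sees these events. hostHeaderVerifyFailed continues past the end of the hunk.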
--- src/SquidConfig.h 2022-02-07 08:46:21.000000000 +0200
+++ src/SquidConfig.h 2022-02-09 11:58:12.640801309 +0200
@@ -323,40 +323,41 @@
int cache_miss_revalidate;
int emailErrData;
int httpd_suppress_version_string;
int global_internal_static;
int collapsed_forwarding;
#if FOLLOW_X_FORWARDED_FOR
int acl_uses_indirect_client;
int delay_pool_uses_indirect_client;
int log_uses_indirect_client;
#if LINUX_NETFILTER
int tproxy_uses_indirect_client;
#endif
#endif /* FOLLOW_X_FORWARDED_FOR */
int WIN32_IpAddrChangeMonitor;
int memory_cache_first;
int memory_cache_disk;
int hostStrictVerify;
int client_dst_passthru;
+ int interceptHostStrictVerify;
int dns_mdns;
#if USE_OPENSSL
bool logTlsServerHelloDetails;
#endif
} onoff;
int64_t shared_transient_entries_limit;
int pipeline_max_prefetch;
int forward_max_tries;
int connect_retries;
class ACL *aclList;
struct {
acl_access *http;
acl_access *adapted_http;
acl_access *icp;
acl_access *miss;
--- src/cf.data.pre 2022-02-07 08:46:21.000000000 +0200
+++ src/cf.data.pre 2022-02-09 11:58:26.136905483 +0200
@@ -2914,40 +2914,56 @@
With NAT or TPROXY intercepted traffic Squid may pass the request
directly to the original client destination IP or seek a faster
source using the HTTP Host header.
Using Host to locate alternative servers can provide faster
connectivity with a range of failure recovery options.
But can also lead to connectivity trouble when the client and
server are attempting stateful interactions unaware of the proxy.
This option (on by default) prevents alternative DNS entries being
located to send intercepted traffic DIRECT to an origin server.
The clients original destination IP and port will be used instead.
Regardless of this option setting, when dealing with intercepted
traffic Squid will verify the Host: header and any traffic which
fails Host verification will be treated as if this option were ON.
see host_verify_strict for details on the verification process.
DOC_END
+NAME: intercept_host_strict_verify
+TYPE: onoff
+DEFAULT: off
+LOC: Config.onoff.interceptHostStrictVerify
+DOC_START
+ Disable host_verify_strict for NAT or TPROXY intercepted traffic.
+DOC_END
+
+NAME: intercept_host_strict_verify
+TYPE: onoff
+DEFAULT: off
+LOC: Config.onoff.interceptHostStrictVerify
+DOC_START
+ Disable host_verify_strict for NAT or TPROXY intercepted traffic.
+DOC_END
+
COMMENT_START
TLS OPTIONS
-----------------------------------------------------------------------------
COMMENT_END
NAME: tls_outgoing_options
IFDEF: USE_GNUTLS||USE_OPENSSL
TYPE: securePeerOptions
DEFAULT: min-version=1.0
LOC: Security::ProxyOutgoingConfig
DOC_START
disable Do not support https:// URLs.
cert=/path/to/client/certificate
A client X.509 certificate to use when connecting.
key=/path/to/client/private_key
The private key corresponding to the cert= above.
If key= is not specified cert= is assumed to
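Review bot: The `NAME: intercept_host_strict_verify` block is added twice, verbatim, and cf.data.pre is the source from which Squid generates its config parser and documentation, so the second copy should be removed before it yields a duplicate directive definition. The DOC_START text also inverts the code's meaning: client_side_request.cc applies the bypass when the option is off, which is the default, so `Disable host_verify_strict for NAT or TPROXY intercepted traffic.` should instead state that when off (the default) intercepted CONNECT requests that fail Host verification are forwarded anyway and marked host-verified, and that setting it on keeps host_verify_strict handling for intercepted traffic. A sentence on what this means for the original-destination guarantee that the preceding client_dst_passthru text promises for intercepted traffic would help administrators judge the trade-off.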