Created
February 9, 2022 15:09
050-disable-intercept-host-header-forgery-5.4_1-3.patch
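--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
@@ -519,40 +519,50 @@
 ClientRequestContext *c = static_cast<ClientRequestContext*>(data);
 c->hostHeaderIpVerify(ia, dns);
 }
 void
 ClientRequestContext::hostHeaderIpVerify(const ipcache_addrs* ia, const Dns::LookupDetails &dns)
 {
 Comm::ConnectionPointer clientConn = http->getConn()->clientConnection;
 // note the DNS details for the transaction stats.
 http->request->recordLookup(dns);
 // Is the NAT destination IP in DNS?
 if (ia && ia->have(clientConn->local)) {
 debugs(85, 3, "validate IP " << clientConn->local << " possible from Host:");
 http->request->flags.hostVerified = true;
 http->doCallouts();
 return;
 }
 debugs(85, 3, HERE << "FAIL: validate IP " << clientConn->local << " possible from Host:");
+ if (http->request->flags.intercepted || http->request->flags.interceptTproxy) {
+ if (!Config.onoff.interceptHostStrictVerify && http->request->method == Http::METHOD_CONNECT) {
+ debugs(85, 3, "Forcing Host verified for: " << clientConn->local << " possible from Host:" << http->request->effectiveRequestUri());
+ http->request->flags.hostVerified = true;
+ http->request->flags.cachable = false;
+ http->request->flags.hierarchical = false;
+ http->doCallouts();
+ return;
+ }
+ }
 hostHeaderVerifyFailed("local IP", "any domain IP");
 }
 void
 ClientRequestContext::hostHeaderVerifyFailed(const char *A, const char *B)
 {
 // IP address validation for Host: failed. Admin wants to ignore them.
 // NP: we do not yet handle CONNECT tunnels well, so ignore for them
 if (!Config.onoff.hostStrictVerify && http->request->method != Http::METHOD_CONNECT) {
 debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " << http->getConn()->clientConnection <<
 " (" << A << " does not match " << B << ") on URL: " << http->request->effectiveRequestUri());
 // NP: it is tempting to use 'flags.noCache' but that is all about READing cache data.
 // The problems here are about WRITE for new cache content, which means flags.cachable
 http->request->flags.cachable = false; // MUST NOT cache (for now)
 // XXX: when we have updated the cache key to base on raw-IP + URI this cacheable limit can go.
 http->request->flags.hierarchical = false; // MUST NOT pass to peers (for now)
 // XXX: when we have sorted out the best way to relay requests properly to peers this hierarchical limit can go.
 http->doCallouts();
 return;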
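Review bot: The new branch at `http->request->flags.hostVerified = true;` under `Forcing Host verified` marks a request as verified right after the `FAIL: validate IP` line recorded that verification did not succeed, which goes further than the existing lenient path in hostHeaderVerifyFailed, which only clears `cachable` and `hierarchical` and leaves hostVerified unset. A request passing through with hostVerified set presumably lets later processing treat its Host header as trustworthy, which is the condition this check exists to prevent; dropping that assignment (keeping the two flag clears and `doCallouts()`) would match the established lenient behaviour, and the branch should log with the same `SECURITY ALERT: Host header forgery detected` wording at the same level so the event stays visible in cache.log for CONNECT as it is for other methods. Because cf.data.pre sets `DEFAULT: off` for intercept_host_strict_verify, this branch is active out of the box and deserves a comment saying so. The `@@ -519,40 +519,50 @@` header counts 40 context lines but only 35 are shown, so the hunk as published may not apply cleanly; hostHeaderVerifyFailed continues past the end of the hunk.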
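--- a/src/SquidConfig.h
+++ b/src/SquidConfig.h
@@ -323,40 +323,41 @@
 int cache_miss_revalidate;
 int emailErrData;
 int httpd_suppress_version_string;
 int global_internal_static;
 int collapsed_forwarding;
 #if FOLLOW_X_FORWARDED_FOR
 int acl_uses_indirect_client;
 int delay_pool_uses_indirect_client;
 int log_uses_indirect_client;
 #if LINUX_NETFILTER
 int tproxy_uses_indirect_client;
 #endif
 #endif /* FOLLOW_X_FORWARDED_FOR */
 int WIN32_IpAddrChangeMonitor;
 int memory_cache_first;
 int memory_cache_disk;
 int hostStrictVerify;
 int client_dst_passthru;
+ int interceptHostStrictVerify;
 int dns_mdns;
 #if USE_OPENSSL
 bool logTlsServerHelloDetails;
 #endif
 } onoff;
 int64_t shared_transient_entries_limit;
 int pipeline_max_prefetch;
 int forward_max_tries;
 int connect_retries;
 class ACL *aclList;
 struct {
 acl_access *http;
 acl_access *adapted_http;
 acl_access *icp;
 acl_access *miss;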
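Review bot: `int interceptHostStrictVerify;` is inserted two fields below its sibling `int hostStrictVerify;` and carries no comment, although its default is off in cf.data.pre, meaning the relaxed handling of intercepted CONNECT requests is what an unconfigured Squid gets. Placing it directly after `hostStrictVerify` and annotating it, e.g. `int interceptHostStrictVerify; // off (default): relax Host verification for intercepted CONNECT; on: keep host_verify_strict handling`, keeps the two related toggles together and makes the default visible to readers of this struct. The `onoff` struct opens before the start of the hunk.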
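--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -2914,40 +2914,56 @@
 With NAT or TPROXY intercepted traffic Squid may pass the request
 directly to the original client destination IP or seek a faster
 source using the HTTP Host header.
 Using Host to locate alternative servers can provide faster
 connectivity with a range of failure recovery options.
 But can also lead to connectivity trouble when the client and
 server are attempting stateful interactions unaware of the proxy.
 This option (on by default) prevents alternative DNS entries being
 located to send intercepted traffic DIRECT to an origin server.
 The clients original destination IP and port will be used instead.
 Regardless of this option setting, when dealing with intercepted
 traffic Squid will verify the Host: header and any traffic which
 fails Host verification will be treated as if this option were ON.
 see host_verify_strict for details on the verification process.
 DOC_END
+NAME: intercept_host_strict_verify
+TYPE: onoff
+DEFAULT: off
+LOC: Config.onoff.interceptHostStrictVerify
+DOC_START
+ Disable host_verify_strict for NAT or TPROXY intercepted traffic.
+DOC_END
+
+NAME: intercept_host_strict_verify
+TYPE: onoff
+DEFAULT: off
+LOC: Config.onoff.interceptHostStrictVerify
+DOC_START
+ Disable host_verify_strict for NAT or TPROXY intercepted traffic.
+DOC_END
+
 COMMENT_START
 TLS OPTIONS
 -----------------------------------------------------------------------------
 COMMENT_END
 NAME: tls_outgoing_options
 IFDEF: USE_GNUTLS||USE_OPENSSL
 TYPE: securePeerOptions
 DEFAULT: min-version=1.0
 LOC: Security::ProxyOutgoingConfig
 DOC_START
 disable Do not support https:// URLs.
 cert=/path/to/client/certificate
 A client X.509 certificate to use when connecting.
 key=/path/to/client/private_key
 The private key corresponding to the cert= above.
 If key= is not specified cert= is assumed to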
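Review bot: The `NAME: intercept_host_strict_verify` directive is defined twice, verbatim, at the two `+NAME:` lines; the second copy should be dropped, since a duplicate entry presumably makes the config generator emit two parsers for the same option or reject the file. The one-line DOC_START text also reads backwards: with `DEFAULT: off` the relaxed handling in client_side_request.cc is active out of the box and setting the directive `on` is what restores strict verification, so "Disable host_verify_strict" describes the default rather than the effect of the option. The doc should state that the directive applies only to NAT/TPROXY intercepted CONNECT requests, that when off a request failing Host verification is still passed on (marked hostVerified, not cachable and not hierarchical), and that on keeps the host_verify_strict handling for those requests. The `@@ -2914,40 +2914,56 @@` counts do not match the 31 context lines shown, so the hunk may not apply as published.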