Header forgery detected


Header forgery detected

Darren Breeze-2

Hi All

I am trying to set up squid 3.5 (have to stick with this version) to intercept and https bump / splice. It's all working OK with the exception of some elements of an https site failing to load (the browser just shows "failed"). Matched with the failures, I see this type of message in the cache log.

2019/11/08 17:39:46 kid1| SECURITY ALERT: Host header forgery detected on local=23.213.186.14:443 remote=172.16.3.250:57041 FD 28 flags=33 (local IP does not match any domain IP)
2019/11/08 17:39:46 kid1| SECURITY ALERT: on URL: static1.squarespace.com:443

172.16.3.250 is the client's PC address.

Doing a lookup on the hostname returns

root@cbuild:~/build/ksn-boot/cmake-build-debug/bin# nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> static1.squarespace.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
static1.squarespace.com canonical name = prod.squarespace.map.fastly.net.
Name:   prod.squarespace.map.fastly.net
Address: 151.101.0.238
Name:   prod.squarespace.map.fastly.net
Address: 151.101.64.238
Name:   prod.squarespace.map.fastly.net
Address: 151.101.128.238
Name:   prod.squarespace.map.fastly.net
Address: 151.101.192.238

So the address is different and points to a CDN endpoint:

14.186.213.23.in-addr.arpa      name = a23-213-186-14.deploy.static.akamaitechnologies.com.


The host is ubuntu 18.04 and both squid and the client are using the DNS on the squid box. 

Can anyone please point me to where I need to start looking?

thanks in advance

Darren B.



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
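The check behind that alert is easy to reproduce for triage. The script below is an added example, not Squid's own code: it parses the two-line "SECURITY ALERT" pair from a constructed cache.log excerpt, then replays the condition the message describes (the original destination IP must be one of the addresses the proxy's own resolver returns for the Host domain) against a constructed resolver table holding the four Fastly addresses from the nslookup output above. The port comparison, the IP-literal case and all function names are assumptions of the example; the output tells you which client used which address for which host, which is exactly the client to go and inspect.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed resolver view: the four Fastly answers Squid's own DNS returned
# for the domain in the thread. A real check does a live lookup through the
# proxy's resolver; a dict keeps this example offline.
SQUID_RESOLVER = {
    "static1.squarespace.com": {
        "151.101.0.238", "151.101.64.238", "151.101.128.238", "151.101.192.238",
    },
}

# Constructed cache.log excerpt with the same shape as the alert pair above.
SAMPLE_LOG = """\
2019/11/08 17:39:46 kid1| SECURITY ALERT: Host header forgery detected on local=23.213.186.14:443 remote=172.16.3.250:57041 FD 28 flags=33 (local IP does not match any domain IP)
2019/11/08 17:39:46 kid1| SECURITY ALERT: on URL: static1.squarespace.com:443
"""

ALERT_RE = re.compile(
    r"Host header forgery detected on "
    r"local=(?P<local_ip>[\d.]+):(?P<local_port>\d+) "
    r"remote=(?P<remote_ip>[\d.]+):(?P<remote_port>\d+)"
)
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<url>\S+)")


@dataclass
class ForgeryAlert:
    local_ip: str      # original destination the client connected to
    local_port: int
    remote_ip: str     # the client; the place to start looking
    remote_port: int
    url_host: str      # host Squid took from the Host header / SNI
    url_port: int


def split_host_port(hostport, default_port):
    """Split 'host:port' (port optional) into (lowercased host, int port)."""
    if ":" in hostport:
        host, port = hostport.rsplit(":", 1)
        return host.lower(), int(port)
    return hostport.lower(), default_port


def parse_alerts(log_text):
    """Pair each 'forgery detected' line with the 'on URL' line that follows it."""
    alerts, pending = [], None
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            pending = m.groupdict()
            continue
        u = URL_RE.search(line)
        if u and pending is not None:
            host, port = split_host_port(u.group("url"), int(pending["local_port"]))
            alerts.append(ForgeryAlert(
                pending["local_ip"], int(pending["local_port"]),
                pending["remote_ip"], int(pending["remote_port"]), host, port))
            pending = None
    return alerts


def resolve_squid_view(host):
    """Stand-in for the proxy's DNS lookup (constructed table above)."""
    return SQUID_RESOLVER.get(host.lower(), set())


def destination_is_consistent(local_ip, local_port, host_header, resolve=resolve_squid_view):
    """Return (ok, reason): does the intercepted destination agree with the Host header?

    Mirrors the log message's condition: the original destination IP must be one
    of the addresses the proxy's resolver returns for the Host domain. The port
    comparison and the IP-literal branch are assumptions of this example.
    """
    host, port = split_host_port(host_header, local_port)
    if port != local_port:
        return False, f"port {port} in Host header does not match destination port {local_port}"
    try:
        ipaddress.ip_address(host)          # Host header is an IP literal
    except ValueError:
        pass
    else:
        ok = host == local_ip
        return ok, "ok" if ok else f"IP literal {host} does not match destination {local_ip}"
    addrs = resolve(host)
    if local_ip in addrs:
        return True, "ok"
    return False, f"local IP {local_ip} does not match any domain IP {sorted(addrs) or '(no answer)'}"


def triage(log_text, resolve=resolve_squid_view):
    """For each alert, report which client used which IP versus what the proxy resolves."""
    report = []
    for a in parse_alerts(log_text):
        ok, reason = destination_is_consistent(
            a.local_ip, a.local_port, f"{a.url_host}:{a.url_port}", resolve)
        report.append({"client": a.remote_ip, "host": a.url_host,
                       "client_used": a.local_ip,
                       "proxy_resolves": sorted(resolve(a.url_host)),
                       "consistent": ok, "reason": reason})
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

A consistent connection (client went to one of the addresses the proxy resolves, or to an IP literal it names in the Host header) passes; the thread's alert fails because 23.213.186.14 is not in the proxy's answer set at all, which is the signature of the client and the proxy consulting different resolvers.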

Re: Header forgery detected

Amos Jeffries
Administrator
On 9/11/19 6:53 am, Darren Breeze wrote:
>
>
> The host is ubuntu 18.04 and both squid and the client are using the DNS
> on the squid box.

Well, apparently not. Because the client thinks the domain is hosted
somewhere (Akamai) contrary to what the DNS records say (Fastly).

>
> Can anyone please point me where I need to start looking
>

Next step for me would be to start at the client end of things. Very
carefully to see where it is actually getting the IP address for that
domain from.


Amos

Re: Header forgery detected

Matus UHLAR - fantomas
In reply to this post by Darren Breeze-2
On 09.11.19 06:53, Darren Breeze wrote:
>I am trying to set up squid 3.5 (have to stick with this version)
why?

> to intercept and https bump / splice,
squid 3 has problems with bumping/splicing that are fixed in squid4...

> it's all working OK with the exception of some elements of a https site failing to load (the browser just shows "failed"). matched with the failures, I see this type of message in the cache log.
>
>2019/11/08 17:39:46 kid1| SECURITY ALERT: Host header forgery detected on local=23.213.186.14:443 remote=172.16.3.250:57041 FD 28 flags=33 (local IP does not match any domain IP)

seems you are trying to intercept by doing DNAT on remote machine, which
causes this problem.

https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery

you must use ip policy routing or WCCP when intercepting outside of the squid
machine:

https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Requirements_and_methods_for_Interception_Caching

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler

Re: Header forgery detected

Darren Breeze-2
In reply to this post by Amos Jeffries

Thank You Amos

There was a second DHCP service on that network handing out conflicting DNS data. Once that was stopped, everything worked as expected.



Darren B.
