Overwrite an URL containing an IP when it is requested with a custom Host header

classic Classic list List threaded Threaded
5 messages Options
jl
Reply | Threaded
Open this post in threaded view
|

Overwrite an URL containing an IP when it is requested with a custom Host header

jl
Hi,

It's possible to configure Squid to overwrite an URL containing an IP when
it is requested with a custom Host header passed by the client when the Host
header resolves to the IP in the URL?

For example for this:
curl -v -k -x IP:PORT http://34.201.191.134/headers -H "Host: httpbin.org"

to return:

"headers": {
  "Accept": "*/*",
  "Host": "httpbin.org",
  "User-Agent": "curl/7.58.0"
}

instead of:

"headers": {
  "Accept": "*/*",
  "Host": "34.201.191.134",
  "If-Modified-Since": "Wed, 16 Oct 2019 16:08:42 GMT",
  "User-Agent": "curl/7.58.0"
}

Or for this:
curl -v -k -x IP:PORT http://192.121.151.106/doc/search/ -H "Host:
erlang.org"

to return "HTTP/1.1 200 OK" instead of "HTTP/1.1 404 Not Found"

Thanks.



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Overwrite an URL containing an IP when it is requested with a custom Host header

Alex Rousskov
On 10/16/19 1:12 PM, jl wrote:

> It's possible to configure Squid to overwrite an URL containing an IP when
> it is requested with a custom Host header passed by the client when the Host
> header resolves to the IP in the URL?

You can probably accomplish the above using a URL rewriting helper or an
adaptation service. Those things can receive requested headers, do DNS
lookups, and rewrite URLs as needed.

If the IP and host values can be hard-coded into Squid configuration,
then it might be possible to accomplish what you want using Squid
configuration alone (e.g., via a dedicated cache_peer originserver
setting), but I am not sure.

Alex.


> For example for this:
> curl -v -k -x IP:PORT http://34.201.191.134/headers -H "Host: httpbin.org"
>
> to return:
>
> "headers": {
>   "Accept": "*/*",
>   "Host": "httpbin.org",
>   "User-Agent": "curl/7.58.0"
> }
>
> instead of:
>
> "headers": {
>   "Accept": "*/*",
>   "Host": "34.201.191.134",
>   "If-Modified-Since": "Wed, 16 Oct 2019 16:08:42 GMT",
>   "User-Agent": "curl/7.58.0"
> }
>
> Or for this:
> curl -v -k -x IP:PORT http://192.121.151.106/doc/search/ -H "Host:
> erlang.org"
>
> to return "HTTP/1.1 200 OK" instead of "HTTP/1.1 404 Not Found"
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Overwrite an URL containing an IP when it is requested with a custom Host header

Amos Jeffries
Administrator
On 17/10/19 7:20 am, Alex Rousskov wrote:

> On 10/16/19 1:12 PM, jl wrote:
>
>> It's possible to configure Squid to overwrite an URL containing an IP when
>> it is requested with a custom Host header passed by the client when the Host
>> header resolves to the IP in the URL?
>
> You can probably accomplish the above using a URL rewriting helper or an
> adaptation service. Those things can receive requested headers, do DNS
> lookups, and rewrite URLs as needed.
>
> If the IP and host values can be hard-coded into Squid configuration,
> then it might be possible to accomplish what you want using Squid
> configuration alone (e.g., via a dedicated cache_peer originserver
> setting), but I am not sure.
>
> Alex.
>
>
>> For example for this:
>> curl -v -k -x IP:PORT http://34.201.191.134/headers -H "Host: httpbin.org"
>>
>> to return:
>>
>> "headers": {
>>   "Accept": "*/*",
>>   "Host": "httpbin.org",
>>   "User-Agent": "curl/7.58.0"
>> }
>>
>> instead of:
>>
>> "headers": {
>>   "Accept": "*/*",
>>   "Host": "34.201.191.134",
>>   "If-Modified-Since": "Wed, 16 Oct 2019 16:08:42 GMT",
>>   "User-Agent": "curl/7.58.0"
>> }

Please be aware that a client sending that combination of absolute-URL
and mismatching Host header is one of three things:

 1) a malware attack

 2) broken client software

 3) a proxy attempting to avoid producing errors while still protecting
against the above. eg interception proxy receiving suspected
CVE-2009-0801 attack traffic.


>>
>> Or for this:
>> curl -v -k -x IP:PORT http://192.121.151.106/doc/search/ -H "Host:
>> erlang.org"
>>
>> to return "HTTP/1.1 200 OK" instead of "HTTP/1.1 404 Not Found"

That one is not a good idea. The origin server is producing that 404,
nothing to do with Squid.


Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
jl
Reply | Threaded
Open this post in threaded view
|

Re: Overwrite an URL containing an IP when it is requested with a custom Host header

jl
Thanks both for your replies.

>>> Or for this:
>>> curl -v -k -x IP:PORT http://192.121.151.106/doc/search/ -H "Host:
>>> erlang.org"
>>>
>>> to return "HTTP/1.1 200 OK" instead of "HTTP/1.1 404 Not Found" >

>That one is not a good idea. The origin server is producing that 404,
>nothing to do with Squid.

But in this case the Host header resolves to the IP in the URL and if we
simply do `curl -v -k -x IP:PORT http://erlang.org/doc/search/` it returns a
"HTTP/1.1 200 OK". Shouldn't be possible for Squid to use the Host header
instead of the IP in such cases and not rewriting the Host header with the
IP? Or such behavior would go against the RFC 7230 (HTTP/1.1):

   When a proxy receives a request with an absolute-form of
   request-target, the proxy MUST ignore the received Host header field
   (if any) and instead replace it with the host information of the
   request-target.  A proxy that forwards such a request MUST generate a
   new Host field-value based on the received request-target rather than
   forward the received Host field-value

?

Thanks.



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Overwrite an URL containing an IP when it is requested with a custom Host header

Amos Jeffries
Administrator
On 17/10/19 11:33 pm, jl wrote:

> Thanks both for your replies.
>
>>>> Or for this:
>>>> curl -v -k -x IP:PORT http://192.121.151.106/doc/search/ -H "Host:
>>>> erlang.org"
>>>>
>>>> to return "HTTP/1.1 200 OK" instead of "HTTP/1.1 404 Not Found" >
>
>> That one is not a good idea. The origin server is producing that 404,
>> nothing to do with Squid.
>
> But in this case the Host header resolves to the IP in the URL and if we
> simply do `curl -v -k -x IP:PORT http://erlang.org/doc/search/` it returns a
> "HTTP/1.1 200 OK". Shouldn't be possible for Squid to use the Host header
> instead of the IP in such cases and not rewriting the Host header with the
> IP? Or such behavior would go against the RFC 7230 (HTTP/1.1):
>
>    When a proxy receives a request with an absolute-form of
>    request-target, the proxy MUST ignore the received Host header field
>    (if any) and instead replace it with the host information of the
>    request-target.  A proxy that forwards such a request MUST generate a
>    new Host field-value based on the received request-target rather than
>    forward the received Host field-value
>
> ?

It leads to issues like this one:
 <http://www.squid-cache.org/Advisories/SQUID-2011_1.txt>
(but in a way that does not require interception to trigger.)

side-effects of those type of vulnerability are cache injection, network
hijacking, cross-site scripting, the cited same-origin bypass, and the
source of the problems being granted anonymity.

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users