SECURITY ALERT: Host header forgery detected


SECURITY ALERT: Host header forgery detected

Martin Hanson
So I finally got the whitelist working, but now every other box on the "localnet", when trying to access the whitelist, gets a:

2018/05/14 07:40:18 kid1| SECURITY ALERT: on URL: www.ubuntu.com:443
2018/05/14 07:40:18 kid1| SECURITY ALERT: Host header forgery detected on local=91.189.89.118:443 remote=192.168.1.4:43354 FD 23 flags=33 (local IP does not match any domain IP)

The config file as before:

<SNIP>
max_filedesc 4096

acl step1 at_step SslBump1

acl localnet src 192.168.1.0/24

# These boxes may ONLY access the whitelist.
acl windows_boxes src 192.168.1.201 192.168.1.202

acl whitelist ssl::server_name .mojang.com .minecraft.net d2pi0bc9ewx28h.cloudfront.net mcupdate.tumblr.com minecraft-textures-1196058387.us-east-1.elb.amazonaws.com .steampowered.com .steamcommunity.com .steamgames.com .steamusercontent.com .steamcontent.com .steamstatic.com .akamaihd.net .launchpad.net .streamlabs.com .ubuntu.com

# We don't want these to be cached.
store_miss deny whitelist

# Don't let SquidGuard do anything with the whitelisted domains.
url_rewrite_access deny whitelist

# We only redirect HTTP and HTTPS.
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# We need this for the whitelist for the windows boxes because
# requests are blocked during SslBump step1 because there is not
# enough information in the fake CONNECT request for ssl::server_name
# to match domains in the whitelist.
http_access allow CONNECT step1

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Windows boxes are only allowed access to the whitelist.
http_access allow windows_boxes whitelist
http_access deny windows_boxes

http_access allow localhost
http_access allow localnet

http_access deny all

# We'll intercept traffic using PF from clan.
http_port 127.0.0.1:3129 intercept
https_port 127.0.0.1:3130 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslproxy_cafile /usr/local/openssl/cabundle.file

# Become a TCP tunnel without decrypting proxied traffic for the whitelist.
ssl_bump splice whitelist
ssl_bump peek step1 all
ssl_bump bump all

# We want the query strings as well.
strip_query_terms off

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

redirect_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf
</SNIP>

What am I missing now?

Kind regards.

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: SOLVED - SECURITY ALERT: Host header forgery detected

Martin Hanson
> So I finally got the whitelist working, but now every other box on the "localnet", when trying to access the whitelist, gets a:
>
> 2018/05/14 07:40:18 kid1| SECURITY ALERT: on URL: www.ubuntu.com:443
> 2018/05/14 07:40:18 kid1| SECURITY ALERT: Host header forgery detected on local=91.189.89.118:443 remote=192.168.1.4:43354 FD 23 flags=33 (local IP does not match any domain IP)

I made a mistake...

".. ensure that the DNS servers Squid uses are the same as those used by the client(s)"

Fixed.

Kind regards.

Re: SOLVED - SECURITY ALERT: Host header forgery detected

Eliezer Croitoru
Hey Martin,

Technically there should be a way to inform Squid-Cache about multiple addresses for the same destination.
If Squid doesn't know that it's a real IP of the domains, a partial solution is to use the same DNS service, but it can also be something else.
For example, there should be a way/option for Squid to decide if this address of the client or server is secured.

Amos what do you think?
Can a Host header forgery detection override acl be added? Should it be added?
I believe that if there are some properties of the remote certificate we can flag the service as "Secure".
IE if the OS runs "openssl s_client -host www.ubuntu.com -connect 91.189.89.118:443"
and the certificate is fine, then there is no place for any SECURITY ALERT.

I believe that a simple ACL addition which will depend on an external acl helper could be a good option.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


-----Original Message-----
From: squid-users <[hidden email]> On Behalf Of Martin Hanson
Sent: Monday, May 14, 2018 09:00
To: [hidden email]
Subject: Re: [squid-users] SOLVED - SECURITY ALERT: Host header forgery detected

Re: SOLVED - SECURITY ALERT: Host header forgery detected

Amos Jeffries
Administrator
On 16/05/18 02:02, Eliezer Croitoru wrote:

> Hey Martin,
>
> Technically there should be a way to inform Squid-Cache about multiple addresses for the same destination.
> If Squid doesn't know that it's a real IP of the domains a partial solution is to use the same DNS service but it can also be something else.
> For example there should be a way\option for squid to decide if this address of the client or server is secured.
>
> Amos what do you think?
> Can a Host header forgery detection override acl be added? Should it be added?
> I believe that if there are some properties of the remote certificate we can flag the service as "Secure".
> IE if the OS runs "openssl s_client -host www.ubuntu.com -connect 91.189.89.118:443"
> and the certificate is fine, then there is no place for any SECURITY ALERT.

A malicious actor would simply forward the TLS handshake to the real
server they are spoofing. Same way Squid does for SSL-Bump.

The counter argument of not sending SNI to that suspicious server will
have failures with these exact same mega-corp services. Think
foo.example.com hosted on Google hosting where the generic server cert
is "foo.1e1.net", not "foo.example.com", nor even "google.com".


The "problem" that needs to be resolved is simply that the genuine
servers do not have a reliable match between their IP and client
presented domain name(s).

Amos
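What Amos describes above can be made concrete with a small model. The block below is an added illustration for this thread, not code from the Squid project. It parses the paired cache.log lines Squid writes for this alert (the two lines from the original post, plus one constructed pair) and models the check Squid applies to intercepted traffic: the original destination IP of the intercepted connection must appear among the proxy's own DNS answers for the name the client presented (SNI for TLS, Host header for plain HTTP). The resolver tables are constructed; 91.189.89.118 is the address from the log, and the 198.51.100.x addresses are documentation-range placeholders standing in for other answers a CDN or round-robin name might return. The function names are mine.

```python
"""Triage and model of Squid's "Host header forgery detected" alert.

Added example (not Squid's own code). Two pieces:
  1. parse_alerts(): turns the paired cache.log lines into records so a
     defender can see which clients and destination IPs are involved.
  2. forgery_check(): models Squid's test for intercepted connections:
     the destination IP must be one the proxy itself resolves the name to.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Line 1 of the pair: "... SECURITY ALERT: on URL: www.ubuntu.com:443"
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<host>[^\s:]+):(?P<port>\d+)")
# Line 2 of the pair: "... Host header forgery detected on local=A:P remote=B:Q ..."
FORGERY_RE = re.compile(
    r"SECURITY ALERT: Host header forgery detected on "
    r"local=(?P<local_ip>[\d.]+):(?P<local_port>\d+) "
    r"remote=(?P<remote_ip>[\d.]+):(?P<remote_port>\d+)"
)


@dataclass(frozen=True)
class ForgeryAlert:
    host: str         # name the client presented (SNI / Host header)
    local_ip: str     # original destination IP of the intercepted connection
    local_port: int
    remote_ip: str    # the client that was intercepted
    remote_port: int


def parse_alerts(lines: List[str]) -> List[ForgeryAlert]:
    """Pair each 'on URL:' line with the 'forgery detected' line that follows it."""
    alerts: List[ForgeryAlert] = []
    pending_host: Optional[str] = None
    for line in lines:
        m = URL_RE.search(line)
        if m:
            pending_host = m.group("host")
            continue
        m = FORGERY_RE.search(line)
        if m and pending_host is not None:
            alerts.append(ForgeryAlert(
                host=pending_host,
                local_ip=m.group("local_ip"), local_port=int(m.group("local_port")),
                remote_ip=m.group("remote_ip"), remote_port=int(m.group("remote_port")),
            ))
            pending_host = None
    return alerts


def forgery_check(host: str, local_ip: str, proxy_dns: Dict[str, Set[str]]) -> bool:
    """Model of Squid's test: True when the destination IP is among the
    proxy's own DNS answers for the presented name, False => SECURITY ALERT."""
    return local_ip in proxy_dns.get(host, set())


# Constructed resolver views (hypothetical). The client's resolver handed out
# 91.189.89.118; a different resolver used by the proxy hands out other members
# of the same CDN pool, so the genuine destination looks forged to the proxy.
CLIENT_DNS: Dict[str, Set[str]] = {"www.ubuntu.com": {"91.189.89.118", "198.51.100.7"}}
PROXY_DNS_OTHER: Dict[str, Set[str]] = {"www.ubuntu.com": {"198.51.100.7", "198.51.100.8"}}

# The two lines from the original post, followed by one constructed pair
# (timestamp, second client 192.168.1.9 and destination 198.51.100.8 are made up).
SAMPLE_LOG = [
    "2018/05/14 07:40:18 kid1| SECURITY ALERT: on URL: www.ubuntu.com:443",
    "2018/05/14 07:40:18 kid1| SECURITY ALERT: Host header forgery detected on "
    "local=91.189.89.118:443 remote=192.168.1.4:43354 FD 23 flags=33 "
    "(local IP does not match any domain IP)",
    "2018/05/14 07:41:02 kid1| SECURITY ALERT: on URL: www.ubuntu.com:443",
    "2018/05/14 07:41:02 kid1| SECURITY ALERT: Host header forgery detected on "
    "local=198.51.100.8:443 remote=192.168.1.9:50122 FD 27 flags=33 "
    "(local IP does not match any domain IP)",
]


def verdicts(lines: List[str], proxy_dns: Dict[str, Set[str]]) -> Dict[str, bool]:
    """Map 'client -> host@destination' to whether the given resolver view accepts it."""
    return {
        f"{a.remote_ip} -> {a.host}@{a.local_ip}": forgery_check(a.host, a.local_ip, proxy_dns)
        for a in parse_alerts(lines)
    }


if __name__ == "__main__":
    # Same destinations, judged by a resolver that differs from the client's
    # versus one that matches it (the fix Martin applied).
    for label, view in (("different resolver", PROXY_DNS_OTHER), ("shared resolver", CLIENT_DNS)):
        for key, ok in verdicts(SAMPLE_LOG, view).items():
            print(f"[{label}] {key}: {'ok' if ok else 'SECURITY ALERT'}")
```

Run as a script it prints one verdict per alert under each resolver view: with the divergent resolver the first connection (the one from the post) is flagged while the constructed second one passes, and with the shared resolver the first passes. That is the pattern to look for when triaging these alerts: if the flagged destination IPs are legitimate members of the service's address pool from the client's point of view, the proxy and the clients are resolving names differently, which is the situation Amos describes rather than an actual spoofing attempt.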

Re: SOLVED - SECURITY ALERT: Host header forgery detected

Eliezer Croitoru
Amos,

And this issue is kind of big/mega corp services or CDN services.
Now I am really not sure I understand what this security host forgery is about.
There are a couple of cases:
- Simple forward proxy with ssl-bump, where no header forgery should ever happen when the client requests a specific domain and not an IP
- Intercept proxy with ssl-bump enabled that has no SNI host
- Intercept proxy with ssl-bump enabled that has SNI and Squid passes the client's SNI host

Which one of the above is this specific case?
And if there are other cases it's good to list them and I will try to wiki these details.

Thanks,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



-----Original Message-----
From: squid-users <[hidden email]> On Behalf Of Amos Jeffries
Sent: Tuesday, May 15, 2018 21:28
To: [hidden email]
Subject: Re: [squid-users] SOLVED - SECURITY ALERT: Host header forgery detected