Squid proxy will forward message with 'alternating host header' but logs another?


Mark Bergman
Can I stop Squid from 'repairing' Host headers?
I've been all over this for hours; I can only lead this back to this change in 1999:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=50292

I want this sample code to do through Squid what it would do without a proxy at all, and I want Squid to log the Host header set by the sample code.

```
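import requests

# Squid proxy under test
proxies = {'http': 'http://10.0.0.4:8080'}
# Host deliberately differs from the URL's host; "Tester" is a marker header
headers = {"Host": "someevilhost.appspot.com", "Tester": "xychix"}

s = requests.Session()
# Send the request through the proxy (drop this line to compare with a direct request)
s.proxies = proxies
r = s.get('http://www.google.com/', headers=headers)

print(r.status_code)
print(r.text[:80])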
```

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid proxy will forward message with 'alternating host header' but logs another?

Amos Jeffries
Administrator
On 31/10/19 8:48 pm, Mark Bergman wrote:
> Can i stop squid from 'repairing' host headers?

Yes.

For context:

RFC 7230 :

"If the target URI includes an authority component, then a
   client MUST send a field-value for Host that is identical to that
   authority component"

"A server MUST respond with a 400 (Bad Request) status code to any
   HTTP/1.1 request message that ... contains ... a
   Host header field with an invalid field-value."


When the host_verify_strict directive is set to "on" then Squid will
produce a 4XX status code to any traffic received with invalid Host
headers. A Host header that conflicts with info in the URL is always
invalid.

Amos

Re: Squid proxy will forward message with 'alternating host header' but logs another?

Mark Bergman
Re-included the list for completeness and archiving.

We're building a setup where I want to be able to find domain fronting [https://en.wikipedia.org/wiki/Domain_fronting] attempts in the logs.

Used test script:
```
import requests
proxies = {'http': 'http://10.0.0.4:8080',}
headers = {"Host":"someevilhost.appspot.com","Orig-Host":"someevilhost.appspot.com"}
s = requests.Session()
s.proxies = proxies
r = s.get('http://www.google.com/',headers=headers)
print(r.status_code)
print(r.text[:80])
```

My log lines keep showing www.google.com in the Host header regardless of how I set my config. Current config (as added in my pfSense setup):

```
host_verify_strict on
strip_query_terms off
client_dst_passthru off
logformat combined2 %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh "%>h"
access_log tcp://10.1.2.15:1025 combined2
#access_log /var/squid/logs/combined2
```

Example log line:

```
10.1.2.15 - - [31/Oct/2019:11:42:53 +0000] "GET http://www.google.com/ HTTP/1.1" 200 6261 "-" "python-requests/2.9.1" TCP_MISS:HIER_DIRECT "User-Agent: python-requests/2.9.1\r\nAccept: */*\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nOrig-Host: someevilhost.appspot.com\r\nHost: www.google.com\r\n"
```

I'm looking for a way to have Squid log the original request; whatever it does after that is less important for this particular test (/dev/null or out to the internet, both are OK for me as long as 'RFC compliant' traffic from the web browser does get out and logged).

regards,

Mark

On Thu, Oct 31, 2019 at 12:35 PM Mark Bergman <[hidden email]> wrote:
OK, so there is no way I can have Squid act as most other corporate proxies (just forward the request without manipulation)?
We are building a setup where we want people to recognise domain fronting from logs.
https://en.wikipedia.org/wiki/Domain_fronting

But as I understand now, this technique would never work through a Squid proxy (if SSL inspection is enabled). Wonder then if there had never been complaints from Signal (messaging app) users, as they relied on this technology for years :)
We might have to switch to a less RFC compliant proxy for that.

Any help and suggestions are really appreciated.

Regards,

Mark / xychix


On Thu, Oct 31, 2019 at 10:04 AM Amos Jeffries <[hidden email]> wrote:
On 31/10/19 8:48 pm, Mark Bergman wrote:
> Can i stop squid from 'repairing' host headers?

Yes.

For context:

RFC 7230 :

"If the target URI includes an authority component, then a
   client MUST send a field-value for Host that is identical to that
   authority component"

"A server MUST respond with a 400 (Bad Request) status code to any
   HTTP/1.1 request message that ... contains ... a
   Host header field with an invalid field-value."


When the host_verify_strict directive is set to "on" then Squid will
produce a 4XX status code to any traffic received with invalid Host
headers. A Host header that conflicts with info in the URL is always
invalid.

Amos

Re: Squid proxy will forward message with 'alternating host header' but logs another?

Alex Rousskov
On 10/31/19 7:48 AM, Mark Bergman wrote:
>     logformat combined2 ... %ru ... "%>h"

> example log line:

>     ... http://www.google.com/ ... "...Orig-Host:
>     someevilhost.appspot.com\r\nHost:
>     www.google.com\r\n" 


> I'm looking for a  way to have Squid log the original request

You are already doing the right thing. Squid promises that "%>h" is the
received request header [before any adaptations, including the Host
header rewrites]. There is a bug in Squid that breaks that documentation
promise and makes it impossible to log what you want without changing
Squid code. Quality pull requests fixing that bug (or their sponsorship)
are welcomed.


HTH,

Alex.
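
The log check this thread is after, as an added example (not code from any poster or from the Squid project): it parses lines in the combined2 format quoted above and compares the host in %ru with the Host field inside %>h. PAGE_LINE is the log line from the thread; CONSTRUCTED_LINE is made up here to show an entry in which %>h carries the Host header as received, and the function names are illustrative.

```python
import re
from urllib.parse import urlsplit

# Matches the thread's "combined2" logformat; the last quoted field is %>h.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" \S+ "(?P<headers>.*)"\s*$'
)

# Log line quoted in the thread (Host already shows the URL's host).
PAGE_LINE = (
    r'10.1.2.15 - - [31/Oct/2019:11:42:53 +0000] '
    r'"GET http://www.google.com/ HTTP/1.1" 200 6261 "-" '
    r'"python-requests/2.9.1" TCP_MISS:HIER_DIRECT '
    r'"User-Agent: python-requests/2.9.1\r\nAccept: */*\r\n'
    r'Connection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\n'
    r'Orig-Host: someevilhost.appspot.com\r\nHost: www.google.com\r\n" '
)
# Constructed line: the same request if %>h held the Host header as received.
CONSTRUCTED_LINE = PAGE_LINE.replace(
    r'\r\nHost: www.google.com', r'\r\nHost: someevilhost.appspot.com')

def hostname(authority):
    """Lower-cased host from 'host', 'host:port' or an absolute URL."""
    if "://" not in authority:
        authority = "//" + authority
    return (urlsplit(authority).hostname or "").rstrip(".")

def check_line(line):
    """Return (verdict, url_host, host_header_values) for one log line."""
    m = LINE_RE.match(line)
    if not m:
        return ("unparsed", None, [])
    url_host = hostname(m["url"])
    # Squid writes header line breaks as the literal characters \r\n.
    fields = (f.partition(":") for f in m["headers"].split(r"\r\n"))
    hosts = [v.strip() for n, sep, v in fields if sep and n.strip().lower() == "host"]
    if not hosts:
        verdict = "no-host-header"
    elif len(hosts) > 1 or hostname(hosts[0]) != url_host:
        verdict = "host-mismatch"
    else:
        verdict = "consistent"
    return (verdict, url_host, hosts)

if __name__ == "__main__":
    for sample in (PAGE_LINE, CONSTRUCTED_LINE):
        print(check_line(sample))
```

The thread's own log line classifies as consistent, which is the effect of the logging bug described in the reply above: on a Squid build with that bug the mismatch never reaches the log, so this check only becomes useful once %>h records the received header.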