"intercepted port does not match 443"


"intercepted port does not match 443"

Matus UHLAR - fantomas
Hello,

we have intercepting squid on one router and these messages started to appear
sometimes:

2020/05/11 13:41:23 kid1| SECURITY ALERT: Host header forgery detected on local=[XXX]:80 remote=192.168.1.224:1040 FD 69 flags=33 (intercepted port does not match 443)
2020/05/11 13:41:23 kid1| SECURITY ALERT: By user agent: Microsoft BITS/6.7
2020/05/11 13:41:23 kid1| SECURITY ALERT: on URL: armmf.adobe.com:443
2020/05/11 13:41:23 kid1| kick abandoning local=[XXX]:80 remote=192.168.1.224:1040 FD 69 flags=33

I am aware of possible interception issues but what exactly does this
message mean?  The original destination port is 80, why does squid complain
about it not being port 443?

the iptables rules:

Chain PREROUTING (policy ACCEPT 1759K packets, 217M bytes)
 pkts bytes target     prot opt in     out     source               destination
37068 1966K REDIRECT   tcp  --  lan0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8888

thanks.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Windows 2000: 640 MB ought to be enough for anybody
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: "intercepted port does not match 443"

Amos Jeffries
Administrator
On 12/05/20 1:01 am, Matus UHLAR - fantomas wrote:

> Hello,
>
> we have intercepting squid on one router and these messages started to appear
> sometimes:
>
> 2020/05/11 13:41:23 kid1| SECURITY ALERT: Host header forgery detected
> on local=[XXX]:80 remote=192.168.1.224:1040 FD 69 flags=33 (intercepted
> port does not match 443)
> 2020/05/11 13:41:23 kid1| SECURITY ALERT: By user agent: Microsoft BITS/6.7
> 2020/05/11 13:41:23 kid1| SECURITY ALERT: on URL: armmf.adobe.com:443
> 2020/05/11 13:41:23 kid1| kick abandoning local=[XXX]:80
> remote=192.168.1.224:1040 FD 69 flags=33
>
> I am aware of possible interception issues but what exactly does this
> message mean?  The original destination port is 80, why does squid complain
> about it not being port 443?

The HTTP Host header says the client was connecting to a server on port
443. Yet the TCP packets came, as you say, from port 80.


Amos
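The check Amos describes, written out as an added example (this is not Squid's own code, and the names below are hypothetical): on an intercepted connection, the port and address the TCP connection was really going to are compared with what the HTTP Host header claims. If the Host header carries a port that differs from the intercepted one, the connection is rejected with exactly the wording seen in the thread; otherwise the host name must resolve to the intercepted destination IP. The `resolver` mapping stands in for DNS so the code runs offline, and the cache.log sample is constructed from the lines in the thread with `192.0.2.10` in place of the redacted `[XXX]` address. A small parser groups the three SECURITY ALERT lines Squid writes per event into one record so the check can be re-run from a log.

```python
import ipaddress
import re
from typing import Dict, List, Mapping, Optional, Sequence, Tuple


def split_host_header(value: str, default_port: int) -> Tuple[str, int]:
    """Split a Host header into (host, port); accepts 'name', 'name:port',
    '[v6-literal]' and '[v6-literal]:port'. No port means the intercepted port."""
    value = value.strip()
    if value.startswith("["):                       # bracketed IPv6 literal
        end = value.find("]")
        if end < 0:
            raise ValueError(f"unterminated IPv6 literal in Host: {value!r}")
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, rest = value.partition(":")
        rest = sep + rest
        if ":" in rest[1:]:                         # bare v6 literal is not valid here
            raise ValueError(f"malformed Host header: {value!r}")
    if rest == "":
        return host, default_port
    if not (rest.startswith(":") and rest[1:].isdigit()):
        raise ValueError(f"malformed port in Host header: {value!r}")
    return host, int(rest[1:])


def check_intercepted_host(intercepted_ip: str, intercepted_port: int,
                           host_header: str,
                           resolver: Mapping[str, Sequence[str]]) -> Optional[str]:
    """None when the Host header agrees with the intercepted TCP destination,
    otherwise a short reason. `resolver` (name -> addresses) stands in for DNS."""
    host, port = split_host_header(host_header, intercepted_port)
    if port != intercepted_port:                    # the case seen in the thread
        return f"intercepted port does not match {port}"
    dst = ipaddress.ip_address(intercepted_ip)
    try:
        literal = ipaddress.ip_address(host)        # Host may be an IP literal
    except ValueError:
        literal = None
    if literal is not None:
        return None if literal == dst else f"intercepted IP does not match {literal}"
    addrs = {ipaddress.ip_address(a) for a in resolver.get(host.lower(), ())}
    if dst not in addrs:
        return f"{host} does not resolve to intercepted IP {dst}"
    return None


# cache.log parsing: Squid prints v4 as a.b.c.d:port and v6 as [v6]:port
_ADDR = r"(?:\[(?P<{n}6>[^\]]+)\]|(?P<{n}4>[^:\s]+)):(?P<{n}port>\d+)"
_DETECT_RE = re.compile(
    r"SECURITY ALERT: Host header forgery detected on local="
    + _ADDR.format(n="l") + r" remote=" + _ADDR.format(n="r")
    + r" .*\((?P<reason>[^)]*)\)$")
_UA_RE = re.compile(r"SECURITY ALERT: By user agent: (?P<ua>.*)$")
_URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<url>\S+)$")


def parse_forgery_alerts(lines: Sequence[str]) -> List[Dict[str, object]]:
    """Group the three SECURITY ALERT lines of one event into a single record."""
    events: List[Dict[str, object]] = []
    for line in lines:
        m = _DETECT_RE.search(line)
        if m:
            events.append({"local_ip": m.group("l6") or m.group("l4"),
                           "local_port": int(m.group("lport")),
                           "remote_ip": m.group("r6") or m.group("r4"),
                           "remote_port": int(m.group("rport")),
                           "reason": m.group("reason"),
                           "user_agent": None, "url": None})
            continue
        if not events:
            continue
        m = _UA_RE.search(line)
        if m:
            events[-1]["user_agent"] = m.group("ua")
            continue
        m = _URL_RE.search(line)
        if m:
            events[-1]["url"] = m.group("url")
    return events


def recheck_event(event: Dict[str, object],
                  resolver: Mapping[str, Sequence[str]]) -> Optional[str]:
    """Re-run the check from a parsed event, using the logged URL as the Host."""
    return check_intercepted_host(str(event["local_ip"]), int(event["local_port"]),  # type: ignore[arg-type]
                                  str(event["url"]), resolver)


# Constructed sample: the thread's lines with 192.0.2.10 standing in for [XXX].
SAMPLE_LOG = [
    "2020/05/11 13:41:23 kid1| SECURITY ALERT: Host header forgery detected on "
    "local=192.0.2.10:80 remote=192.168.1.224:1040 FD 69 flags=33 "
    "(intercepted port does not match 443)",
    "2020/05/11 13:41:23 kid1| SECURITY ALERT: By user agent: Microsoft BITS/6.7",
    "2020/05/11 13:41:23 kid1| SECURITY ALERT: on URL: armmf.adobe.com:443",
    "2020/05/11 13:41:23 kid1| kick abandoning local=192.0.2.10:80 remote=192.168.1.224:1040 FD 69 flags=33",
]
SAMPLE_DNS = {"armmf.adobe.com": ["192.0.2.10"]}   # constructed stand-in for DNS

if __name__ == "__main__":
    for ev in parse_forgery_alerts(SAMPLE_LOG):
        print(ev["remote_ip"], ev["user_agent"], ev["url"], "->", recheck_event(ev, SAMPLE_DNS))
```

Running the sample reproduces the thread's verdict: the TCP connection was intercepted on port 80, the Host header names port 443, so the check fails on the port comparison before any DNS lookup is attempted. The same function returns None for a request whose Host matches the intercepted port and whose name resolves to the intercepted address, which is the condition Squid needs before it will forward an intercepted request.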