[squid-users] host header forgery check in docker environment
Hello,

I am hitting this issue when running squid in a docker with ssl parent cache_peer.

Host header forgery detected on local=11 72.19.0.2:443 remote=172.19.0.1:44522 FD 15 flags=33 (local IP does not match any domain IP)

The host ip of the docker would not resolve to a domain. How to work around this problem?

- Kedar

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] host header forgery check in docker environment
Hi Amos,

Here is the topology:

client (curl from host running docker) --> squid_child (docker, using ssl-bump with intercept) --> squid_parent (VM with internet connection, https_port without ssl-bump) --> origin server

local - 72.19.0.2:443 is the container running squid child
remote - 172.19.0.1:44522 is the host machine where the containers are running; I am using curl to do initial tests. Eventually, requests would come from other containers or external hosts on the docker daemon host.

With http traffic this works fine: the request is forwarded to the parent and then to the origin server. However, with https the header forgery check kicks in and tls is terminated.

- Kedar

On Mon, Jun 18, 2018 at 9:44 AM Amos Jeffries wrote:
> On 18/06/18 02:08, Kedar K wrote:
> > Hello,
> >
> > I am hitting this issue when running squid in a docker with ssl parent
> > cache_peer.
>
> Can you describe that a bit clearer please? An end-client, two proxies
> and origin server makes four HTTP agents involved with this traffic.
>
> Which of those proxies (and/or server) is inside the container?
>
> And how are you getting the traffic from the client to the first proxy?
>
> > Host header forgery detected on local=11 72.19.0.2:443
> > remote=172.19.0.1:44522
> > FD 15 flags=33 (local IP does not match any domain IP)
> >
> > The host ip of the docker would not resolve to a domain. How to
> > work-around this problem?
>
> The agent being client for the proxy reporting this message apparently
> thinks there is an origin server running at "72.19.0.2:443" hosting some
> domain name. They are trying to contact that origin server.
>
> Amos

--
- Kedar Kekan
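To make the check Amos describes concrete, here is an added model of Squid's Host-header forgery test for intercepted traffic (example code written for this page, not Squid's own implementation, which additionally pins a flagged request to its original destination and does not cache the reply). The DNS table and the resolver are constructed; the second call reproduces the Docker situation from the thread, where the intercepted destination is a container address that no domain resolves to.

```python
# Added example, not Squid's code: model of the Host-header forgery check
# Squid applies to intercepted (NAT/TPROXY) connections.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable, Dict, List

# Constructed DNS view: the IPs each name resolves to, as seen by the proxy.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "example.com": ["93.184.216.34", "2606:2800:220:1:248:1893:25c8:1946"],
}

@dataclass
class Verdict:
    ok: bool
    reason: str

def host_header_check(local_ip: str, host_header: str,
                      resolve: Callable[[str], List[str]]) -> Verdict:
    """Compare the intercepted destination (Squid's 'local=' address) with
    the IPs the Host header names. Handles 'host' or 'host:port' forms with
    IPv4 literals or domain names (bracketed IPv6 literals are not parsed)."""
    name = host_header.split(":")[0].lower()
    try:
        # Host carries an IP literal: it must equal the destination exactly.
        if ip_address(name) == ip_address(local_ip):
            return Verdict(True, "host header is the destination IP literal")
        return Verdict(False, "IP literal in Host differs from destination")
    except ValueError:
        pass  # Host is a domain name: fall through to the DNS comparison
    addrs = resolve(name)
    if not addrs:
        return Verdict(False, "domain does not resolve")
    if any(ip_address(a) == ip_address(local_ip) for a in addrs):
        return Verdict(True, "local IP matches a domain IP")
    # This is the condition behind the cache.log message in the thread.
    return Verdict(False, "local IP does not match any domain IP")

def constructed_resolver(name: str) -> List[str]:
    return CONSTRUCTED_DNS.get(name, [])

if __name__ == "__main__":
    # Genuine intercept: the packet really was addressed to example.com.
    print(host_header_check("93.184.216.34", "example.com", constructed_resolver))
    # Docker case: destination is the container IP, so every request fails.
    print(host_header_check("172.19.0.2", "example.com", constructed_resolver))
```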
[squid-users] store_id_extras to access request header
Hi,

I tried to get the request header to the store id helper with the %>h option for store_id_extras; however, I get a '-' (and the default k-v pairs intact).

Is this expected behaviour? Wouldn't the request header be available before sending a query to the store-id helper?

My use case was to pass custom fields either as part of the URL (appended at the end) or in a request header.

Is it possible to use a combination of the store_id_program helper and rewrite_url_program, such that the extra params from the url are used by the store-id helper to create a store-id and then the url_rewrite program can strip them off before sending the request to the origin server?

--
- Kedar
Re: [squid-users] store_id_extras to access request header
Additional note: I do see both request and response headers in access.log though.

On Wed, Jul 11, 2018 at 11:29 AM Kedar K wrote:
> Hi,
> I tried to get the request header to store id helper
> with %>h option for store_id_extras; However, I get a '-' (and the default
> k-v pairs intact)
>
> Is this expected behaviour? Wouldn't request header be available before
> sending a query to store-id helper?
>
> My use case was to pass custom fields either as part of URL (append at
> the end) or request header.
>
> Is it possible to use combination of store_id_program helper and
> rewrite_url_program; such that the extra params from the url are used by
> store-id helper to create a store-id and then the url_rewrite program can
> strip them off before sending the request to origin server?
>
> --
> - Kedar

--
- Kedar Kekan
Re: [squid-users] store_id_extras to access request header
It worked with a combination of store-id helper and url rewriter.

- Kedar

On Wed, Jul 11, 2018 at 11:42 AM Kedar K wrote:
> additional note:
> I do see both request and response header in access.log though.

--
- Kedar Kekan
Re: [squid-users] store_id_extras to access request header
That was a false alarm; it actually cached only the redirected url, and the key generated by the store-id helper was not used.

On Wed, Jul 11, 2018 at 2:49 PM Kedar K wrote:
> It worked with a combination of store-id helper and url rewriter.
>
> - Kedar

--
- Kedar Kekan
Re: [squid-users] store_id_extras to access request header
With the following config to access the request header:

store_id_extras "%>h %>a/%>A %un %>rm myip=%la myport=%lp"

the store_id_extras does not seem to forward header info. Is there something that I might be missing? Again, I see the header in access.log; however, the same is missing from the data sent to the store-id helper.

On Wed, Jul 11, 2018 at 3:29 PM Kedar K wrote:
> That was a false alarm; it actually cached only the redirected url and the
> key generated by store-id helper was not used.
Re: [squid-users] Problems with peek and slice through parent proxy
On Wed, Jul 11, 2018 at 7:03 PM Hess, Niklas wrote:
> Hello list,
>
> I'm setting up a Squid proxy specifically to scan the incoming traffic
> from a cloud platform.
> ClamAV should scan the incoming traffic.
>
> So far so good.
>
> The cloud uses WebDAV over HTTPS, so I have to SSL-Bump the incoming
> traffic via the Peek and Splice feature.
> That works indeed with the CA-signed internal certificate.
>
> But as soon as I add a cache_peer as a "parent proxy" it does not work.
> (This request could not be forwarded to the origin server or to any parent
> caches.)
> I just get "FwdState.cc(813) connectStart: fwdConnectStart: Ssl bumped
> connections through parent proxy are not allowed" in the cache.log
>
> And yes, I know ssl-bump through a parent proxy is a security issue and
> might be insecure, but the connection to the parent is internal, safe and
> secure.
> I don't know how, but could there be a way to "comment out" the section in
> the fwdConnectStart source file?
>
> Squid Cache: Version 3.5.27
> Service Name: squid
> configure options: '--with-openssl' '--enable-ssl-crtd'
>
> Here's my "minimal" SSL-Bump config:
>
> ### Start config
>
> debug_options ALL,6
> shutdown_lifetime 1 seconds
>
> http_port 8080 ssl-bump cert=/usr/local/squid/etc/ssl_cert/Squidtest.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
> sslcrtd_children 25 startup=5 idle=10
>
> cache_peer 10.106.3.66 parent 8080 0 no-query no-digest name=parent
>
> never_direct allow all
>
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
>
> ssl_bump bump all

Did you forget to copy the at_step acls?

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

> http_access allow all
>
> ### End config
>
> Thanks for any help!
>
> Niklas
>
> Trainee Niklas Hess
> Team Applikation-Management
> Eigenbetrieb Informationstechnologie des Wetteraukreises
> 61169 Friedberg
> Europaplatz
> Building B
> Tel.: 06031 83-6526
> Mobile:
> Fax: 06031 83-916526
> www.wetteraukreis.de
>
> Information on data protection is available on our data protection page
> www.datenschutz.wetterau.de
> This e-mail contains confidential and/or legally protected information. If
> you are not the intended recipient, please inform the sender immediately
> and destroy this e-mail. Unauthorised copying and unauthorised forwarding
> of this e-mail are not permitted.

--
- Kedar
Re: [squid-users] store_id_extras to access request header
On Wed, Jul 11, 2018 at 8:37 PM Alex Rousskov <rouss...@measurement-factory.com> wrote:
> On 07/10/2018 11:59 PM, Kedar K wrote:
>
> > I tried to get the request header to store id helper
> > with %>h option for store_id_extras; However, I get a '-'
>
> > store_id_extras "%>h %>a/%>A %un %>rm myip=%la myport=%lp"
>
> > Is this expected behaviour?
>
> No, it is not expected. Consider filing a bug report with Squid bugzilla
> and, if possible, attach an ALL,9 cache.log while reproducing the
> problem with a single wget or curl transaction. Please do not forget to
> specify your Squid version.
>
> If you can reproduce the problem with Squid v4 or v5, please mention
> that as well.

Thank you Alex; yes, it seems a bug; tested with both store_id & url_rewrite extras. Either of them sends blank headers. BTW I am using version 3.5.20. I will test with ALL,9 and report the bug.

> > Wouldn't request header be available before
> > sending a query to store-id helper?
>
> Yes, request headers are available at Store ID calculation time.
>
> > Is it possible to use combination of store_id_program helper and
> > rewrite_url_program; such that the extra params from the url are used by
> > store-id helper to create a store-id and then the url_rewrite program
> > can strip them off before sending the request to origin server?
>
> That plan would not work because the Store ID helper is consulted after
> the URL rewriter:
> https://wiki.squid-cache.org/SquidFaq/OrderIsImportant#Callout_Sequence

This makes it clear now.

> Using custom headers is a much simpler/cleaner solution IMO.

Agree.

> HTH,
>
> Alex.

--
- Kedar
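For readers following the store_id_extras thread, here is an added example of a minimal store_id_program helper (written for this page, not Squid's own code) that speaks the helper line protocol the thread is about: it reads "[channel-ID] URL [extras]" lines, builds the cache key by dropping constructed custom query parameters (the "custom fields appended to the URL" use case), and answers "OK store-id=..." or "ERR". The CUSTOM_PARAMS set and the sample lines are constructed; the extras field is parsed so a helper can inspect whatever store_id_extras delivers.

```python
# Added example, not Squid's code: a store_id_program helper that strips
# constructed per-request query parameters when computing the cache key.
import sys
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed: parameters that vary per request but must not split the cache.
CUSTOM_PARAMS = {"x-tenant", "x-trace"}

def parse_helper_line(line: str) -> Tuple[Optional[str], str, str]:
    """Split '[channel-ID] URL [extras]' into (channel, url, extras).
    The channel-ID is present when the helper runs with concurrency > 0."""
    fields = line.rstrip("\r\n").split(" ", 1)
    channel: Optional[str] = None
    if fields[0].isdigit():
        channel = fields[0]
        fields = (fields[1] if len(fields) > 1 else "").split(" ", 1)
    url = fields[0]
    extras = fields[1] if len(fields) > 1 else ""
    return channel, url, extras

def store_id_for(url: str) -> Optional[str]:
    """Return a normalised store-id, or None when the URL should be used as-is."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None  # not an absolute URL: leave it to Squid
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k.lower() not in CUSTOM_PARAMS]
    if len(kept) == len(pairs):
        return None  # nothing stripped: Squid keys on the request URL itself
    query = urlencode(kept)  # original parameter order is preserved
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path, query, ""))

def respond(line: str) -> str:
    """One helper transaction: 'OK store-id=...' or 'ERR', channel-prefixed."""
    channel, url, _extras = parse_helper_line(line)
    sid = store_id_for(url)
    body = f"OK store-id={sid}" if sid else "ERR"
    return f"{channel} {body}" if channel is not None else body

if __name__ == "__main__":
    # Squid writes one request per line on stdin and reads replies on stdout.
    for raw in sys.stdin:
        sys.stdout.write(respond(raw) + "\n")
        sys.stdout.flush()
```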