RE: [squid-users] https://weather.yahoo.com redirect loop
Don't kill the messenger :) I agree, but had to remove forwarded for and via or I faced blocking and weirdness with several of the services I use. I won't name names cause I don't really want to pursue the debate. -Original Message- From: Amos Jeffries [mailto:squ...@treenet.co.nz] Sent: Wednesday, August 20, 2014 9:39 PM To: squid-users@squid-cache.org Subject: Re: [squid-users] https://weather.yahoo.com redirect loop On 21/08/2014 2:23 p.m., Lawrence Pingree wrote: No, I mean they are intentionally blocking with a configured policy, its not a bug. :) They have signatures that match Via headers and forwarded for headers to determine that it's squid. This is because many hackers are using bounces off open squid proxies to launch web attacks. That still sounds like a bug. Blocking on squid existence makes as much sense as blocking all traffic with UA header containing MSIE on grounds that 90% of web attacks come with that agent string. The content inside those headers is also context specific, signature matching will not work beyond a simple proxy/maybe-proxy determination (which does not even determine non-proxy!). A proposal came up in the IETF a few weeks ago that HTTPS traffic containing Via header should be blocked on sight by all servers. It got booted out on these grounds: * the bad guys are not sending Via. * what Via do exist are being sent by good guys who obey the specs but are othewise literally forced (by law or previous TLS based attacks) to MITM the HTTPS in order to increase security checking on that traffic (ie. AV scanning). Therefore, the existence of Via is actually a sign of *good* health in the traffic and a useful tool for finding culprits behind the well behaved proxies. Rejecting or blocking based on its existence just increases the ratio of nasty traffic which makes it through. While simultaneously forcing the good guys to become indistinguishable from bad guys. Only the bad guys get any actual benefit out of the situation. Basically via off is a bad idea, and broken services (intentional or otherwise) which force it to be used are worse than terrible. Amos
Re: [squid-users] https://weather.yahoo.com redirect loop
On 08/20/2014 10:52 AM, Jatin Bhasin wrote: And when I browse to https://weather.yahoo.com then it goes in redirect loop. I am using Chrome browser and I get a message at the end saying 'This webpage has a redirect loop'. Happens in 3.4 series too. I added these in squid.conf as a solution: via off forwarded_for delete Amm
Re: [squid-users] https://weather.yahoo.com redirect loop
Hi, Thanks, for that. It solved for me as well. But does anyone why this loop happens and how does these squid directives resolve the issue? Thanks, Jain On 20 Aug 2014, at 16:16, Amm ammdispose-sq...@yahoo.com wrote: On 08/20/2014 10:52 AM, Jatin Bhasin wrote: And when I browse to https://weather.yahoo.com then it goes in redirect loop. I am using Chrome browser and I get a message at the end saying 'This webpage has a redirect loop'. Happens in 3.4 series too. I added these in squid.conf as a solution: via off forwarded_for delete Amm
Re: [squid-users] https://weather.yahoo.com redirect loop
On 08/20/2014 04:06 PM, Jatin Bhasin wrote: Hi, Thanks, for that. It solved for me as well. But does anyone why this loop happens and how does these squid directives resolve the issue? I think only Yahoo can answer that. They seem to send redirect when they find Via and/or X-Forwarded-For headers. I was lazy to find which header exactly but I disabled both anyway. Amm.
RE: [squid-users] https://weather.yahoo.com redirect loop
Personally I have found that the latest generation of Next Generation Firewalls have been doing blocking when they detect a via with a squid header, so I did the same and that way no-one can detect my cache. The key thing you need to make sure is that NAT and redirection doesn't go into a loop so that the cache isn't receiving the packets twice and trying to re-process the requests. -Original Message- From: Amm [mailto:ammdispose-sq...@yahoo.com] Sent: Tuesday, August 19, 2014 11:16 PM To: squid-users@squid-cache.org Subject: Re: [squid-users] https://weather.yahoo.com redirect loop On 08/20/2014 10:52 AM, Jatin Bhasin wrote: And when I browse to https://weather.yahoo.com then it goes in redirect loop. I am using Chrome browser and I get a message at the end saying 'This webpage has a redirect loop'. Happens in 3.4 series too. I added these in squid.conf as a solution: via off forwarded_for delete Amm
Re: [squid-users] https://weather.yahoo.com redirect loop
On 21/08/2014 5:08 a.m., Lawrence Pingree wrote: Personally I have found that the latest generation of Next Generation Firewalls have been doing blocking when they detect a via with a squid header, Have you been making bug reports to these vendors? Adding Via header is mandatory in HTTP/1.1 specification, and HTTP proxy is a designed part of the protocol. So any blocking based on the simple existence of a proxy is non-compliance with HTTP itself. That goes for ports 80, 443, 3128, 3130, and 8080 which are all registered for HTTP use. However, if your proxy is emitting Via: 1.1 localhost or Via: 1.1 localhost.localdomain it is broken and may not be blocked so much as rejected for forwarding loop because the NG firewall has a proxy itself on localhost. The Via header is generated from visible_hostname (or the OS hostname lookup) and supposed to contain the visible public FQDN of the each server the message relayed through. Amos
RE: [squid-users] https://weather.yahoo.com redirect loop
No, I mean they are intentionally blocking with a configured policy, its not a bug. :) They have signatures that match Via headers and forwarded for headers to determine that it's squid. This is because many hackers are using bounces off open squid proxies to launch web attacks. -Original Message- From: Amos Jeffries [mailto:squ...@treenet.co.nz] Sent: Wednesday, August 20, 2014 4:10 PM To: squid-users@squid-cache.org Subject: Re: [squid-users] https://weather.yahoo.com redirect loop On 21/08/2014 5:08 a.m., Lawrence Pingree wrote: Personally I have found that the latest generation of Next Generation Firewalls have been doing blocking when they detect a via with a squid header, Have you been making bug reports to these vendors? Adding Via header is mandatory in HTTP/1.1 specification, and HTTP proxy is a designed part of the protocol. So any blocking based on the simple existence of a proxy is non-compliance with HTTP itself. That goes for ports 80, 443, 3128, 3130, and 8080 which are all registered for HTTP use. However, if your proxy is emitting Via: 1.1 localhost or Via: 1.1 localhost.localdomain it is broken and may not be blocked so much as rejected for forwarding loop because the NG firewall has a proxy itself on localhost. The Via header is generated from visible_hostname (or the OS hostname lookup) and supposed to contain the visible public FQDN of the each server the message relayed through. Amos
Re: [squid-users] https://weather.yahoo.com redirect loop
On 21/08/2014 2:23 p.m., Lawrence Pingree wrote: No, I mean they are intentionally blocking with a configured policy, its not a bug. :) They have signatures that match Via headers and forwarded for headers to determine that it's squid. This is because many hackers are using bounces off open squid proxies to launch web attacks. That still sounds like a bug. Blocking on squid existence makes as much sense as blocking all traffic with UA header containing MSIE on grounds that 90% of web attacks come with that agent string. The content inside those headers is also context specific, signature matching will not work beyond a simple proxy/maybe-proxy determination (which does not even determine non-proxy!). A proposal came up in the IETF a few weeks ago that HTTPS traffic containing Via header should be blocked on sight by all servers. It got booted out on these grounds: * the bad guys are not sending Via. * what Via do exist are being sent by good guys who obey the specs but are othewise literally forced (by law or previous TLS based attacks) to MITM the HTTPS in order to increase security checking on that traffic (ie. AV scanning). Therefore, the existence of Via is actually a sign of *good* health in the traffic and a useful tool for finding culprits behind the well behaved proxies. Rejecting or blocking based on its existence just increases the ratio of nasty traffic which makes it through. While simultaneously forcing the good guys to become indistinguishable from bad guys. Only the bad guys get any actual benefit out of the situation. Basically via off is a bad idea, and broken services (intentional or otherwise) which force it to be used are worse than terrible. Amos
[squid-users] https://weather.yahoo.com redirect loop
Hello All, I am using SSL Bump in transparent mode in squid 3.3.12. And when I browse to https://weather.yahoo.com then it goes in a redirect loop. I am using Chrome browser and I get a message at the end saying 'This webpage has a redirect loop'. On checking the developer console I found that response code received for the GET is 301 Moved Permanently. But when I go to the same site direct (without squid in the middle) then it works normally and I see 200 OK for the same GET. Thanks, Jatin