On Wed, 12 Oct 2011 09:45:40 -0600, Alex Rousskov wrote:
On 10/11/2011 10:38 PM, Amos Jeffries wrote:
On Mon, 10 Oct 2011 08:39:00 -0600, Alex Rousskov wrote:
------------------------------------------------------------
revno: 11783
committer: Alex Rousskov <[email protected]>
branch nick: trunk
timestamp: Mon 2011-10-10 08:39:00 -0600
message:
Fixed typos in the host_verify_strict description.
Frankly, the description is likely to still make little sense to
uninitiated because we do not explain what is "Host vs IP validation"
and what the "additional strict validation comparisons" are. There was
an attempt to explain the latter, but I think it failed. Perhaps there
are more typos that hide the intended meaning?
modified:
src/cf.data.pre
"
By default on intercept and tproxy traffic Squid verifies that the
destination IP address matches the Host: header domain or IP (called
'authority form URL'). The client will be presented with a 409 Conflict
error page and Squid logs a security warning if they do not match.
When set to ON, this option enables additional strict comparisons on
forward-proxy and reverse-proxy traffic passing through Squid.
These additional tests involve textual domain comparisons to
ensure that the client sends a consistent Host header for the
destination server mentioned in the URL.
"
Hi Amos,
I would polish the above a little further, thanks to your earlier
clarifications:
----------
Regardless of this option setting, when dealing with intercepted
traffic, Squid always verifies that the destination IP address matches
the Host header domain or IP (called 'authority form URL'). Squid
responds with an HTTP 409 (Conflict) error page and logs a security
warning if there is no match.
When set to ON, Squid verifies that the destination IP address matches
the Host header for forward-proxy and reverse-proxy traffic as well. For
those traffic types, Squid also enables the following checks, comparing
the corresponding Host header and Request-URI components:
* The host names (domain or IP) must be identical,
  but valueless or missing Host header disables all checks.
  For the two host names to match, both must be either IP or FQDN.
* Port numbers must be identical,
  but if a port is missing, the scheme-default port is assumed.
This check is skipped for intercepted traffic and for CONNECT
requests with a missing port in the Host header.
I'll leave this last line out for now. We might have to change it later
when HTTPbis work has sorted out CONNECT a bit more. Intercept is also
not relevant for forward-proxy and reverse-proxy traffic.
This enforcement is performed to satisfy a MUST-level requirement in
RFC 2616 section 14.23: "The Host field value MUST represent the naming
authority of the origin server or gateway given by the original URL".
--------
* this option set to 'off' -> skip all URL-vs-Host tests
That part I did not understand because it seems to contradict the
earlier "By default on intercept and tproxy traffic Squid verifies ..."
claim.
Intercept+tproxy we do not have URL domain to work with. We cannot
compare. So these are all skipped. IMO your sentence 1 of paragraph 2
adequately covers that without going into specifics.
Please feel free to leave as is or polish further as you please and
commit. This is not a big deal (but I do expect us to quote this
documentation to angry users).
Done.
Amos
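
The Host-versus-Request-URI checks listed in the proposed description above, sketched in Python as an added example; this is not Squid's code and not from either poster. The function name, the port table and the case-folding of domain names done by `urlsplit` are assumptions of this sketch.

```python
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}  # scheme-default ports used when a port is missing


def _ip_or_none(host):
    """Return an ip_address object if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def host_matches_uri(request_uri, host_header):
    """Return True when the Host header is consistent with an absolute Request-URI."""
    # A missing or valueless Host header disables all checks.
    if host_header is None or not host_header.strip():
        return True
    try:
        uri = urlsplit(request_uri)
        hdr = urlsplit("//" + host_header.strip())  # parses "host[:port]", bracketed IPv6 too
        uri_port, hdr_port = uri.port, hdr.port
    except ValueError:  # malformed authority, non-numeric or out-of-range port
        return False
    if not uri.hostname or not hdr.hostname:
        return False
    # Both names must be of the same kind: two IPs or two domain names.
    uri_ip, hdr_ip = _ip_or_none(uri.hostname), _ip_or_none(hdr.hostname)
    if (uri_ip is None) != (hdr_ip is None):
        return False
    if uri_ip is not None:
        if uri_ip != hdr_ip:
            return False
    elif uri.hostname != hdr.hostname:  # textual comparison; urlsplit lower-cases (assumption)
        return False
    # Ports must be identical once a missing port is replaced by the scheme default.
    default = DEFAULT_PORTS.get(uri.scheme)
    return (uri_port or default) == (hdr_port or default)


# Constructed sample requests: (Request-URI, Host header value)
SAMPLES = [
    ("http://example.com/", "example.com:80"),
    ("http://example.com:8080/", "example.com"),
    ("http://192.0.2.10/", "example.com"),
    ("http://example.com/", ""),
]
if __name__ == "__main__":
    for uri, host in SAMPLES:
        print(uri, repr(host), "ok" if host_matches_uri(uri, host) else "409 Conflict")
```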