OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: ruggerio on October 20, 2018, 05:49:21 pm

Title: [SOLVED] get rid of host forgery detected
Post by: ruggerio on October 20, 2018, 05:49:21 pm
Hi,

I have been trying for a long time already to resolve this issue on the proxy:

SECURITY ALERT: Host header forgery detected on local=[blah-ip]:443 remote=[my-ip]:52382 FD 12 flags=33 (local IP does not match any domain IP)

I read a lot about it; it forces the same IP for the DNS on DHCP as I have entered in the proxy, but the problem remains. I have no further clue how to get rid of it and clean my logs.

Any help is appreciated.

btw. I use dnsmasq as resolver, not Unbound.
Title: Re: get rid of host forgery detected
Post by: neillans on February 10, 2019, 08:41:44 pm
Been doing some digging, and it seems this is a "feature" that's been added to Squid to validate connections against things like NAT tables to confirm it's a "safe" request.
http://www.squid-cache.org/Doc/config/host_verify_strict/


The problem is by doing the port forward for transparent proxy it breaks the check (or so it appears).

Looks like other vendors have hit this, and patched:

https://github.com/NethServer/dev/issues/5348


Any chance of OPNSense patching?
Causes a lot of problems with SNI inspection - I really don't want to do full SSL decrypt due to having to then maintain a long no-bump list, but the SNI inspect doesn't really work because of this and intermittent failures.
Title: Re: get rid of host forgery detected
Post by: franco on February 11, 2019, 08:46:40 am
Looks like this is the patch...

https://github.com/NethServer/squid/blob/c7/SOURCES/squid-3.5.20-ssl-forgery.patch

I'm willing to look at it in exchange for a ticket:

https://github.com/opnsense/ports/issues


Cheers,
Franco
Title: Re: get rid of host forgery detected
Post by: neillans on February 12, 2019, 08:50:32 am
Done :) #66
Title: Re: get rid of host forgery detected
Post by: franco on February 15, 2019, 04:10:15 pm
Thanks, 19.1.2 should have a fix.


Cheers,
Franco
Title: Re: get rid of host forgery detected
Post by: marco-shagrat on April 09, 2019, 06:46:17 pm
Hi all,
Any news about this issue? I updated my firewall to 19.1.5 but the issue still remains.

Best regards
Title: Re: get rid of host forgery detected
Post by: franco on April 11, 2019, 06:21:30 pm
Yes, as I said: 19.1.2 has the fix.


Cheers,
Franco
Title: Re: [SOLVED] get rid of host forgery detected
Post by: marco-shagrat on April 24, 2019, 05:13:06 pm
Sorry, I don't understand: if 19.1.2 has the fix, why does my "OPNsense 19.1.5_1-amd64" (I think it's a later version) still have the problem?

 ???
Title: Re: [SOLVED] get rid of host forgery detected
Post by: franco on April 26, 2019, 05:46:25 am
That's a good question I cannot answer without further help from you.

While the original requesters never confirmed this works as intended they also never complained it did not.

That means:

a) It works and you are having another local issue you need to help us debug.

b) It doesn't work and you need to help us debug.


Cheers,
Franco
Title: Re: [SOLVED] get rid of host forgery detected
Post by: hbc on April 26, 2019, 08:16:49 am
While the original requesters never confirmed this works as intended they also never complained it did not.

b) It doesn't work and you need to help us debug.

Since my 19.1.5 still shows host forgery, I assume the fix never worked. My squid cache.log shows tons of :

2019/04/26 08:04:48 kid1| SECURITY ALERT: Host header forgery detected on local=35.201.121.164:443 remote=10.X.X.X:51100 FD 406 flags=33 (local IP does not match any domain IP)
2019/04/26 08:04:48 kid1| SECURITY ALERT: on URL: www.feelinsonice.com:443
2019/04/26 08:04:50 kid1| SECURITY ALERT: Host header forgery detected on local=35.201.121.164:443 remote=10.X.X.X:55004 FD 406 flags=33 (local IP does not match any domain IP)
2019/04/26 08:04:50 kid1| SECURITY ALERT: on URL: www.feelinsonice.com:443
2019/04/26 08:04:51 kid1| SECURITY ALERT: Host header forgery detected on local=35.201.121.164:443 remote=10.X.X.X:55010 FD 432 flags=33 (local IP does not match any domain IP)
2019/04/26 08:04:51 kid1| SECURITY ALERT: on URL: www.feelinsonice.com:443
Title: Re: [SOLVED] get rid of host forgery detected
Post by: marco-shagrat on April 26, 2019, 12:15:31 pm
That's a good question I cannot answer without further help from you.

While the original requesters never confirmed this works as intended they also never complained it did not.

That means:

a) It works and you are having another local issue you need to help us debug.

b) It doesn't work and you need to help us debug.


Cheers,
Franco

I think that the fix never worked; I see that I'm not the only one who has the problem.

I'll be happy to help debug the problem. What should I do? Is there something you need?
Title: Re: [SOLVED] get rid of host forgery detected
Post by: franco on April 26, 2019, 12:28:00 pm
Fair enough. So you have 19.1.6 installed, reinstalled the squid3 package, done a reboot and the messages "SECURITY ALERT: Host header forgery detected on local=[blah-ip]:443 remote=[my-ip]:52382 FD 12 flags=33 (local IP does not match any domain IP)" are still in the log for the new connections?

I checked the package: the patch and its option are compiled in properly. The patch looks sane.

I have no idea what you are indicating that is not working as expected. I haven't seen a log from you or a problem description, best as a description of what operational impact you are seeing.


Thanks,
Franco
Title: Re: [SOLVED] get rid of host forgery detected
Post by: ruggerio on April 29, 2019, 07:34:41 am
Hi Franco,

Sorry for not replying; I also still have the issue, using transparent proxy.

btw. looking at the logs above, I also see almost only feelinsonice.com. This seems to be Snapchat.

Roger

Title: Re: [SOLVED] get rid of host forgery detected
Post by: franco on April 30, 2019, 07:36:35 am
Ok guys, listen up. This is ridiculous behaviour. Take a look at:

https://github.com/opnsense/ports/issues/66

I've added the *exact* patch that was required of me to be included as per the ticket.

Now please DO NOT say "it doesn't work" because all I did was respond to the request made in the issue and if it doesn't work "as you think it does" that does not qualify all the drama here. Have you all the data or just random log entries that might still be happening for other reasons? Nobody follows up for months and now this? Seriously?

If that is going to be the standard I'm not going to indulge any future requests for patching software in ways that I am not capable of testing despite being willing to look, engineer and security audit them.

I'm dead serious on this. Please be considerate as this is not any particular OPNsense issue since we are patching UPSTREAM software.


Cheers,
Franco
Title: Re: [SOLVED] get rid of host forgery detected
Post by: mimugmail on May 02, 2019, 11:19:54 am
Do you use IPv6 (or are you aware of it)? I had a similar problem where clients and proxy use the same v4 DNS, but the client did the DNS via v6 and then there were again forgery attacks :)
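An added diagnostic (not from the thread, OPNsense or Squid): it pairs the two-line cache.log alerts hbc posted above and classifies each one by comparing the address the client connected to with what the proxy's own resolver returns for the host, which is exactly the client/proxy DNS split (including the IPv6 case) described in this post. The resolver answers, the example.invalid host and the IPv6 log pair are constructed; system_resolver is the only live call and is meant to be run on the proxy host itself.

```python
import re
import socket

# Squid writes two consecutive cache.log lines per event: the alert with the
# addresses, then an "on URL:" line naming the host the client asked for.
ALERT_RE = re.compile(r"forgery detected on local=\[?(?P<local>[0-9A-Fa-f.:]+)\]?:\d+ "
                      r"remote=\[?(?P<remote>[^\]\s]+)\]?:\d+")
URL_RE = re.compile(r"SECURITY ALERT: on URL: \[?(?P<host>[^\]\s:]+)\]?:\d+")

def pair_alerts(lines):
    """Return (local_ip, remote_ip, host) for each alert/URL line pair."""
    out, pending = [], None
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            pending = (m["local"], m["remote"])
            continue
        u = URL_RE.search(line)
        if u and pending:
            out.append((pending[0], pending[1], u["host"]))
            pending = None
    return out

def classify(local_ip, host, resolve):
    """Compare the address the client connected to with the proxy's own DNS answers."""
    answers = resolve(host)
    if local_ip in answers:
        return "matches-now"         # round-robin/TTL drift at log time, or a patch problem
    if ":" in local_ip and not any(":" in a for a in answers):
        return "v6-client-v4-proxy"  # client resolved AAAA, proxy's resolver returned none
    return "dns-mismatch"            # client and proxy do not share the same DNS view

def system_resolver(host):
    """Live resolver; run on the proxy host so this is the view Squid gets."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, None)}

# Constructed offline resolver answers, two line pairs quoted from the thread and
# one made-up IPv6 pair. On a real box: classify(...) with system_resolver instead.
CONSTRUCTED_ANSWERS = {"www.feelinsonice.com": {"35.201.121.164"}, "example.invalid": {"192.0.2.10"}}
def resolve_constructed(host):
    return CONSTRUCTED_ANSWERS.get(host, set())

SAMPLE_LOG = [
    "2019/04/26 08:04:48 kid1| SECURITY ALERT: Host header forgery detected on local=35.201.121.164:443 remote=10.X.X.X:51100 FD 406 flags=33 (local IP does not match any domain IP)",
    "2019/04/26 08:04:48 kid1| SECURITY ALERT: on URL: www.feelinsonice.com:443",
    "2019/04/26 08:04:50 kid1| SECURITY ALERT: Host header forgery detected on local=35.201.121.164:443 remote=10.X.X.X:55004 FD 406 flags=33 (local IP does not match any domain IP)",
    "2019/04/26 08:04:50 kid1| SECURITY ALERT: on URL: www.feelinsonice.com:443",
    "2019/04/26 08:05:02 kid1| SECURITY ALERT: Host header forgery detected on local=[2001:db8::10]:443 remote=[fd00::5]:40112 FD 440 flags=33 (local IP does not match any domain IP)",
    "2019/04/26 08:05:02 kid1| SECURITY ALERT: on URL: example.invalid:443",
]
```

A run of "v6-client-v4-proxy" verdicts points at clients resolving over IPv6 against a resolver the proxy does not use; "matches-now" at log time means the answers only differed transiently (or the build's patch is not doing what was expected).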
Title: Re: [SOLVED] get rid of host forgery detected
Post by: hbc on May 07, 2019, 06:56:31 pm
Do you use IPv6 (or are you aware of it)? I had a similar problem where clients and proxy use the same v4 DNS, but the client did the DNS via v6 and then there were again forgery attacks :)
Right. I use IPv6. How did you resolve this issue? The clients are dual stack, as is the firewall itself. The firewall acts as IPv6 DNS server (Unbound). The firewall itself just has IPv4 addresses configured for DNS servers. Should I add the IPv6 addresses of the DNS servers, too?
Title: Re: [SOLVED] get rid of host forgery detected
Post by: mimugmail on May 07, 2019, 08:23:49 pm
Port forward for v6 Port 53 to localhost :)
Title: Re: [SOLVED] get rid of host forgery detected
Post by: hbc on May 07, 2019, 08:50:01 pm
Port forward for v6 Port 53 to localhost :)
How does this work? This would violate IPv6 scope.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193568
For this reason, I use the interface IPv6 address for redirect in transparent proxy.
Title: Re: [SOLVED] get rid of host forgery detected
Post by: mimugmail on May 07, 2019, 08:54:21 pm
Hm, I'm quite sure it works, will test it tomorrow