Re: httpd_accel_uses_host_header

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 08 May 1997 21:03:07 +0200

When running as a accelerator, squid normally only accepts "local" URLs
(without server). By adding the Host: header you effectively translates
the acceleration function to be almost equal to proxying with respect to
security. The client may specify any server they want, and connect to
them on the accel_port.

The request goes thought all the usual ACL checks, so it is easy to set
up full security if neccesary.

From icp.c:

XXX Use of the Host: header here opens a potential
security hole. There are no checks that the Host: value
corresponds to one of your servers. It might, for example,
refer to www.playboy.com. The 'dst' and/or 'dst_domain' ACL
types should be used to prevent httpd-accelerators
handling requests for non-local servers

Boyd Currey wrote:
> The squid.conf file says...
>
> ... However,
> # Squid does NOT check the value of the Host header, so it opens
> # a big security hole. We recommend that this option remain
> # disabled unless you are sure of what you are doing.
>
> What kind of security holes does it open? Does this mean that people
> can throw in false Host header addresses to gain access to squid
> for evil purposes and to get around acl's to access squid itself?
Received on Thu May 08 1997 - 13:07:58 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:35:08 MST