From: Amos Jeffries
Date: Mon, 10 Oct 2011 12:21:13 +0000 (-0600)
Subject: Bug 3325: option to selectively enable strict host verify checks.
X-Git-Tag: BumpSslServerFirst.take01~108
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9052912577de8d1635599a99cf40fa7afbd4047a;p=thirdparty%2Fsquid.git

Bug 3325: option to selectively enable strict host verify checks.
---
diff --git a/src/cf.data.pre b/src/cf.data.pre
index 079607ce00..5fd1c78660 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1777,6 +1777,23 @@ DOC_START
 DOC_END
 
+NAME: host_verify_strict
+TYPE: onoff
+DEFAULT: off
+LOC: Config.onoff.hostStrictVerify
+DOC_START
+ By default Squid performs Host vs IP this validation on intercept
+ and tproxy traffic.
+
+ This option enables additional strict validation comparisons on
+ forward-proxy and reverse-proxy traffic passing through Squid.
+
+ These additional texts involve textual domain comparison of the
+ authority form URL found in the request-URL and Host: header. To
+ ensure that the client sends a consistent Host header for the
+ destination server with the URL.
+DOC_END
+
 NAME: client_dst_passthru
 TYPE: onoff
 DEFAULT: on
diff --git a/src/client_side_request.cc b/src/client_side_request.cc
index f4da4d49b6..3d77176d99 100644
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
@@ -634,6 +634,9 @@ ClientRequestContext::hostHeaderVerify()
 // verify the destination DNS is one of the Host: headers IPs
 ipcache_nbgethostbyname(host, hostHeaderIpVerifyWrapper, this);
 }
+ } else if (Config.onoff.hostStrictVerify) {
+ debugs(85, 3, HERE << "validate skipped.");
+ http->doCallouts();
 } else if (strlen(host) != strlen(http->request->GetHost())) {
 // Verify forward-proxy requested URL domain matches the Host: header
 debugs(85, 3, HERE << "FAIL on validate URL domain length " << http->request->GetHost() << " matches Host: " << host);
diff --git a/src/structs.h b/src/structs.h
index 884786d421..4cce1004ab 100644
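Review bot: The DOC_START text added for host_verify_strict is garbled in two places, `By default Squid performs Host vs IP this validation on intercept and tproxy traffic.` and `These additional texts involve textual domain comparison`, and this is the wording operators will read in the generated squid.conf documentation. Suggest `By default Squid performs Host vs IP validation on intercept and tproxy traffic.` and `These additional checks involve textual domain comparison of the authority-form URL found in the request-URL and the Host: header, to ensure the client sends a Host header consistent with the URL.` The text also never says what happens to a request that fails the comparison; that handling lives in hostHeaderVerify() outside this hunk, so confirm the outcome there before documenting it.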
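Review bot: The new branch skips the forward-proxy domain comparison when `Config.onoff.hostStrictVerify` is set, which is the inverse of what cf.data.pre in this same commit documents (`DEFAULT: off`, "enables additional strict validation comparisons"), and the debug text `validate skipped.` sitting on the enabled path makes the inversion plain: with the option off every forward-proxy request still goes through the strlen/GetHost comparison, and an operator who turns it on disables that check. The condition should be negated, `} else if (!Config.onoff.hostStrictVerify) {`, so that `off` skips and `on` falls through to the comparison. Since the context comment describes this comparison as the check that the requested URL domain matches the Host: header, anyone relying on the documented semantics gets the opposite of what they configured. hostHeaderVerify() begins and continues outside the hunk, and the `if` that the first context `}` closes is not visible, so the branch ordering around the intercept/tproxy case should be re-checked alongside the fix.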
--- a/src/structs.h
+++ b/src/structs.h
@@ -460,6 +460,7 @@ struct SquidConfig {
 int WIN32_IpAddrChangeMonitor;
 int memory_cache_first;
 int memory_cache_disk;
+ int hostStrictVerify;
 int client_dst_passthru;
 } onoff;
 