From: Alex Rousskov Date: Wed, 12 Oct 2011 21:22:33 +0000 (-0600) Subject: Docs: polish host_very_strict X-Git-Tag: BumpSslServerFirst.take01~103 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d882193405102e6ffb0b4e6a0f65a83a60a1a9dc;p=thirdparty%2Fsquid.git Docs: polish host_very_strict --- diff --git a/src/cf.data.pre b/src/cf.data.pre index bd59243d21..5d1017db5d 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre 
@@ -1782,16 +1782,27 @@ TYPE: onoff DEFAULT: off LOC: Config.onoff.hostStrictVerify DOC_START - By default Squid performs Host vs IP validation on intercept - and tproxy traffic. - - This option enables additional strict validation comparisons on - forward-proxy and reverse-proxy traffic passing through Squid. - - These additional tests involve textual domain comparison of the - authority form URL found in the request-URL and Host: header to - ensure that the client sends a consistent Host header for the - destination server with the URL. + Regardless of this option setting, when dealing with intercepted + traffic, Squid always verifies that the destination IP address matches + the Host header domain or IP (called 'authority form URL'). Squid + responds with an HTTP 409 (Conflict) error page and logs a security + warning if there is no match. + + When set to ON, Squid verifies that the destination IP address matches + the Host header for forward-proxy and reverse-proxy traffic as well. For + those traffic types, Squid also enables the following checks, comparing + the corresponding Host header and Request-URI components: + + * The host names (domain or IP) must be identical, + but valueless or missing Host header disables all checks. + For the two host names to match, both must be either IP or FQDN. + + * Port numbers must be identical, + but if a port is missing, the scheme-default port is assumed. + + This enforcement is performed to satisfy a MUST-level requirement in + RFC 2616 section 14.23: "The Host field value MUST represent the naming + authority of the origin server or gateway given by the original URL". DOC_END NAME: client_dst_passthru
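Review bot: the new "When set to ON" paragraph says the destination IP must match the Host header for forward-proxy and reverse-proxy traffic as well, but unlike the intercepted-traffic paragraph above it never states what Squid does on a mismatch; please say whether the same "HTTP 409 (Conflict) error page" and security warning apply to those traffic types too, since that is what an administrator enabling the option needs to know. In the first bullet, "but valueless or missing Host header disables all checks" needs an article ("a valueless or missing Host header"), and because this silently turns the verification off it is worth one more sentence stating that this is intended and whether the skipped check is logged. The sentence "For the two host names to match, both must be either IP or FQDN" reads as if each may be either; suggest "both must be IP addresses, or both must be FQDNs". Finally, the parenthetical "(called 'authority form URL')" now attaches to "the Host header domain or IP" rather than to the Request-URI it described in the removed text; either move it next to the Request-URI mention in the second paragraph or drop it.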