Re: [squid-dev] ERR_CONFLICT_HOST for HTTP CONNECT request on port 80

2022-03-04 Thread Alex Rousskov

On 3/4/22 03:25, YFone Ling wrote:

> I am here just trying to understand how the squid determines host conflicts
> for a simple http connect proxy request?


The complete answer to your question is large/complicated and 
Squid-version dependent, but, AFAICT, there are no conflicts in the 
simple CONNECT request you have shared. Either the Squid in question is 
buggy or something else is going on (that is not visible in the output 
you have shared).


Are you absolutely sure the CONNECT request looks exactly like the one 
you have copy-pasted? How do you observe that CONNECT request?


Can you reproduce this exact problem using, say, "nc" or "telnet" as a 
proxy client (no TLS)?


Normally, proxies that accept CONNECT requests do not listen on or 
intercept port 80. Normally, CONNECT requests do not target port 80 
either. Are you sure you are supposed to send a CONNECT request to port 
80 and target an origin server port 80?



What do the WiFi providers tell you when you complain to _them_? Can 
they get you in touch with the technical people responsible for their 
Squids?


Alex.




___
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
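
The plain-TCP reproduction suggested in the reply above (the "nc"/"telnet" test), as an added example that is not part of the original thread or of Squid: it builds the CONNECT bytes, checks that the request-target and Host header agree textually (this does not model Squid's own verification), and pulls the status and X-Squid-Error out of the reply. The function names and the default User-Agent are assumptions; SAMPLE_REPLY is abridged from the reply head posted in this thread.

```python
import socket

def build_connect(target, user_agent="repro-client/0"):  # User-Agent default is hypothetical
    """Return the exact bytes of a CONNECT request whose Host equals the target."""
    lines = [f"CONNECT {target} HTTP/1.1", f"Host: {target}",
             f"User-Agent: {user_agent}", "Proxy-Connection: keep-alive",
             "Connection: keep-alive", "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_head(raw):
    """Split a raw HTTP message head into (start_line, {lowercased name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    start, *rest = head.split("\r\n")
    headers = {}
    for line in rest:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return start, headers

def target_matches_host(request):
    """Textual check only: CONNECT request-target equals the Host header value."""
    start, headers = parse_head(request)
    parts = start.split()
    return len(parts) == 3 and parts[1].lower() == headers.get("host", "").lower()

def summarize_reply(raw):
    """Extract the status code, Squid error name and Via header from a reply head."""
    start, headers = parse_head(raw)
    parts = start.split(None, 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    squid_error = headers.get("x-squid-error", "").split(" ")[0] or None
    return {"status": status, "squid_error": squid_error, "via": headers.get("via")}

def probe(proxy_host, proxy_port, target, timeout=5.0):
    """Send the CONNECT over plain TCP (no TLS) and summarize the reply head."""
    request = build_connect(target)
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(request)
        buf = b""
        while b"\r\n\r\n" not in buf and len(buf) < 65536:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return summarize_reply(buf)

# Abridged from the reply head posted in this thread.
SAMPLE_REPLY = (b"HTTP/1.1 409 Conflict\r\nServer: squid\r\n"
                b"X-Squid-Error: ERR_CONFLICT_HOST 0\r\nVia: 1.1 3 (squid)\r\n\r\n")
```

If `probe()` returns a different result from the one the application sees for the same proxy and target, the bytes the application actually sends differ from the request pasted in the thread.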




Re: [squid-dev] ERR_CONFLICT_HOST for HTTP CONNECT request on port 80

2022-03-03 Thread Eliezer Croitoru
I am not sure if it’s for Squid-dev but anyway to clear out the doubts I would
suggest attaching the squid.conf
and remember to remove any sensitive data.

Eliezer

Eliezer Croitoru
NgTech, Tech Support
Mobile: +972-5-28704261
Email: ngtech1...@gmail.com


[squid-dev] ERR_CONFLICT_HOST for HTTP CONNECT request on port 80

2022-03-03 Thread YFone Ling
My application sends HTTP CONNECT requests to a HTTP proxy port 80, but
gets a squid ERR_CONFLICT_HOST error page.

Is the following code really working as the comments pointed out "ignore
them" since the following if condition is "http->request->method !=
Http::METHOD_CONNECT"
and the rest has been blocked by error page
"repContext->setReplyToError(ERR_CONFLICT_HOST, Http::scConflict,"?

Does "ignore them" mean block them?

    void
    ClientRequestContext::hostHeaderVerifyFailed(const char *A, const char *B)
    {
        // IP address validation for Host: failed. Admin wants to ignore them.
        // NP: we do not yet handle CONNECT tunnels well, so ignore for them
        if (!Config.onoff.hostStrictVerify && http->request->method != Http::METHOD_CONNECT) {
            debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " << http->getConn()->clientConnection <<
                   " (" << A << " does not match " << B << ") on URL: " << http->request->effectiveRequestUri());


How does the squid get "hostHeaderVerifyFailed" for a normal HTTP CONNECT
request to a HTTP Proxy as simple as below?

CONNECT www.zscaler.com:80 HTTP/1.1
Host: www.zscaler.com:80
User-Agent: Windows Microsoft Windows 10 Enterprise ZTunnel/1.0
Proxy-Connection: keep-alive
Connection: keep-alive


HTTP/1.1 409 Conflict
Server: squid
Mime-Version: 1.0
Date: Tue, 22 Feb 2022 20:59:42 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 2072
X-Squid-Error: ERR_CONFLICT_HOST 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from 3
Via: 1.1 3 (squid)
Connection: keep-alive




ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: www.zscaler.com:80
..



Thank you for any help on the understanding!

Paul Ling