From b599b05fd917b3aec62f6de1242439379aa30d6b Mon Sep 17 00:00:00 2001
From: Ricardo Ferreira Ribeiro
Date: Wed, 4 Feb 2026 12:29:43 +0000
Subject: [PATCH 1/6] Tolerate mismatching CONNECT Host for intercepted connections

---
 src/client_side_request.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/client_side_request.cc b/src/client_side_request.cc
index 507f53d32ba..94137f0ca8f 100644
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
@@ -390,7 +390,8 @@ ClientRequestContext::hostHeaderVerifyFailed(const char *A, const char *B)
 {
 // IP address validation for Host: failed. Admin wants to ignore them.
 // NP: we do not yet handle CONNECT tunnels well, so ignore for them
- if (!Config.onoff.hostStrictVerify && http->request->method != Http::METHOD_CONNECT) {
+ if ((!Config.onoff.hostStrictVerify && http->request->method != Http::METHOD_CONNECT) ||
+ (http->request->method == Http::METHOD_CONNECT && (http->request->flags.intercepted || http->request->flags.interceptTproxy))) {
 debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " << http->getConn()->clientConnection <<
 " (" << A << " does not match " << B << ") on URL: " << http->request->effectiveRequestUri());

From a26d5cc77d027b13470892d0585f5e3ef6999dcf Mon Sep 17 00:00:00 2001
From: Ricardo Ferreira Ribeiro
Date: Wed, 4 Feb 2026 12:44:56 +0000
Subject: [PATCH 2/6] fix alignment and comment

---
 src/client_side_request.cc | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/client_side_request.cc b/src/client_side_request.cc
index 94137f0ca8f..9bed820ddd6 100644
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
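Review bot: In the PATCH 1/6 hunk, the new second disjunct `(http->request->method == Http::METHOD_CONNECT && (http->request->flags.intercepted || http->request->flags.interceptTproxy))` never consults `Config.onoff.hostStrictVerify`, so an intercepted CONNECT with a mismatching Host takes the tolerant branch even when the admin has turned strict verification on; a CONNECT exception should be nested under the `!Config.onoff.hostStrictVerify` test rather than OR'ed beside it. The `NP: we do not yet handle CONNECT tunnels well` comment kept two lines above now contradicts the condition directly below it. PATCH 4/6 reverts this hunk and PATCH 5/6 drops the CONNECT term altogether, so this stands as a note on the series history; hostHeaderVerifyFailed's body continues past the hunk.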
@@ -388,10 +388,12 @@ ClientRequestContext::hostHeaderIpVerify(const ipcache_addrs* ia, const Dns::Loo
 void
 ClientRequestContext::hostHeaderVerifyFailed(const char *A, const char *B)
 {
- // IP address validation for Host: failed. Admin wants to ignore them.
- // NP: we do not yet handle CONNECT tunnels well, so ignore for them
- if ((!Config.onoff.hostStrictVerify && http->request->method != Http::METHOD_CONNECT) ||
- (http->request->method == Http::METHOD_CONNECT && (http->request->flags.intercepted || http->request->flags.interceptTproxy))) {
+ // IP address validation for Host header failed, but we may ignore it in certain cases:
+ // 1. For non-CONNECT requests: ignore if hostStrictVerify is disabled (admin choice)
+ // 2. For CONNECT requests: ignore if intercepted (TPROXY or regular interception)
+ if ((!Config.onoff.hostStrictVerify && http->request->method != Http::METHOD_CONNECT) ||
+ (http->request->method == Http::METHOD_CONNECT && (http->request->flags.intercepted || http->request->flags.interceptTproxy))
+ ) {
 debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " << http->getConn()->clientConnection <<
 " (" << A << " does not match " << B << ") on URL: " << http->request->effectiveRequestUri());

From 08ca032cbeb513983fa0ec58b9441f09e1a4857e Mon Sep 17 00:00:00 2001
From: Ricardo Ferreira Ribeiro
Date: Tue, 10 Feb 2026 08:23:35 +0000
Subject: [PATCH 3/6] Revert "fix alignment and comment"

This reverts commit a26d5cc77d027b13470892d0585f5e3ef6999dcf.
---
 src/client_side_request.cc | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/src/client_side_request.cc b/src/client_side_request.cc
index 9bed820ddd6..94137f0ca8f 100644
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
@@ -388,12 +388,10 @@ ClientRequestContext::hostHeaderIpVerify(const ipcache_addrs* ia, const Dns::Loo
 void
 ClientRequestContext::hostHeaderVerifyFailed(const char *A, const char *B)
 {
- // IP address validation for Host header failed, but we may ignore it in certain cases:
- // 1. For non-CONNECT requests: ignore if hostStrictVerify is disabled (admin choice)
- // 2. For CONNECT requests: ignore if intercepted (TPROXY or regular interception)
- if ((!Config.onoff.hostStrictVerify && http->request->method != Http::METHOD_CONNECT) ||
- (http->request->method == Http::METHOD_CONNECT && (http->request->flags.intercepted || http->request->flags.interceptTproxy))
- ) {
+ // IP address validation for Host: failed. Admin wants to ignore them.
+ // NP: we do not yet handle CONNECT tunnels well, so ignore for them
+ if ((!Config.onoff.hostStrictVerify && http->request->method != Http::METHOD_CONNECT) ||
+ (http->request->method == Http::METHOD_CONNECT && (http->request->flags.intercepted || http->request->flags.interceptTproxy))) {
 debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " << http->getConn()->clientConnection <<
 " (" << A << " does not match " << B << ") on URL: " << http->request->effectiveRequestUri());

From 3079af574fd0a9165678d38aa8959a4873f611f8 Mon Sep 17 00:00:00 2001
From: Ricardo Ferreira Ribeiro
Date: Tue, 10 Feb 2026 08:23:37 +0000
Subject: [PATCH 4/6] Revert "Tolerate mismatching CONNECT Host for intercepted connections"

This reverts commit b599b05fd917b3aec62f6de1242439379aa30d6b.
---
 src/client_side_request.cc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/client_side_request.cc b/src/client_side_request.cc
index 94137f0ca8f..507f53d32ba 100644
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
@@ -390,8 +390,7 @@ ClientRequestContext::hostHeaderVerifyFailed(const char *A, const char *B)
 {
 // IP address validation for Host: failed. Admin wants to ignore them.
 // NP: we do not yet handle CONNECT tunnels well, so ignore for them
- if ((!Config.onoff.hostStrictVerify && http->request->method != Http::METHOD_CONNECT) ||
- (http->request->method == Http::METHOD_CONNECT && (http->request->flags.intercepted || http->request->flags.interceptTproxy))) {
+ if (!Config.onoff.hostStrictVerify && http->request->method != Http::METHOD_CONNECT) {
 debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " << http->getConn()->clientConnection <<
 " (" << A << " does not match " << B << ") on URL: " << http->request->effectiveRequestUri());

From e6cec16c3cc9b78f4bcf655a4cb71724642bd90c Mon Sep 17 00:00:00 2001
From: Ricardo Ferreira Ribeiro
Date: Tue, 10 Feb 2026 08:24:51 +0000
Subject: [PATCH 5/6] remove CONNECT restriction

---
 src/client_side_request.cc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/client_side_request.cc b/src/client_side_request.cc
index 507f53d32ba..3b1b063ddaa 100644
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
@@ -389,8 +389,7 @@ void
 ClientRequestContext::hostHeaderVerifyFailed(const char *A, const char *B)
 {
 // IP address validation for Host: failed. Admin wants to ignore them.
- // NP: we do not yet handle CONNECT tunnels well, so ignore for them
- if (!Config.onoff.hostStrictVerify && http->request->method != Http::METHOD_CONNECT) {
+ if (!Config.onoff.hostStrictVerify) {
 debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " << http->getConn()->clientConnection <<
 " (" << A << " does not match " << B << ") on URL: " << http->request->effectiveRequestUri());

From a70f808906ee5fc4cb2c92f2cd1a0cd4c7c34a00 Mon Sep 17 00:00:00 2001
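Review bot: In the PATCH 5/6 hunk, dropping `http->request->method != Http::METHOD_CONNECT` means a CONNECT whose Host does not match the original destination now takes the tolerant branch whenever `Config.onoff.hostStrictVerify` is off, like any other method, while the hunk also deletes the only comment explaining why CONNECT had been excluded and adds nothing saying why that concern no longer holds. Put a why-comment where the NP line was, for example `// CONNECT tunnels get the same admin-chosen tolerance as other methods; the tolerated request is still sent to the client's original destination (see host_verify_strict in cf.data.pre)`, after confirming that routing against the tolerant branch body, which continues outside this hunk. The HTTP 409 response was the visible signal for a suspicious intercepted CONNECT; after this change the level-3 `debugs` in this hunk is the only record of such tunnels, so the commit message should say how operators are expected to detect them now. The matching documentation removal is PATCH 6/6; check that no other cf.data.pre text still describes the CONNECT special case.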
From: Ricardo Ferreira Ribeiro
Date: Thu, 5 Mar 2026 13:35:29 +0100
Subject: [PATCH 6/6] remove CONNECT special case in doc

---
 src/cf.data.pre | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/cf.data.pre b/src/cf.data.pre
index 51c90a376e8..4c2b62f8e3c 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -2984,9 +2984,6 @@ DOC_START
 to the client original destination instead of DIRECT.
 This overrides 'client_dst_passthru off'.
- For now suspicious intercepted CONNECT requests are always
- responded to with an HTTP 409 (Conflict) error page.
-
 SECURITY NOTE: