Skip to content

Bug 4940: Tolerate Host header forgery for CONNECTs #2385

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
somecookie wants to merge 6 commits into
base: master
Choose a base branch
from
+1 −5
Open

Bug 4940: Tolerate Host header forgery for CONNECTs #2385

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
b599b05
Tolerate mismatching CONNECT Host for intercepted connections
somecookie Feb 4, 2026
a26d5cc
fix alignment and comment
somecookie Feb 4, 2026
08ca032
Revert "fix alignment and comment"
somecookie Feb 10, 2026
3079af5
Revert "Tolerate mismatching CONNECT Host for intercepted connections"
somecookie Feb 10, 2026
e6cec16
remove CONNECT restriction
somecookie Feb 10, 2026
a70f808
remove CONNECT special case in doc
somecookie Mar 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 0 additions & 3 deletions src/cf.data.pre
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2984,9 +2984,6 @@ DOC_START
to the client original destination instead of DIRECT.
This overrides 'client_dst_passthru off'.

For now suspicious intercepted CONNECT requests are always
responded to with an HTTP 409 (Conflict) error page.


SECURITY NOTE:

Expand Down
3 changes: 1 addition & 2 deletions src/client_side_request.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -389,8 +389,7 @@ void
ClientRequestContext::hostHeaderVerifyFailed(const char *A, const char *B)
{
// IP address validation for Host: failed. Admin wants to ignore them.
// NP: we do not yet handle CONNECT tunnels well, so ignore for them
if (!Config.onoff.hostStrictVerify && http->request->method != Http::METHOD_CONNECT) {
if (!Config.onoff.hostStrictVerify) {
debugs(85, 3, "SECURITY ALERT: Host header forgery detected on " << http->getConn()->clientConnection <<
" (" << A << " does not match " << B << ") on URL: " << http->request->effectiveRequestUri());

Expand Down