Hello Squid Users,

I just started using Squid less than a week ago. My setup is a transparent proxy with sslbump: I peek for media streaming sites, then terminate their connections, then I splice all.

I noticed that some https sites (not all of the time) do not respond. When I investigated, I found the following in cache.log:

3105 2016/06/09 12:45:40.630 kid1| SECURITY ALERT: on URL: mail.live.com:443
3106 2016/06/09 12:45:40.631 kid1| SECURITY ALERT: Host header forgery detected on local=157.55.43.16:443 remote=10.3.1.80:58328 FD 94 flags=33 (local IP does not match any domain IP)
3330 2016/06/09 13:26:26.676 kid1| SECURITY ALERT: on URL: mail.live.com:443
3331 2016/06/09 13:26:26.676 kid1| SECURITY ALERT: Host header forgery detected on local=157.56.122.210:443 remote=10.3.1.80:58414 FD 141 flags=33 (local IP does not match any domain IP)
3530 2016/06/09 13:49:49.481 kid1| SECURITY ALERT: on URL: mail.live.com:443
3531 2016/06/09 13:49:49.481 kid1| SECURITY ALERT: Host header forgery detected on local=157.55.43.17:443 remote=10.3.1.80:58616 FD 119 flags=33 (local IP does not match any domain IP)

I searched for a solution, which led me to (1st result):
http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery

I read it and it seems to be a dead end. What I understood is that the client requested a page from a certain IP, the reply came from another IP, and then it's blocked for security reasons.

Well, I tried to nslookup the mentioned IPs, and all of them are subdomains of mail.live.com:

nslookup 157.55.43.16
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Name: origin.du111w.dub111.mail.live.com
Address: 157.55.43.16

nslookup 157.56.122.210
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Name: origin.du125w.dub125.mail.live.com
Address: 157.56.122.210

nslookup 157.55.43.17
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Name: origin.du112w.dub112.mail.live.com
Address: 157.55.43.17

I also tried to nslookup mail.live.com, and every time I get different IPs:

nslookup mail.live.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: dispatch.kahuna.glbdns2.microsoft.com
Addresses: 157.56.195.156 157.55.235.51
Aliases: mail.live.com

nslookup mail.live.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: dispatch.kahuna.glbdns2.microsoft.com
Addresses: 157.55.235.49 157.56.122.210
Aliases: mail.live.com

nslookup mail.live.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: dispatch.kahuna.glbdns2.microsoft.com
Addresses: 157.55.43.16 157.55.43.17
Aliases: mail.live.com

nslookup mail.live.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: dispatch.kahuna.glbdns2.microsoft.com
Addresses: 157.55.235.51 157.56.122.208
Aliases: mail.live.com

nslookup mail.live.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: dispatch.kahuna.glbdns2.microsoft.com
Addresses: 157.55.235.51 157.56.122.208
Aliases: mail.live.com

nslookup mail.live.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: dispatch.kahuna.glbdns2.microsoft.com
Addresses: 157.55.235.48 157.55.235.49
Aliases: mail.live.com

nslookup mail.live.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: dispatch.kahuna.glbdns2.microsoft.com
Addresses: 157.55.235.49 157.56.122.210
Aliases: mail.live.com

So can't Squid learn that big sites have a lot of IPs mapped as subdomains of it, and that they may reply from any of them? Or just provide an option to disable this problematic security feature? Or am I missing something here?

Thank you all in advance.

Best Regards,
Eng Hooda
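
Added example, not part of the original post: a Python triage script that pairs the cache.log alert lines with the destination IP Squid flagged and counts how many of the recorded DNS answers for that hostname contain it. The function names and the `dns-rotation` / `investigate` labels are this example's own assumptions; the log lines and address sets are copied from the post.

```python
import re
# The cache.log alert lines quoted in the post (leading line numbers dropped).
CACHE_LOG = """\
2016/06/09 12:45:40.630 kid1| SECURITY ALERT: on URL: mail.live.com:443
2016/06/09 12:45:40.631 kid1| SECURITY ALERT: Host header forgery detected on local=157.55.43.16:443 remote=10.3.1.80:58328 FD 94 flags=33 (local IP does not match any domain IP)
2016/06/09 13:26:26.676 kid1| SECURITY ALERT: on URL: mail.live.com:443
2016/06/09 13:26:26.676 kid1| SECURITY ALERT: Host header forgery detected on local=157.56.122.210:443 remote=10.3.1.80:58414 FD 141 flags=33 (local IP does not match any domain IP)
2016/06/09 13:49:49.481 kid1| SECURITY ALERT: on URL: mail.live.com:443
2016/06/09 13:49:49.481 kid1| SECURITY ALERT: Host header forgery detected on local=157.55.43.17:443 remote=10.3.1.80:58616 FD 119 flags=33 (local IP does not match any domain IP)
"""
# Address sets returned by the post's seven `nslookup mail.live.com` runs.
DNS_ANSWERS = {"mail.live.com": [
    {"157.56.195.156", "157.55.235.51"}, {"157.55.235.49", "157.56.122.210"},
    {"157.55.43.16", "157.55.43.17"}, {"157.55.235.51", "157.56.122.208"},
    {"157.55.235.51", "157.56.122.208"}, {"157.55.235.48", "157.55.235.49"},
    {"157.55.235.49", "157.56.122.210"},
]}

URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<host>[^:/\s]+):\d+\s*$")
FORGERY_RE = re.compile(r"Host header forgery detected on local=(?P<dst>[\d.]+):\d+ "
                        r"remote=(?P<client>[\d.]+):\d+")

def parse_alerts(log_text):
    """Pair each forgery line with the adjacent 'on URL' line, in either order."""
    # Assumption: host:port URLs as in the post; interleaved alerts may mispair.
    alerts, host, hit = [], None, None
    for line in log_text.splitlines():
        if m := URL_RE.search(line):
            host = m["host"]
        elif m := FORGERY_RE.search(line):
            hit = m.groupdict()
        if host and hit:
            alerts.append({"host": host, **hit})
            host = hit = None
    return alerts

def triage(alerts, dns_answers):
    """Count the recorded DNS answers for the host that contain the flagged IP."""
    results = []
    for a in alerts:
        answers = dns_answers.get(a["host"], [])
        seen = sum(a["dst"] in ans for ans in answers)
        # Zero matches: the IP was never returned for that name in our records.
        results.append({**a, "seen_in": seen, "lookups": len(answers),
                        "verdict": "dns-rotation" if seen else "investigate"})
    return results

if __name__ == "__main__":
    for r in triage(parse_alerts(CACHE_LOG), DNS_ANSWERS):
        print(f'{r["client"]} -> {r["dst"]} ({r["host"]}): {r["verdict"]}, '
              f'in {r["seen_in"]}/{r["lookups"]} answers')
```

Each flagged address appears in only one or two of the seven recorded answers, so two resolvers asked at different moments can hold answer sets that do not overlap; an address found in none of the recorded answers is the alert to look at first.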