Dear Amos, thank you so much for your quick reply.
--
I have tried to replace my SSL config with your suggestion, but my Squid gets an error like this in cache.log:
2017/11/25 13:21:49 kid1| SECURITY ALERT: Host header forgery detected on local=216.58.199.110:443 remote=172.18.18.15:55704 FD 13 flags=33 (local IP does not match any domain IP)
2017/11/25 13:21:49 kid1| SECURITY ALERT: on URL: apis.google.com:443
2017/11/25 13:21:49 kid1| SECURITY ALERT: Host header forgery detected on local=172.217.25.3:443 remote=172.18.18.15:55705 FD 17 flags=33 (local IP does not match any domain IP)
2017/11/25 13:21:49 kid1| SECURITY ALERT: on URL: www.google.com.vn:443
2017/11/25 13:21:53 kid1| SECURITY ALERT: Host header forgery detected on local=157.240.13.35:443 remote=172.18.18.15:55720 FD 22 flags=33 (local IP does not match any domain IP)
2017/11/25 13:21:53 kid1| SECURITY ALERT: on URL: www.facebook.com:443
2017/11/25 13:21:54 kid1| SECURITY ALERT: Host header forgery detected on local=157.240.13.35:443 remote=172.18.18.15:55724 FD 22 flags=33 (local IP does not match any domain IP)
2017/11/25 13:21:54 kid1| SECURITY ALERT: on URL: www.facebook.com:443
So I can't access www.facebook.com. The error in my browser is: ERR_SSL_PROTOCOL_ERROR
I found the same issue in this discussion: http://lists.squid-cache.org/pipermail/squid-users/2016-June/011014.html
And then I tried to make my Squid a caching DNS server itself using Unbound, but it looks like it doesn't work. I get the same error as before installing the caching DNS.
Here is my DNS test on my Squid:
[root@localhost ~]# nslookup
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: google.com
Address: 216.58.203.46
And this is my DNS config in squid.conf:
# --------- DNS AND IP CACHES [4341]
dns_nameservers 127.0.0.1
dns_v4_first on
#original_dst off
client_dst_passthru off
host_verify_strict off
ignore_unknown_nameservers off
dns_timeout 120 seconds
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
positive_dns_ttl 6 hours
negative_dns_ttl 300 seconds
Could you help me please? :(
2017-11-24 20:27 GMT+07:00 Amos Jeffries <squid3@xxxxxxxxxxxxx>:
On 25/11/17 02:04, minh hưng đỗ hoàng wrote:
Dear Squid-users,
I want to set up a Squid proxy in transparent mode for http/https traffic without any config on the client side.
I use Squid 3.5.20 on CentOS 7. I just installed squid with the default features via *yum install squid*.
I just did that, but I have a problem with my output logging in access.log.
Specifically, my access.log only shows ip_address_server:443 instead of the domain name of the destination server, like this:
1511525732.912 206 172.18.18.15 TAG_NONE/200 0 CONNECT 172.217.24.35:443 - ORIGINAL_DST/172.217.24.35 -
I know that I made some mistake in my squid.conf, but I can't find out how to fix it. Could you please show me how to improve my squid.conf?
You configured "ssl_bump none all".
<https://wiki.squid-cache.org/Features/SslPeekAndSplice#Actions>
"do not use these with Squid-3.5 and newer"
Use this instead:
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
There should be two log entries per HTTPS connection. One before peek happens with raw-IP:port details. And a second one after peek which may have a _server_ name (*not* domain name) if and only if the client sends TLS SNI extension data.
Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Phone: 01234454115
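As an added illustration (not code from this thread, from Squid, or from Unbound): a small Python script that pairs the two SECURITY ALERT lines Squid writes per event and re-runs the host verification check the alert describes, i.e. whether the client's intercepted destination IP is among the addresses Squid's own resolver returns for the SNI host. The sample log excerpt and the SQUID_DNS resolver map are constructed here for the example.

```python
import re

# Constructed excerpt in the shape of the cache.log lines quoted in the thread.
CACHE_LOG = """\
2017/11/25 13:21:49 kid1| SECURITY ALERT: Host header forgery detected on local=216.58.199.110:443 remote=172.18.18.15:55704 FD 13 flags=33 (local IP does not match any domain IP)
2017/11/25 13:21:49 kid1| SECURITY ALERT: on URL: apis.google.com:443
2017/11/25 13:21:53 kid1| SECURITY ALERT: Host header forgery detected on local=157.240.13.35:443 remote=172.18.18.15:55720 FD 22 flags=33 (local IP does not match any domain IP)
2017/11/25 13:21:53 kid1| SECURITY ALERT: on URL: www.facebook.com:443
"""

# Constructed stand-in for what Squid's resolver (dns_nameservers) answered.
# A CDN often hands different addresses to different resolvers, which is
# exactly the situation that produces "local IP does not match any domain IP".
SQUID_DNS = {
    "apis.google.com": {"216.58.203.46"},
    "www.facebook.com": {"157.240.7.35"},
}

ALERT_RE = re.compile(r"forgery detected on local=(?P<ip>[\d.]+):\d+ remote=(?P<client>[\d.]+):\d+")
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<host>[^:\s]+):\d+")

def parse_alerts(text):
    """Pair each 'forgery detected' line with the 'on URL' line that follows it."""
    events, pending = [], None
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            pending = {"local_ip": m["ip"], "client": m["client"]}
            continue
        m = URL_RE.search(line)
        if m and pending is not None:
            pending["host"] = m["host"]
            events.append(pending)
            pending = None
    return events

def classify(events, resolver):
    """Same test Squid applies: is the client's destination IP one of the IPs
    the proxy itself resolves for the SNI/Host name?"""
    out = []
    for e in events:
        known = resolver.get(e["host"], set())
        verdict = "match" if e["local_ip"] in known else "mismatch"
        out.append((e["host"], e["local_ip"], sorted(known), verdict))
    return out

if __name__ == "__main__":
    for host, local_ip, known, verdict in classify(parse_alerts(CACHE_LOG), SQUID_DNS):
        print(f"{host}: client went to {local_ip}, proxy resolves {known} -> {verdict}")
```

A "mismatch" for every entry while both sides claim to resolve the same name is the signature of the client and the proxy using different DNS answers, which is why the linked thread points at making both use the same resolver.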