Re: Fwd: [Squid-3.5.20]Squid transparent proxy http/https without client site config

On 25/11/17 19:40, minh hưng đỗ hoàng wrote:
> Dear Amos, thank you so much for your quick reply.
> I have tried to replace my SSL config with your suggestion. But my squid gets an error like this in cache.log:
>
> 2017/11/25 13:21:49 kid1| SECURITY ALERT: Host header forgery detected on local=216.58.199.110:443 remote=172.18.18.15:55704 FD 13 flags=33 (local IP does not match any domain IP)
>
> ...
>
> So I can't access www.facebook.com. The error in my browser is: *ERR_SSL_PROTOCOL_ERROR*
>
> I found the same issue in this discussion: http://lists.squid-cache.org/pipermail/squid-users/2016-June/011014.html

The more complete info about that problem, the things to avoid, and the workarounds that help reduce it can be found at <https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery>

Be aware that there is no full solution yet. The latest Squid-4 and Squid-5 functionality is getting closer to coping with these services, but still not complete.

> And then I tried to make my squid become a cache DNS itself using Unbound. But it looks like it doesn't work. I get the same error as before installing the cache DNS.

Not just the Squid machine but *all* the clients going through your Squid also have to be using the same DNS resolver for that workaround. Any of them using other resolvers (eg 8.8.8.8 or similar services) *will* hit these errors.

> Here is my DNS test on my Squid:
>
> [root@localhost ~]# nslookup google.com
> Server:         127.0.0.1
> Address:        127.0.0.1#53
>
> Non-authoritative answer:
> Name:   google.com
> Address: 216.58.203.46

"google.com" is not your problem. The domain names in the log are:

 apis.google.com    != 216.58.199.110
 www.google.com.vn  != 172.217.25.3
 www.facebook.com   != 157.240.13.35

Also, be aware that the problem is extremely temporary. It can change between failed and working in any random millisecond. So testing even a few seconds later often shows different results.

> And this is my dns config in squid.config:
>
> # --------- DNS AND IP CACHES [4341]
>
> dns_nameservers 127.0.0.1
> dns_v4_first on
> #original_dst off
> client_dst_passthru off

The above setting is rejecting clients when the host verify fails.
To let traffic through the proxy when host-verify fails, set it back to the default "client_dst_passthru on".

The Host verify failure is most dangerous when cached - so that is always prohibited. But upstream routing is difficult for Squid to determine - thus that config option. It is left up to you whether you risk your clients getting infected by that mechanism - Squid just minimizes the damage and risk by limiting it to the one client making the suspicious request.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
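A small cache.log helper, added here as an example (it is not part of this thread or of Squid itself): it pulls the intercepted destination (local=) and the client (remote=) out of "Host header forgery detected" lines and groups the alerts per client, which is the quickest way to spot which clients are resolving names differently from the Squid box, as Amos describes. The sample log lines are constructed in the format quoted above; the client and destination addresses in them are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample cache.log lines, in the same format as the alert quoted
# in the thread (the client and destination addresses are made up).
SAMPLE_LOG = """\
2017/11/25 13:21:49 kid1| SECURITY ALERT: Host header forgery detected on local=216.58.199.110:443 remote=172.18.18.15:55704 FD 13 flags=33 (local IP does not match any domain IP)
2017/11/25 13:21:50 kid1| SECURITY ALERT: Host header forgery detected on local=157.240.13.35:443 remote=172.18.18.15:55710 FD 15 flags=33 (local IP does not match any domain IP)
2017/11/25 13:21:52 kid1| SECURITY ALERT: Host header forgery detected on local=172.217.25.3:443 remote=172.18.18.42:40112 FD 17 flags=33 (local IP does not match any domain IP)
2017/11/25 13:21:53 kid1| Starting new helpers
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) kid\d+\| SECURITY ALERT: Host header forgery detected on "
    r"local=(?P<local_ip>\[[^\]]+\]|[^\s:]+):(?P<local_port>\d+) "
    r"remote=(?P<client_ip>\[[^\]]+\]|[^\s:]+):(?P<client_port>\d+) "
    r"FD \d+ flags=\d+ \((?P<reason>[^)]*)\)"
)


def parse_forgery_alerts(log_text):
    """Return one dict per 'Host header forgery detected' line.

    local=  is the original destination the intercepted client connected to,
    remote= is the client that sent the request. Bracketed IPv6 literals
    are accepted too; the brackets are stripped from the result."""
    alerts = []
    for line in log_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # any other cache.log line
        d = m.groupdict()
        for k in ("local_ip", "client_ip"):
            d[k] = d[k].strip("[]")
        for k in ("local_port", "client_port"):
            d[k] = int(d[k])
        alerts.append(d)
    return alerts


def alerts_per_client(alerts):
    """Map client IP -> {destination IP: alert count}.

    A client that keeps appearing here while others on the same network do
    not is the one to check for a DNS resolver different from Squid's."""
    by_client = defaultdict(Counter)
    for a in alerts:
        by_client[a["client_ip"]][a["local_ip"]] += 1
    return {client: dict(dests) for client, dests in by_client.items()}


if __name__ == "__main__":
    for client, dests in alerts_per_client(parse_forgery_alerts(SAMPLE_LOG)).items():
        print(client, dests)
```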
