On 25/11/17 19:40, minh hưng đỗ hoàng wrote:
> Dear Amos, thank you so much for your quick reply.
> I have tried to replace my SSL config with your suggestion. But my squid
> gets an error like this in cache.log:
>
> 2017/11/25 13:21:49 kid1| SECURITY ALERT: Host header forgery detected
> on local=216.58.199.110:443
> remote=172.18.18.15:55704 FD 13 flags=33
> (local IP does not match any domain IP)
> ...
>
> So I can't access www.facebook.com. It's an error
> on my browser: *ERR_SSL_PROTOCOL_ERROR*
>
> I found the same issue in this discussion:
> http://lists.squid-cache.org/pipermail/squid-users/2016-June/011014.html
The more complete info about that problem, the things to avoid, and the
workarounds that help reduce it can be found at
<https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery>
Be aware that there is no full solution yet. The latest Squid-4 and
Squid-5 functionality is getting closer to coping with these services,
but still not complete.
> And then I tried to make my squid become a caching DNS itself using
> Unbound. But it looks like it doesn't work. I get the same error as before
> installing the caching DNS.
Not just the Squid machine but *all* the clients going through your
Squid also have to be using the same DNS resolver for that workaround.
Any of them using other resolvers (eg 8.8.8.8 or similar services)
*will* hit these errors.
> Here is my DNS test on my Squid:
>
> [root@localhost ~]# nslookup google.com
> Server:         127.0.0.1
> Address:        127.0.0.1#53
>
> Non-authoritative answer:
> Name:   google.com
> Address: 216.58.203.46
"google.com" is not your problem. The domain names in the log are:
apis.google.com != 216.58.199.110
www.google.com.vn != 172.217.25.3
www.facebook.com != 157.240.13.35
Also, be aware that the problem is extremely temporary. It can change
between failed and working in any random millisecond. So testing even a
few seconds later often shows different results.
> And this is my DNS config in squid.config:
>
> # --------- DNS AND IP CACHES [4341]
> dns_nameservers 127.0.0.1
> dns_v4_first on
> #original_dst off
> client_dst_passthru off
The above setting is rejecting clients when the host verify fails.
To let traffic through the proxy when host-verify fails, set it back to
the default "client_dst_passthru on".
The Host verify failure is most dangerous when cached - so that is
always prohibited. But upstream routing is difficult for Squid to
determine - thus that config option. It is left up to you whether you
risk your clients getting infected by that mechanism - Squid just
minimizes the damage and risk by limiting it to the one client making
the suspicious request.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
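The following is an added example, not code from the thread or from Squid itself. It does two things a practitioner dealing with this thread would want: it parses the "Host header forgery detected" alert format quoted above out of cache.log lines and counts alerts per client address (clients that keep appearing are the ones most likely to be using a resolver other than the proxy's, which is the workaround Amos describes), and it models the verification decision as the reply explains it: an original-destination IP that is not among the proxy's own DNS answers for the Host header is never cached, and is either relayed to that one original IP (client_dst_passthru on) or refused (client_dst_passthru off). The model is a deliberate simplification of what Amos describes, not Squid's actual implementation, the sample log lines and the in-memory DNS table are constructed for the example, and the addresses are taken from the thread only for illustration.

```python
"""Parse Squid 'Host header forgery' alerts and model the host-verify decision.

Added example for the squid-users thread above; NOT Squid's own code. The
decision logic is a simplified model of what the reply describes, and the
sample data below is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Set

# Alert line format copied from the cache.log excerpt quoted in the thread.
# "local=" is the original (NAT-intercepted) destination, "remote=" the client.
ALERT_RE = re.compile(
    r"SECURITY ALERT: Host header forgery detected on "
    r"local=(?P<local>\S+):(?P<lport>\d+) "
    r"remote=(?P<remote>\S+):(?P<rport>\d+)"
)


@dataclass
class Alert:
    dst_ip: str      # where the client was really connecting (local=)
    dst_port: int
    client_ip: str   # the client that sent the request (remote=)
    client_port: int


def parse_alert(line: str) -> Optional[Alert]:
    """Return the parsed alert, or None for any other cache.log line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(m["local"], int(m["lport"]), m["remote"], int(m["rport"]))


def alerts_by_client(lines: Iterable[str]) -> Counter:
    """Count forgery alerts per client IP.

    Clients that dominate this count are the first candidates for "is this
    host using a different DNS resolver than the proxy?".
    """
    counts: Counter = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            counts[alert.client_ip] += 1
    return counts


@dataclass
class Decision:
    verified: bool
    cacheable: bool
    forward_to: Optional[str]   # None means the request is refused


def host_verify(dst_ip: str, host: str,
                resolver: Callable[[str], Set[str]],
                client_dst_passthru: bool = True) -> Decision:
    """Simplified model (assumption, not Squid's code) of the check in the reply.

    The proxy resolves the Host header with its OWN resolver and compares the
    answers with the client's original destination IP.  A mismatch is never
    cached; with passthru on it is relayed to the original IP only, with
    passthru off it is refused.
    """
    answers = resolver(host)
    if dst_ip in answers:
        return Decision(verified=True, cacheable=True, forward_to=dst_ip)
    if client_dst_passthru:
        return Decision(verified=False, cacheable=False, forward_to=dst_ip)
    return Decision(verified=False, cacheable=False, forward_to=None)


def make_resolver(table: Dict[str, Set[str]]) -> Callable[[str], Set[str]]:
    """In-memory stand-in for the proxy's DNS (e.g. a local Unbound)."""
    return lambda host: table.get(host, set())


# Constructed sample data (hypothetical answers, modelled on the thread).
PROXY_DNS = make_resolver({
    "apis.google.com": {"216.58.203.46"},     # proxy's answer, client went elsewhere
    "www.facebook.com": {"157.240.13.35"},    # proxy and client agree
})

SAMPLE_LOG = [
    "2017/11/25 13:21:49 kid1| SECURITY ALERT: Host header forgery detected on "
    "local=216.58.199.110:443 remote=172.18.18.15:55704 FD 13 flags=33 "
    "(local IP does not match any domain IP)",
    "2017/11/25 13:21:49 kid1| SECURITY ALERT: Host header forgery detected on "
    "local=172.217.25.3:443 remote=172.18.18.15:55710 FD 14 flags=33 "
    "(local IP does not match any domain IP)",
    "2017/11/25 13:21:50 kid1| SECURITY ALERT: Host header forgery detected on "
    "local=157.240.13.35:443 remote=172.18.18.40:40211 FD 15 flags=33 "
    "(local IP does not match any domain IP)",
    "2017/11/25 13:21:50 kid1| Starting Squid Cache version (constructed line)",
]

if __name__ == "__main__":
    print("alerts per client:", dict(alerts_by_client(SAMPLE_LOG)))
    for host, dst in (("apis.google.com", "216.58.199.110"),
                      ("www.facebook.com", "157.240.13.35")):
        for passthru in (True, False):
            print(host, dst, "passthru=%s" % passthru,
                  host_verify(dst, host, PROXY_DNS, passthru))
```

Run it against a real cache.log by replacing SAMPLE_LOG with the file's lines; the per-client counts point at the hosts whose resolver disagrees with the proxy's, and the host_verify model makes the effect of client_dst_passthru explicit: off turns every such disagreement into a refused request, on turns it into an uncached relay to the client's original destination.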