Dear Amos,
Sorry for concluding hurriedly.
When I test with 1 user, it seems OK, with no more alerts in cache.log. But when I test with more users, the alerts in cache.log happen again, and so I can't access some HTTPS pages such as chatwork.com and facebook.com.
2017/11/29 18:06:41 kid1| SECURITY ALERT: Host header forgery detected on local=54.238.137.130:443 remote=172.16.255.10:61831 FD 131 flags=33 (local IP does not match any domain IP)
2017/11/29 18:06:41 kid1| SECURITY ALERT: on URL: www.chatwork.com:443
2017/11/29 18:06:48 kid1| SECURITY ALERT: Host header forgery detected on local=31.13.95.8:443 remote=172.16.255.51:54984 FD 173 flags=33 (local IP does not match any domain IP)
2017/11/29 18:06:48 kid1| SECURITY ALERT: on URL: api.facebook.com:443
2017/11/29 18:08:07 kid1| SECURITY ALERT: Host header forgery detected on local=31.13.95.12:443 remote=172.16.255.51:54990 FD 51 flags=33 (local IP does not match any domain IP)
2017/11/29 18:08:07 kid1| SECURITY ALERT: on URL: static.xx.fbcdn.net:443
2017/11/29 18:08:50 kid1| SECURITY ALERT: Host header forgery detected on local=172.217.24.197:443 remote=172.16.255.10:61866 FD 34 flags=33 (local IP does not match any domain IP)
2017/11/29 18:08:50 kid1| SECURITY ALERT: on URL: mail.google.com:443
2017/11/29 18:09:43 kid1| SECURITY ALERT: Host header forgery detected on local=13.113.80.172:443 remote=172.16.255.10:61890 FD 124 flags=33 (local IP does not match any domain IP)
2017/11/29 18:09:43 kid1| SECURITY ALERT: on URL: ws-chatwork.pusher.com:443
2017/11/29 18:10:59 kid1| WARNING: 1 swapin MD5 mismatches
2017/11/29 18:11:00 kid1| SECURITY ALERT: Host header forgery detected on local=157.240.15.22:443 remote=172.16.255.51:55032 FD 93 flags=33 (local IP does not match any domain IP)
2017/11/29 18:11:00 kid1| SECURITY ALERT: on URL: connect.facebook.net:443
2017/11/29 18:13:15 kid1| SECURITY ALERT: Host header forgery detected on local=31.13.95.36:443 remote=172.16.255.12:33158 FD 25 flags=33 (local IP does not match any domain IP)
2017/11/29 18:13:15 kid1| SECURITY ALERT: on URL: www.facebook.com:443
2017/11/29 18:14:00 kid1| SECURITY ALERT: Host header forgery detected on local=31.13.95.34:443 remote=172.16.255.59:39526 FD 74 flags=33 (local IP does not match any domain IP)
2017/11/29 18:14:00 kid1| SECURITY ALERT: on URL: mqtt-mini.facebook.com:443
I have a Mikrotik router (172.16.1.1) and some local LANs. For every LAN, my DHCP allocates the DNS and gateway. Ex: 172.16.255.0/24 with gateway 172.16.255.254 and DNS 172.16.255.254
- Mikrotik is configured as a DNS cache using 8.8.8.8
- Squid uses DNS 172.16.1.1 (Mikrotik DNS)
- Squid's DNS is configured to 172.16.1.1
- Clients use the DNS allocated by DHCP (but that is still the Mikrotik router)
--
Here is my full squid.conf :
# Allow LAN Network
# Allow Network ACL Allow/Deny Section#
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
acl fb dstdomain .facebook.com
#http_access deny CONNECT fb
http_access allow localhost
http_access allow all
# Transparent Proxy Parameters
http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=off cert=/etc/squid/ssl_cert/squid-3.5.27.pem
### SSL config ###
#-Start-#
#ssl_bump none all
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
#-End-#
# --------- Add X-Forwarded-for in headers [0]?
#-Start-#
forwarded_for transparent
#-End-#
debug_options ALL,1
log_fqdn on
emulate_httpd_log on
icap_enable on
global_internal_static on
short_icon_urls on
log_uses_indirect_client on
# --------- DNS AND IP CACHES [4341]
dns_nameservers 172.16.1.1
dns_v4_first on
host_verify_strict off
ignore_unknown_nameservers off
dns_timeout 120 seconds
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
positive_dns_ttl 6 hours
negative_dns_ttl 300 seconds
---------------------------------------------------------
Could you please help me? Thanks & Best Regards,
2017-11-28 17:32 GMT+07:00 minh hưng đỗ hoàng <hoangminhung@xxxxxxxxx>:
Dear Amos,
I solved my problem by following this:
1 - I used my Mikrotik router as a cache DNS
2 - Both Squid proxy and my client use Mikrotik's DNS
=> There are no more alerts in cache.log
Thanks a lot :)
--
Phone: 01234454115
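A triage helper for the alert pairs quoted in the message above, added here as an example and not part of the original post or of Squid: it pairs each "forgery detected" line with its "on URL" line, groups by hostname, and re-checks the client-chosen IPs against whatever the proxy's resolver returns. The function names and the `resolve` callback are assumptions made for this example; the log lines are copied from the message.

```python
import re
import socket
from collections import defaultdict

# Lines copied from the cache.log excerpt in the message above, including the
# unrelated WARNING line that sits between two alert pairs.
SAMPLE_LOG = """\
2017/11/29 18:09:43 kid1| SECURITY ALERT: Host header forgery detected on local=13.113.80.172:443 remote=172.16.255.10:61890 FD 124 flags=33 (local IP does not match any domain IP)
2017/11/29 18:09:43 kid1| SECURITY ALERT: on URL: ws-chatwork.pusher.com:443
2017/11/29 18:10:59 kid1| WARNING: 1 swapin MD5 mismatches
2017/11/29 18:11:00 kid1| SECURITY ALERT: Host header forgery detected on local=157.240.15.22:443 remote=172.16.255.51:55032 FD 93 flags=33 (local IP does not match any domain IP)
2017/11/29 18:11:00 kid1| SECURITY ALERT: on URL: connect.facebook.net:443
2017/11/29 18:13:15 kid1| SECURITY ALERT: Host header forgery detected on local=31.13.95.36:443 remote=172.16.255.12:33158 FD 25 flags=33 (local IP does not match any domain IP)
2017/11/29 18:13:15 kid1| SECURITY ALERT: on URL: www.facebook.com:443
"""

# IPv4 only, matching the excerpt; "local" is the address the client dialled.
DETECT = re.compile(r"^(\S+ \S+) (kid\d+)\| SECURITY ALERT: Host header forgery detected "
                    r"on local=([\d.]+):\d+ remote=([\d.]+):\d+")
ON_URL = re.compile(r"^\S+ \S+ (kid\d+)\| SECURITY ALERT: on URL: (?:\w+://)?([^\s:/]+)")

def parse_alerts(text):
    """Pair each 'forgery detected' line with the next 'on URL' line from the same worker."""
    pending, alerts = {}, []
    for line in text.splitlines():
        if m := DETECT.match(line):
            when, kid, dst_ip, client_ip = m.groups()
            pending[kid] = {"time": when, "dst_ip": dst_ip, "client": client_ip}
        elif (m := ON_URL.match(line)) and m.group(1) in pending:
            alerts.append({**pending.pop(m.group(1)), "host": m.group(2)})
    return alerts

def summarize(alerts):
    """host -> destination IPs the clients connected to, and which clients did so."""
    out = defaultdict(lambda: {"dst_ips": set(), "clients": set()})
    for a in alerts:
        out[a["host"]]["dst_ips"].add(a["dst_ip"])
        out[a["host"]]["clients"].add(a["client"])
    return dict(out)

def unmatched(summary, resolve):
    """Per host, client-chosen IPs missing from the set the resolver callback returns."""
    return {h: sorted(s["dst_ips"] - set(resolve(h))) for h, s in summary.items()}

def resolve_live(host):
    """Resolver callback for live use; run it on the proxy host so it asks the same DNS."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, 443, socket.AF_INET)}

if __name__ == "__main__":
    print(summarize(parse_alerts(SAMPLE_LOG)))
```

Calling `unmatched(summarize(parse_alerts(log_text)), resolve_live)` on the Squid host lists, per hostname, the addresses clients used that the proxy's own lookup does not return at that moment.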