https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery

07.12.2017 5:40, Hugo Saavedra wrote:
> ooops!, we have another problem here, anyone knows what is this?
>
> 2017/12/06 19:30:23 kid1| SECURITY ALERT: on URL: login.live.com:443
> 2017/12/06 19:30:23 kid1| SECURITY ALERT: Host header forgery detected
> on local=131.253.61.100:443 remote=192.168.10.2:59041 FD 126 flags=33
> (local IP does not match any domain IP)
> 2017/12/06 19:30:23 kid1| SECURITY ALERT: on URL: login.live.com:443
> 2017/12/06 19:30:37 kid1| SECURITY ALERT: Host header forgery detected
> on local=131.253.61.100:443 remote=192.168.10.2:59042 FD 106 flags=33
> (local IP does not match any domain IP)
> 2017/12/06 19:30:37 kid1| SECURITY ALERT: on URL: login.live.com:443
> 2017/12/06 19:30:37 kid1| SECURITY ALERT: Host header forgery detected
> on local=131.253.61.100:443 remote=192.168.10.2:59043 FD 107 flags=33
> (local IP does not match any domain IP)
> 2017/12/06 19:30:37 kid1| SECURITY ALERT: on URL: login.live.com:443
>
> Thanks
>
> 2017-12-06 16:56 GMT-03:00 Hugo Saavedra <hugo.saavedra.oteiza@xxxxxxxxx>:
>> Solution found: we commented the sslproxy_cipher line and it works!
>> Are there any security issues if we leave the default options for this variable?
>>
>> thanks
>> Hugo
>>
>> 2017-12-06 16:21 GMT-03:00 Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>:
>>> On 12/06/2017 12:06 PM, Hugo Saavedra wrote:
>>>> 2017/12/06 16:02:37 kid1| Error negotiating SSL connection on FD 61:
>>>> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>>>> (1/0)
>>> You may be able to fix this problem by updating your collection of
>>> public CA certificates. Squid uses CA certificates to validate
>>> certificates presented by origin servers. You may be able to confirm
>>> that your collection is stale and know more (e.g., which CA certificate
>>> is unknown) if you can map the above error to an access.log entry that
>>> would give you the origin server name to interrogate.
>>>
>>> Similar reasoning applies to other SSL-related cache.log errors as well,
>>> but troubleshooting them may require more effort (e.g., starting with
>>> higher debugging levels and/or packet captures).
>>>
>>> Alex.
>>
>>
>> --
>> Saludos,
>> Hugo Saavedra
>

--
"Some people, when confronted with a problem, think «I know, I'll use regular expressions.» Now they have two problems."
--Jamie Zawinski

**************************
* C++: Bug to the future *
**************************
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
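
An added example (not part of the thread and not Squid project code): it pairs each "Host header forgery detected" line from cache.log with the "on URL" line that follows it and counts alerts per client, URL and destination IP, so an operator can see which hosts trigger the check. The function names, the unwrapped sample lines and the `resolve` callable are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed sample: the alerts quoted in the thread, unwrapped to one line each.
# The patterns below handle IPv4 addresses only (an assumption of this example).
SAMPLE_LOG = """\
2017/12/06 19:30:23 kid1| SECURITY ALERT: on URL: login.live.com:443
2017/12/06 19:30:23 kid1| SECURITY ALERT: Host header forgery detected on local=131.253.61.100:443 remote=192.168.10.2:59041 FD 126 flags=33 (local IP does not match any domain IP)
2017/12/06 19:30:23 kid1| SECURITY ALERT: on URL: login.live.com:443
2017/12/06 19:30:37 kid1| SECURITY ALERT: Host header forgery detected on local=131.253.61.100:443 remote=192.168.10.2:59042 FD 106 flags=33 (local IP does not match any domain IP)
2017/12/06 19:30:37 kid1| SECURITY ALERT: on URL: login.live.com:443
2017/12/06 19:30:37 kid1| SECURITY ALERT: Host header forgery detected on local=131.253.61.100:443 remote=192.168.10.2:59043 FD 107 flags=33 (local IP does not match any domain IP)
2017/12/06 19:30:37 kid1| SECURITY ALERT: on URL: login.live.com:443
"""

DETECT = re.compile(
    r"SECURITY ALERT: Host header forgery detected on "
    r"local=(?P<dst>[^\s:]+):(?P<dport>\d+) remote=(?P<client>[^\s:]+):\d+ "
    r".*\((?P<reason>[^)]*)\)"
)
ON_URL = re.compile(r"SECURITY ALERT: on URL: (?P<url>\S+)")

def parse_alerts(text):
    """Pair each 'forgery detected' line with the 'on URL' line that follows it."""
    alerts, pending = [], None
    for line in text.splitlines():
        m = DETECT.search(line)
        if m:
            pending = m.groupdict()
            continue
        m = ON_URL.search(line)
        if m and pending is not None:  # skips an orphan 'on URL' at the start of an excerpt
            pending["url"] = m.group("url")
            alerts.append(pending)
            pending = None
    return alerts

def summarize(alerts):
    """Count alerts per (client IP, requested URL, destination IP the client dialed)."""
    return Counter((a["client"], a["url"], a["dst"]) for a in alerts)

def dst_matches_dns(alert, resolve):
    """True if the dialed IP is among the addresses resolve(host) returns."""
    host = alert["url"].rsplit(":", 1)[0]
    return alert["dst"] in set(resolve(host))

if __name__ == "__main__":
    for key, n in summarize(parse_alerts(SAMPLE_LOG)).items():
        print(n, *key)
```

Passing a `resolve` function that queries the same DNS server the proxy uses shows whether the destination IP in an alert is absent from the proxy's view of that domain, which is what the "(local IP does not match any domain IP)" text reports.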