Hey Martin, Technically there should be a way to inform Squid-Cache about multiple addresses for the same destination. If Squid doesn't know that it's a real IP of the domains a partial solution is to use the same DNS service but it can also be something else. For example there should be a way\option for squid to decide if this address of the client or server is secured. Amos what do you think? Can a Host header forgery detection override acl be added? Should it be added? I believe that if there are some properties to the remote certificate we can flag the service as "Secure" IE if the OS runs a "openssl s_client -host www.ubuntnu.com -connect 91.189.89.118:443 And the certificate is fine then... it's there is no place for any SECURITY ALERT. I believe that a simple ACL addition which will depend on an external acl helper could be a good option. Eliezer ---- Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: eliezer@xxxxxxxxxxxx -----Original Message----- From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Martin Hanson Sent: Monday, May 14, 2018 09:00 To: squid-users@xxxxxxxxxxxxxxxxxxxxx Subject: Re: SOLVED - SECURITY ALERT: Host header forgery detected > So I finally got the whitelist working, but now every other box on the "localnet", when trying to access the whitelist, gets a: > > 2018/05/14 07:40:18 kid1| SECURITY ALERT: on URL: www.ubuntu.com:443 > 2018/05/14 07:40:18 kid1| SECURITY ALERT: Host header forgery detected on local=91.189.89.118:443 remote=192.168.1.4:43354 FD 23 flags=33 (local IP does not match any domain IP) I made a mistake.. ".. ensure that the DNS servers Squid uses are the same as those used by the client(s)" Fixed. Kind regards. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
