On 6/07/19 11:51 pm, leomessi983 wrote:
> Hi
> I use 2 servers that are connected to each other with an IPsec tunnel.
>
> client >>>> Server1 ======ipsec tunnel======Server2>>>>Internet
>
> I configured NAT in Server2 toward the internet and I use squid with tproxy
> and ssl bump configuration to intercept https requests!
> Without the ipsec tunnel my squid server works fine, and also when I disable
> squid in server2 and only use the IPsec tunnel everything is going fine, but
> when I enable squid with the IPsec tunnel my clients get the
> SSL_ERROR_RX_RECORD_TOO_LONG error in their browsers and squid cache.log shows these errors:
>
> "Jul 6 15:44:59 ParsGateVM800 squid[27066] [daemon:info:1e]: 2019/07/06
> 15:44:59| SECURITY ALERT: on URL: mobile.pipe.aria.microsoft.com:443
> Jul 6 15:44:59 ParsGateVM800 squid[27066] [daemon:info:1e]: 2019/07/06
> 15:44:59| SECURITY ALERT: Host header forgery detected on
> local=52.114.128.8:443 remote=10.0.0.110:60270 FD 12 flags=17 (local IP
> does not match any domain IP)"
>
> I checked my DNS configuration in the clients and the squid server and they are
> both the same and are 8.8.8.8!
>

Each query to the 8.8.8.8 servers produces different results. Which defeats the purpose of having the DNS resolver set to the same thing.

You need to have a local resolver which the two share. That local resolver can be forwarding to 8.8.8.8 if you really want to.

Which version of Squid are you running? That RX_RECORD error usually means the other endpoint is not sending TLS. Older versions of Squid might be sending out a plain-text HTTP response.

Amos
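The mechanism behind the "Host header forgery detected (local IP does not match any domain IP)" alert, and why a shared local resolver fixes it, as an added simulation that is not part of the thread and not Squid's own code. It is a simplified model: the intercepting proxy takes the original destination IP of the intercepted connection and checks it against the addresses it resolves for the name in the SNI/Host header. The hostname, the rotating answer set and both resolver classes are constructed for the example; the round-robin behaviour stands in for a public resolver that hands out a different address on each query.

```python
"""Constructed model of an intercept proxy's host-forgery check (not Squid's code).

Two scenarios are compared:
  * client and proxy each query a public resolver directly, which may return a
    different address per query, so the proxy's answer does not contain the IP
    the client actually connected to -> the check fails;
  * client and proxy share one caching local resolver, so both see the same
    answer -> the check passes.
"""

# Constructed sample answer set: a CDN name with several valid addresses.
UPSTREAM_ANSWERS = {
    "mobile.pipe.aria.microsoft.com": [
        "52.114.128.8",     # the "local=" address from the cache.log line above
        "52.114.74.43",     # constructed alternative answers
        "52.114.132.20",
    ],
}
HOST = "mobile.pipe.aria.microsoft.com"


class RotatingResolver:
    """Models a public resolver that returns a different single A record per query."""

    def __init__(self, answers):
        self.answers = answers
        self.calls = {}

    def resolve(self, name):
        ips = self.answers[name]
        n = self.calls.get(name, 0)
        self.calls[name] = n + 1
        return [ips[n % len(ips)]]


class CachingResolver:
    """Models a shared local resolver: the first answer is cached and reused for all clients."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}

    def resolve(self, name):
        if name not in self.cache:
            self.cache[name] = self.upstream.resolve(name)
        return self.cache[name]


def forgery_check(local_ip, hostname, resolver):
    """Simplified intercept check: the destination IP of the intercepted TCP
    connection must be among the addresses the proxy resolves for hostname.
    Returns (ok, proxy_answers)."""
    ips = resolver.resolve(hostname)
    return local_ip in ips, ips


def simulate(client_resolver, proxy_resolver, hostname):
    """Client resolves and connects; proxy intercepts and re-resolves."""
    dest = client_resolver.resolve(hostname)[0]  # client picks its first answer
    ok, proxy_ips = forgery_check(dest, hostname, proxy_resolver)
    if not ok:
        # Same shape as the alert in the thread, with a constructed client address.
        msg = ("SECURITY ALERT: Host header forgery detected on "
               f"local={dest}:443 remote=10.0.0.110:60270 (local IP does not match any domain IP)")
    else:
        msg = "ok"
    return {"client_dest": dest, "proxy_ips": proxy_ips, "ok": ok, "log": msg}


def scenario_direct():
    """Both sides query the public resolver directly: consecutive queries differ."""
    public = RotatingResolver(UPSTREAM_ANSWERS)
    return simulate(public, public, HOST)


def scenario_shared():
    """Both sides go through one caching local resolver forwarding to the public one."""
    local = CachingResolver(RotatingResolver(UPSTREAM_ANSWERS))
    return simulate(local, local, HOST)


if __name__ == "__main__":
    for name, fn in (("direct", scenario_direct), ("shared", scenario_shared)):
        r = fn()
        print(f"{name}: client->{r['client_dest']} proxy sees {r['proxy_ips']} -> {r['log']}")
```

The direct scenario reproduces the alert: the client connects to the first address it was given, the proxy's own lookup returns the next one, and the destination IP is not in the proxy's answer. With the caching resolver in between, the proxy's lookup is served from the same cached answer the client received and the check passes, which is what the advice to run a shared local resolver achieves.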