On 09.11.19 06:53, Darren Breeze wrote:
I am trying to set up squid 3.5 (have to stick with this version)
why?
to intercept and https bump / splice,
squid 3 has problems with bumping/splicing that are fixed in squid4...
it's all working OK with the exception of some elements of a https site failing to load (the browser just shows "failed"). matched with the failures, I see this type of message in the cache log. 2019/11/08 17:39:46 kid1| SECURITY ALERT: Host header forgery detected on local=23.213.186.14:443 remote=172.16.3.250:57041 FD 28 flags=33 (local IP does not match any domain IP)
seems you are trying to intercept by doing DNAT on remote machine, which causes this problem. https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery you must use ip policy routing or WCCP when interceptin outside of squid machine: https://wiki.squid-cache.org/SquidFaq/InterceptionProxy#Requirements_and_methods_for_Interception_Caching -- Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. "One World. One Web. One Program." - Microsoft promotional advertisement "Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
