On 11/05/20 8:57 pm, leomessi983@xxxxxxxxx wrote:
> HI
> COULD YOU PLEASE HELP ME?

Please don't yell.

> IN INTERCEPTED TOPOLOGY WITH TPROXY I HAVE PROBLEM.
>
> WHAT IS SQUID SOLUTION FOR SITES THAT HAVE MORE THAN ONE IP ADDRESSES?
> FOR EXAMPLE SITE LIKE GOOGLE.COM RETURN DIFFERENT IP ADDRESS IN EVERY
> REQUEST AND IF CLIENT GET IP ADDRESS FOR EXAMPLE 1.1.1.1 THAT IS
> POSSIBLE THAT SQUID GET 2.2.2.2 FOR GOOGLE AND SQUID CAN NOT WORK
> PROBABLE AND SHOW FORGERY DETECTED ERROR.
>

Squid will still serve requests with Host header forgery issues. All that
will happen is Squid will not cache the response - so no other clients
get corrupted.

> IS THERE ANY WAY TO IGNORE THIS OR USE ONLY ONE DNS SERVER OR PREVENT
> SQUID OR CLIENT TO NOT RESOLVE URLS?

see <https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery>

Amos

> > I use same DNS-Server on my clients and my squid server.
> >
> > Is there any configuration directive in squid to does not resolve
> > requested URLs from client or use their resolved IP addresses?
> >
> >
> > I use this configuration:
> >
> > acl acl1 clientside_mark *****
> > tcp_outgoing_mark ***** acl1
> > acl https1 ssl::server_name "/Files/blklist"
> > ssl_bump bump https1 acl1
> > acl url1 dstdomain "/Files/blklist"
> > acl Regex1 url_regex "/Files/Reglist"
> > http_access deny Regex1 acl1
> > http_access deny url1 acl1
> >
> >
> > #Http configurations
> > http_access allow all

Do not do that.

> > http_port 0.0.0.0:3128
> > http_port 0.0.0.0:3129 tproxy disable-pmtu-discovery=transparent
> >
> >
> > #Https configurations
> > reply_header_access Strict-Transport-Security deny all
> > https_port 3130 tproxy ssl-bump \
> >   tls-cert=/conf/cert.cer \
> >   tls-key=/conf/cert.key \
> >   generate-host-certificates=on dynamic_cert_mem_cache_size=20MB
> >   disable-pmtu-discovery=transparent
> > sslcrtd_program /usr/lib64/squid/security_file_certgen -s
> > /var/lib/ssl_db -M 20MB
> > sslcrtd_children 10 startup=5 idle=1
> > acl step1 at_step SslBump1
> > ssl_bump peek step1
> > ssl_bump splice all
> >
> > I got this error messages:
> > ...
> > May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| ERROR: negotiating TLS on FD 523: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
> > May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| Error negotiating SSL connection on FD 518: error:00000001:lib(0):func(0):reason(1) (1/0)

So TLS is not working. This is your worst problem.

> > May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Squid Cache (Version 4.7): Terminated abnormally.

Please upgrade. Current v4 is 4.11.

You may want to consider upgrade to the latest v5 release for better
SSL-Bump behaviour.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
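The exchange above turns on one check: an intercepting proxy compares the IP address the client actually connected to against what the Host header resolves to, and on a mismatch it still forwards the request but refuses to cache the reply, so a client that lies in its Host header cannot poison what other clients are served. The following is an added example, not code from this thread or from the Squid project, and it is a simplified model of that check rather than Squid's real implementation. The resolver, the `google.example`/`static.example` names and the `192.0.2.10` address are constructed for the demonstration; `1.1.1.1` and `2.2.2.2` are the example addresses from the thread. It reproduces the situation the poster describes: client and proxy use the same DNS server, but a multi-address site answers each query with a different address, so the proxy's own lookup does not match the client's and the reply is marked uncacheable, while a single-address site passes.

```python
"""Added example (not from the thread or the Squid project): a simplified
model of the Host header forgery check an intercepting (TPROXY) proxy runs,
with a constructed in-memory resolver so it runs offline."""
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, Iterator, List


@dataclass(frozen=True)
class Verdict:
    forward_to: str   # address the proxy connects to: always the client's original destination
    cacheable: bool   # whether the reply may be stored and served to other clients
    reason: str


class OneAnswerResolver:
    """Constructed stand-in for a DNS server that hands out one address per
    query from a pool (the "different IP address in every request" behaviour
    the thread describes). Hypothetical helper, not a real DNS client."""

    def __init__(self, table: Dict[str, List[str]]):
        self._cursor: Dict[str, Iterator[str]] = {
            name.lower(): cycle(addrs) for name, addrs in table.items()
        }

    def resolve(self, hostname: str) -> List[str]:
        it = self._cursor.get(hostname.lower())
        return [next(it)] if it else []


def check_intercepted_request(dst_ip: str, dst_port: int,
                              host_header: str, resolver) -> Verdict:
    """Decide whether an intercepted request is safe to cache.

    dst_ip/dst_port come from the intercepted TCP connection (where the client
    really connected); host_header is what the client claims it wants. The
    proxy forwards to dst_ip regardless; only the caching decision changes.
    """
    name, _, port_text = host_header.strip().partition(":")
    name = name.lower()
    claimed_port = int(port_text) if port_text else dst_port
    if claimed_port != dst_port:
        return Verdict(dst_ip, False,
                       f"Host port {claimed_port} differs from destination port {dst_port}")
    answers = resolver.resolve(name)
    if not answers:
        return Verdict(dst_ip, False, f"{name} did not resolve; cannot verify Host header")
    if dst_ip in answers:
        return Verdict(dst_ip, True, "destination IP is one of the addresses for the Host header")
    return Verdict(dst_ip, False,
                   f"possible Host header forgery: {name} resolved to {answers}, "
                   f"client connected to {dst_ip}")


def thread_scenario() -> List[Verdict]:
    """Replay the thread's situation with constructed data: client and proxy
    query the same resolver, but the multi-address site answers each query
    differently while the single-address site does not."""
    resolver = OneAnswerResolver({
        "google.example": ["1.1.1.1", "2.2.2.2"],   # example addresses from the thread
        "static.example": ["192.0.2.10"],           # constructed, RFC 5737 documentation range
    })
    results = []
    for host in ("google.example", "static.example"):
        client_ip = resolver.resolve(host)[0]   # client resolves and connects here
        # the proxy intercepts that connection and does its own lookup inside the check
        results.append(check_intercepted_request(client_ip, 80, host, resolver))
    return results


if __name__ == "__main__":
    for v in thread_scenario():
        print(f"forward_to={v.forward_to} cacheable={v.cacheable}  {v.reason}")
```

Running it shows the first request forwarded to `1.1.1.1` but flagged uncacheable because the proxy's lookup returned `2.2.2.2`, and the second request both forwarded and cacheable. That is the behaviour Amos describes: the mismatch never blocks the client, it only stops the reply from being shared through the cache, which is exactly the property that protects other clients.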