
issues with sslbump and "Host header forgery detected" warnings

    Hello Everyone,

    I'm trying to set up sslbump for the first time (on squid-4.13) and, at first, things seem to be working. After taking some time to understand the new terms (splice, bump, stare, etc.), I seem to have got things somehow working.

    Actually I'm NOT looking for complete bumping (and decrypting) of the connections. During my lab studies, I found out that simply 'splicing' the connections is enough for me. I just wanna intercept https connections and have them logged, just the hostname, and that seems to be achievable without even installing my certificates on the client, as I'm not changing anything, just 'taking a look' at the SNI values of the connection. The connection itself remains end-to-end protected, and that's fine to me. I just wanna have things logged. And that's working just fine.

    However, some connections are failing with the "Host header forgery detected" warnings. Example:

2020/11/06 18:04:21 kid1| SECURITY ALERT: Host header forgery detected on local=216.58.222.106:443 remote=10.4.1.123:39994 FD 73 flags=33 (local IP does not match any domain IP)
2020/11/06 18:04:21 kid1| SECURITY ALERT: on URL: chromesyncpasswords-pa.googleapis.com:443

    and usually a NONE/409 (Conflict) log entry is generated on those. Refresh once or twice and it will eventually work.

    I have found several discussions on this and I can confirm it happens on hostnames that resolve to several different IPs or hostnames that, somehow, keep changing IPs (CDNs or something like that).

    Clients are already using the same DNS server as the squid box, as recommended, but the problem is still happening quite a lot. For regular hostnames that translate to a single IP address, things are 100% working.

    Questions:

    - without using WPAD or without configuring proxy on the client devices, is this somehow "fixable"? Same DNS already being used ...
    - is there any chance the NONE/409 (Conflict) logs I'm seeing are not related to this? Maybe these are just WARNINGs and not ERRORs, or would these really cause a fail to the intercepted connection?
    - any other hint on this one without having to set proxy, in any way, on the clients? I just wanna have hostnames (and traffic generated) logged, no need for full decrypt (bumping) of the connections.


    Thanks !!!






--


	Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	My SPAM trap, do NOT send email to it
	gertrudes@xxxxxxxxxxxxxx
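An added example, not part of the original post: a small Python script that pairs the two "SECURITY ALERT" lines Squid writes per event, then re-runs the same check Squid applies (the destination IP the client actually connected to must be among the IPs the proxy resolved for the SNI name) against a constructed resolver snapshot. Sorting mismatches into "name has several addresses" (the benign CDN/rotation case described above) versus "name has a single address" is what an operator would want before deciding whether a 409 is noise or worth a closer look. The log excerpt, hostnames and resolver answers are constructed placeholders.

```python
import re

# Constructed cache.log excerpt modelled on the format quoted in the post; not real traffic.
CACHE_LOG = """\
2020/11/06 18:04:21 kid1| SECURITY ALERT: Host header forgery detected on local=216.58.222.106:443 remote=10.4.1.123:39994 FD 73 flags=33 (local IP does not match any domain IP)
2020/11/06 18:04:21 kid1| SECURITY ALERT: on URL: chromesyncpasswords-pa.googleapis.com:443
2020/11/06 18:05:02 kid1| SECURITY ALERT: Host header forgery detected on local=203.0.113.7:443 remote=10.4.1.55:40011 FD 81 flags=33 (local IP does not match any domain IP)
2020/11/06 18:05:02 kid1| SECURITY ALERT: on URL: single.example.test:443
"""

# Constructed, hypothetical snapshot of what the proxy's resolver returned at the time.
RESOLVED = {
    "chromesyncpasswords-pa.googleapis.com": {"172.217.29.74", "216.58.222.42"},
    "single.example.test": {"198.51.100.10"},
}

ALERT_RE = re.compile(r"forgery detected on local=(?P<local>[\d.]+):\d+ remote=(?P<remote>[\d.]+):\d+")
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<host>[^:\s]+):\d+")


def parse_alerts(text):
    """Pair each 'forgery detected' line with the 'on URL' line Squid logs right after it."""
    events, pending = [], None
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            pending = {"local": m["local"], "remote": m["remote"]}
            continue
        m = URL_RE.search(line)
        if m and pending is not None:
            pending["host"] = m["host"]
            events.append(pending)
            pending = None
    return events


def classify(events, resolved):
    """Re-run Squid's check offline against the resolver snapshot.

    A mismatch on a name with several addresses is the CDN/rotation case from the post;
    a mismatch on a single-address name is the one an analyst should look at more closely."""
    out = []
    for ev in events:
        ips = resolved.get(ev["host"], set())
        if ev["local"] in ips:
            verdict = "consistent"
        elif len(ips) > 1:
            verdict = "mismatch-multi-ip"
        else:
            verdict = "mismatch-single-ip"
        out.append((ev["host"], ev["local"], ev["remote"], verdict))
    return out
```

Feed it a real cache.log and a resolver snapshot taken from the proxy host (e.g. the output of its own lookups at the time) to see which 409s come from multi-address names.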



_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users



