Hey,

I have been testing both Squid 4.17 and 5.3 (yet to test 6.x). The issue I have seen is pretty annoying operationally. Other products on the market resolve this issue with a couple of techniques, and I assume it shouldn't be a problem to configure it.

It's a special case that was raised due to the nature of remote working. I am connecting to a couple of places with a VPN connection which must force the remote DNS for a couple of services. However, not all the traffic is passed via the VPN connection tunnel. What happens is that the local proxy with SSL bump is using the local recursive DNS server while the PC uses the VPN DNS server. So, I am trying to access http://www.google.com and boom: I get SSL errors.

I have tried to understand the issue and took a packet capture: https://cloud1.ngtech.co.il/squid/1.pcapng

I have also seen the cache and access logs, which show the following:

# cache.log
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on local=142.250.179.228:443 remote=10.200.191.171:51831 FD 16 flags=33 (local IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on local=142.250.179.228:443 remote=10.200.191.171:51832 FD 16 flags=33 (local IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on local=142.250.179.228:443 remote=10.200.191.171:51833 FD 16 flags=33 (local IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on local=142.250.179.228:443 remote=10.200.191.171:51834 FD 16 flags=33 (local IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on local=142.250.179.228:443 remote=10.200.191.171:51835 FD 16 flags=33 (local IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on local=142.250.179.228:443 remote=10.200.191.171:51836 FD 16 flags=33 (local IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on local=142.250.179.228:443 remote=10.200.191.171:51837 FD 16 flags=33 (local IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on local=142.250.179.228:443 remote=10.200.191.171:51838 FD 16 flags=33 (local IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on local=142.250.179.228:443 remote=10.200.191.171:51839 FD 16 flags=33 (local IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on local=142.250.179.228:443 remote=10.200.191.171:51840 FD 16 flags=33 (local IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:22 kid1| Error negotiating SSL connection on FD 16: error:00000001:lib(0):func(0):reason(1) (1/-1)
2022/01/24 09:11:26 kid1| SECURITY ALERT: Host header forgery detected on local=140.82.112.25:443 remote=10.200.191.171:51842 FD 16 flags=33 (local IP does not match any domain IP)
2022/01/24 09:11:26 kid1| SECURITY ALERT: on URL: alive.github.com:443
## END

# access.log
1643008592.196      4 10.200.191.171 NONE/200 0 CONNECT 142.250.179.228:443 - HIER_NONE/- - www.google.com splice
1643008592.196      0 10.200.191.171 NONE/409 4077 CONNECT www.google.com:443 - HIER_NONE/- text/html www.google.com -
1643008592.196      0 10.200.191.171 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- - - -
1643008592.217      5 10.200.191.171 NONE/200 0 CONNECT 142.250.179.228:443 - HIER_NONE/- - www.google.com splice
1643008592.217      0 10.200.191.171 NONE/409 4077 CONNECT www.google.com:443 - HIER_NONE/- text/html www.google.com -
1643008592.217      0 10.200.191.171 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- - - -
1643008592.232      4 10.200.191.171 NONE/200 0 CONNECT 142.250.179.228:443 - HIER_NONE/- - www.google.com splice
1643008592.233      0 10.200.191.171 NONE/409 4077 CONNECT www.google.com:443 - HIER_NONE/- text/html www.google.com -
1643008592.233      0 10.200.191.171 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- - - -
1643008592.247      4 10.200.191.171 NONE/200 0 CONNECT 142.250.179.228:443 - HIER_NONE/- - www.google.com splice
1643008592.248      0 10.200.191.171 NONE/409 4077 CONNECT www.google.com:443 - HIER_NONE/- text/html www.google.com -
1643008592.248      0 10.200.191.171 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- - - -
1643008592.265      5 10.200.191.171 NONE/200 0 CONNECT 142.250.179.228:443 - HIER_NONE/- - www.google.com splice
1643008592.266      0 10.200.191.171 NONE/409 4077 CONNECT www.google.com:443 - HIER_NONE/- text/html www.google.com -
1643008592.266      0 10.200.191.171 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- - - -
1643008592.276      4 10.200.191.171 NONE/200 0 CONNECT 142.250.179.228:443 - HIER_NONE/- - www.google.com splice
1643008592.276      0 10.200.191.171 NONE/409 4077 CONNECT www.google.com:443 - HIER_NONE/- text/html www.google.com -
1643008592.276      0 10.200.191.171 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- - - -
1643008592.291      4 10.200.191.171 NONE/200 0 CONNECT 142.250.179.228:443 - HIER_NONE/- - www.google.com splice
1643008592.291      0 10.200.191.171 NONE/409 4077 CONNECT www.google.com:443 - HIER_NONE/- text/html www.google.com -
1643008592.291      0 10.200.191.171 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- - - -
1643008592.306      4 10.200.191.171 NONE/200 0 CONNECT 142.250.179.228:443 - HIER_NONE/- - www.google.com splice
1643008592.306      0 10.200.191.171 NONE/409 4077 CONNECT www.google.com:443 - HIER_NONE/- text/html www.google.com -
1643008592.306      0 10.200.191.171 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- - - -
1643008592.320      4 10.200.191.171 NONE/200 0 CONNECT 142.250.179.228:443 - HIER_NONE/- - www.google.com splice
1643008592.320      0 10.200.191.171 NONE/409 4077 CONNECT www.google.com:443 - HIER_NONE/- text/html www.google.com -
1643008592.320      0 10.200.191.171 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- - - -
1643008592.336      5 10.200.191.171 NONE/200 0 CONNECT 142.250.179.228:443 - HIER_NONE/- - www.google.com splice
1643008592.336      0 10.200.191.171 NONE/409 4077 CONNECT www.google.com:443 - HIER_NONE/- text/html www.google.com -
1643008592.336      0 10.200.191.171 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- - - -
1643008594.154    145 10.200.191.171 NONE/200 0 CONNECT 104.21.81.98:443 - ORIGINAL_DST/104.21.81.98 - www.ruby-forum.com bump
## END

Squid returns the response:

HTTP/1.1 409 Conflict
Server: squid/4.17
Mime-Version: 1.0
Date: Mon, 24 Jan 2022 07:13:00 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3680
X-Squid-Error: ERR_CONFLICT_HOST 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from px2-043.ngtech.home
X-Cache-Lookup: NONE from px2-043.ngtech.home:3128
Via: 1.1 px2-043.ngtech.home (squid/4.17)
Connection: close
...

And Squid is right indeed. The local DNS has the following resolution for www.google.com:

> www.google.com
Server:  [10.200.191.3]
Address:  10.200.191.3

Non-authoritative answer:
Name:    www.google.com
Addresses:  2a00:1450:4009:80a::2004
          216.58.212.196

While the remote resolution is:

> www.google.com
Server:  DC..XX
Address:  192.168.X.X

Non-authoritative answer:
Name:    www.google.com
Addresses:  2a00:1450:4009:81d::2004
          142.250.179.228

So yes, it's a different IP than expected; however, Squid should have the option (to my understanding) to handle such cases. Maybe disable caching or anything else.

The whole server config, i.e. /etc/squid, is at: http://cloud1.ngtech.co.il/squid/support-save-2022-01-24_09:31:10.tar.gz

I have created a setup which uses MySQL to store and dump specific ACL files. It has a nice Makefile with a support-save option which dumps many details on the machine, including the most relevant HW and OS details.

I have tried to patch Squid to "fix" the issue but didn't have enough time to resolve it. I hope it will help to add the ability to handle this situation (in the past I hadn't seen a real need for a solution, and I was wrong).

If any details are missing let me know. I am pretty sure that there is an open bug for this issue and I am more than welcome to get a redirection towards it with a link.

Thanks,
----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
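The post shows Squid's host header forgery check rejecting intercepted CONNECTs because the destination IP the client chose (from the VPN resolver) is not among the addresses the proxy's own resolver returns for the same name. Before changing anything on the proxy, an operator will want to confirm from cache.log that the 409s really come from such a split-DNS disagreement and not from a client genuinely sending a forged Host/SNI. The following triage script is an added example written for this editorial pass; it is not code from the original post or from the Squid project. It pairs each "Host header forgery detected" line with the "on URL" line Squid logs right after it, then labels each event by whether the intercepted IP appears in the proxy resolver's answer set, in the client/VPN resolver's answer set, or in neither. The sample log lines and the two answer sets are taken from the post; the dictionary shape and the verdict names are the example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample: a subset of the cache.log lines quoted in the post above.
CACHE_LOG = """\
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on local=142.250.179.228:443 remote=10.200.191.171:51831 FD 16 flags=33 (local IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:20 kid1| SECURITY ALERT: Host header forgery detected on local=142.250.179.228:443 remote=10.200.191.171:51832 FD 16 flags=33 (local IP does not match any domain IP)
2022/01/24 09:11:20 kid1| SECURITY ALERT: on URL: www.google.com:443
2022/01/24 09:11:22 kid1| Error negotiating SSL connection on FD 16: error:00000001:lib(0):func(0):reason(1) (1/-1)
2022/01/24 09:11:26 kid1| SECURITY ALERT: Host header forgery detected on local=140.82.112.25:443 remote=10.200.191.171:51842 FD 16 flags=33 (local IP does not match any domain IP)
2022/01/24 09:11:26 kid1| SECURITY ALERT: on URL: alive.github.com:443
"""

# Resolver answer sets as shown in the post: what the proxy's local recursive
# resolver returns versus what the client's VPN resolver returns. The dict
# shape (name -> set of addresses) is an assumption of this example.
PROXY_DNS = {"www.google.com": {"2a00:1450:4009:80a::2004", "216.58.212.196"}}
CLIENT_VPN_DNS = {"www.google.com": {"2a00:1450:4009:81d::2004", "142.250.179.228"}}

# Squid prints IPv6 addresses in brackets ("local=[2001:db8::1]:443"), so the
# address class allows brackets and relies on backtracking to split off the port.
ADDR = r"\[?[0-9a-fA-F.:]+\]?"
ALERT_RE = re.compile(
    rf"^(?P<ts>\S+ \S+) kid\d+\| SECURITY ALERT: Host header forgery detected on "
    rf"local=(?P<local>{ADDR}):(?P<lport>\d+) remote=(?P<remote>{ADDR}):(?P<rport>\d+)"
)
URL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) kid\d+\| SECURITY ALERT: on URL: (?P<host>[^:\s]+)(?::(?P<port>\d+))?"
)


def parse_forgery_alerts(text):
    """Pair each forgery line with the 'on URL' line that Squid logs immediately after it."""
    events = []
    pending = None
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = URL_RE.match(line)
        if m and pending is not None:
            events.append({
                "ts": pending["ts"],
                "host": m["host"],
                "local_ip": pending["local"].strip("[]"),   # intercepted destination
                "client": pending["remote"].strip("[]"),    # client that sent the CONNECT
            })
            pending = None
    return events


def classify(events, proxy_dns, client_dns):
    """Label each event by which resolver, if any, explains the intercepted destination IP."""
    out = []
    for ev in events:
        host, ip = ev["host"], ev["local_ip"]
        if ip in proxy_dns.get(host, set()):
            verdict = "consistent"          # proxy agrees; would not normally be logged
        elif ip in client_dns.get(host, set()):
            verdict = "split-dns-mismatch"  # benign: client and proxy resolve differently
        else:
            verdict = "unexplained"         # no known resolver returned this IP; investigate
        out.append({**ev, "verdict": verdict})
    return out


def summarize(classified):
    """Count events per (host, destination IP, verdict) for a quick operator overview."""
    return Counter((e["host"], e["local_ip"], e["verdict"]) for e in classified)


if __name__ == "__main__":
    for key, n in summarize(classify(parse_forgery_alerts(CACHE_LOG),
                                     PROXY_DNS, CLIENT_VPN_DNS)).items():
        print(n, *key)
```

On the post's data the www.google.com events come out as split-dns-mismatch, while alive.github.com is "unexplained" only because the post gives no resolver answers for that name; in practice the answer sets would be filled from the two resolvers the post shows. Events that stay unexplained after both resolvers are consulted are the ones that deserve attention, since Squid's check exists precisely to stop a client from steering an intercepted connection to an IP the name does not resolve to. The usual remedy for the benign case is to make the proxy resolve through the same resolver the clients use (Squid's dns_nameservers directive), rather than weakening the check.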