Re: Squid ssl_bump splice configuration

B"H

I managed to get the ssl splice configuration to work, but when I'm splicing, for example, play.google.com

I see the following in the cache log:

2023/08/29 22:54:53.688 kid1| 33,2| client_side.cc(3214) fakeAConnectRequest: fake a CONNECT request to force connState to tunnel for ssl-bump
2023/08/29 22:54:53.700 kid1| 33,2| client_side.cc(3214) fakeAConnectRequest: fake a CONNECT request to force connState to tunnel for splice
2023/08/29 22:54:53 kid1| SECURITY ALERT: Host header forgery detected on conn3362 local=172.217.22.110:443 remote=192.168.26.100:55331 FD 540 flags=17 (local IP does not match any domain IP)
    current master transaction: master2737
2023/08/29 22:54:53 kid1| SECURITY ALERT: on URL: play.google.com:443

The host header forgery issue for play.google.com is observed only for spliced connections; when this URL is bumped I don't see this error.
Why is splicing causing this error?


 

On Mon, 28 Aug 2023 at 13:54, Ben Goz <ben.goz87@xxxxxxxxx> wrote:
B"H

I'm using squid version:
nativ@arachimprodsrv3:/usr/local/squid/etc$ /usr/local/squid/sbin/squid -v
Squid Cache: Version 6.1-VCS
Service Name: squid

This binary uses OpenSSL 3.0.2 15 Mar 2022. configure options:  '--with-large-files' '--with-openssl' '--enable-ssl' '--enable-ssl-crtd' '--enable-icap-client' '--enable-linux-netfilter' '--disable-ident-lookups'

Configured with ssl_bump and tproxy:
http_port 0.0.0.0:3128
http_port 0.0.0.0:3129 tproxy
https_port 0.0.0.0:3130 tproxy ssl-bump \
  cert=/usr/local/squid/etc/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB options=ALL,NO_SSLv3 sslflags=NO_DEFAULT_CA

And the following configurations:
acl NoSSLInterceptRegexp_always ssl::server_name "splice.list"
always_direct allow all
on_unsupported_protocol tunnel
acl DiscoverSNIHost at_step SslBump1
ssl_bump splice NoSSLInterceptRegexp_always
ssl_bump peek DiscoverSNIHost
ssl_bump bump all

The content of the file splice.list:
.prog.co.il
prog.co.il
www.prog.co.il
.shipuzim.info

The tproxy redirection works fine with the squid server, but unfortunately the URLs in splice.list are bumped although they should be spliced, as seen in the access log:

1693219853.255    626 192.168.28.254 TCP_MISS/200 64439 GET https://www.prog.co.il/ - HIER_DIRECT/172.67.196.36 text/html

And I see my squid self-signed certificate in the browser's certificate viewer.

What am I missing here?

Thanks,
Ben

 




_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
