[squid-users] url_rewrite_program shows IP addresses instead of domain name when rewriting SSL/HTTPS

Amos Jeffries squid3 at treenet.co.nz
Thu Jul 7 22:52:05 UTC 2016


On 8/07/2016 10:42 a.m., Moataz Elmasry wrote:
> Hi all,
> 
> I just had an idea. Referring to the last email.
> The reason why I'm getting those "Header forgery" errors might be because
> of the defined nat rules. I'm using the following rules:
> 
> iptables -t nat -A OUTPUT --match owner --uid-owner proxy -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination ${MY_IP}:3128
> iptables -t nat -A OUTPUT --match owner --uid-owner proxy -p tcp --dport 443 -j ACCEPT
> iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination ${MY_IP}:3129
> 
> so, the next thing is I changed the --to-destination lines as follows:
> 
> iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner proxy --dport 443 -j REDIRECT --to-port 3129
> 
> But no success. Do these nat rules have anything to do with the header
> forgery problem?

Indirectly they do. The existence of NAT is why the security test is
being done. But that is unlikely to be avoidable.

Amos
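To illustrate why NAT interception triggers the check Amos refers to, here is an added example (not Squid's code and not part of this thread) of the consistency test a proxy has to run on intercepted traffic: the proxy learns the real destination address from the NAT table, while the Host header (or SNI) comes from the client and cannot be trusted on its own, so the two are compared. The DNS answers are a constructed lookup table, and `check_host_header`, `split_host` and `resolve` are hypothetical helper names chosen for this example; a real proxy would also have to handle multiple resolver answers, TTLs and CDN rotation, which is the usual source of false positives.

```python
import ipaddress

# Constructed DNS table standing in for real resolver answers (assumption:
# a toy lookup, not a real DNS client).
FAKE_DNS = {
    "example.com": {"93.184.216.34"},
    "cdn.example.net": {"198.51.100.10", "198.51.100.11"},
}


def resolve(hostname):
    """Return the set of addresses the fake resolver knows for hostname."""
    return FAKE_DNS.get(hostname.lower().rstrip("."), set())


def split_host(header_value, default_port):
    """Split a Host header ('name' or 'name:port') into (name, port).

    Bracketed IPv6 literals such as '[2001:db8::1]:443' are handled too.
    """
    if header_value.startswith("["):
        host, _, rest = header_value[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else default_port
        return host, port
    host, _, port = header_value.partition(":")
    return host, int(port) if port else default_port


def check_host_header(dst_ip, dst_port, host_header, default_port=443):
    """Model of a host-header forgery check for an intercepted connection.

    dst_ip/dst_port are what the client actually connected to (as recovered
    from the NAT table); host_header is what the client claims. Returns
    (verdict, reason), where 'ok' means the two are consistent.
    """
    name, port = split_host(host_header, default_port)
    if port != dst_port:
        return "forgery", f"Host port {port} != intercepted port {dst_port}"

    # A literal address in the Host header must equal the destination exactly.
    try:
        literal = ipaddress.ip_address(name)
    except ValueError:
        literal = None
    if literal is not None:
        if literal == ipaddress.ip_address(dst_ip):
            return "ok", "Host is the literal destination address"
        return "forgery", f"Host literal {name} != destination {dst_ip}"

    # A hostname must resolve to the address the client actually reached.
    addrs = resolve(name)
    if not addrs:
        return "forgery", f"{name} does not resolve (no DNS answer)"
    if dst_ip in addrs:
        return "ok", f"{name} resolves to {dst_ip}"
    return "forgery", f"{name} resolves to {sorted(addrs)}, not {dst_ip}"


if __name__ == "__main__":
    # Constructed intercepted connections: (destination IP, port, Host header)
    samples = [
        ("93.184.216.34", 443, "example.com"),
        ("198.51.100.11", 443, "cdn.example.net:443"),
        ("203.0.113.5", 443, "example.com"),
        ("93.184.216.34", 443, "example.com:8443"),
    ]
    for ip, port, host in samples:
        verdict, reason = check_host_header(ip, port, host)
        print(f"{ip}:{port} Host={host!r} -> {verdict}: {reason}")
```

The third and fourth samples are the situations that produce a forgery verdict: the claimed name does not resolve to the address the client connected to, or the port in the Host header disagrees with the intercepted port. When the check fails, a proxy that is not willing to trust the client's name is left with only the NAT destination address, which is why the rewriter ends up seeing an IP address rather than a domain name.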


