[squid-users] SECURITY ALARM, once more

Amos Jeffries squid3 at treenet.co.nz
Tue Jun 21 09:09:01 UTC 2016


On 21/06/2016 5:30 a.m., reinerotto wrote:
> I see quite a few messages like this one in my logs:
>  squid[1327]: SECURITY ALERT: on URL: sa.scorecardresearch.com:443
> Running squid 3.5.19-20160524-r14057, https-intercept just for logging, so
> no bump.
> It is understood that most likely this is because of squid's DNS and
> browsers' DNS not being in sync.
> Besides, some "big well known sites", especially ad servers, are the problem.
> Having synced all my own DNS-caches, used by squid or the browsers, finally
> I could get rid of most "SECURITY ALARMS" by disabling browsers' internal DNS
> cache, and pre-fetching DNS, both for firefox and chrome.
> Which makes some sense to me, as special DNS-caching policy (60s., fixed,
> for firefox) violates TTL, and DNS-prefetch (both firefox and chrome)
> _might_ elevate the probability of using a stale IP, in case of fast
> rotation of the IP.

Complicated. All you should need to do is set up a local DNS resolver in
your network. If everything uses that, then they all stay in sync
naturally 90-something percent of the time.

> Special settings for the browsers are a bit cumbersome, so the question: Is
> it possible to create a new
> option for squid, to ignore this type of error ?

Squid already does the closest actions to "ignore" that it is possible to
safely do. If you think you can do better, you are welcome to try, but
be aware that there are a lot of subtle and complex details involved. So
it's not as easy as it first appears.

To quieten the log down to only showing critical issues:
  debug_options ALL,0

Amos
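An added example, not from this thread or from the Squid project: a small Python triage script that tallies the `SECURITY ALERT: on URL:` lines from a syslog feed by destination host, so an operator can see which sites (the fast-rotating ad servers mentioned above) dominate before deciding on a resolver change. The log lines are constructed; the line format assumed is the one quoted in the thread.

```python
import re
from collections import Counter

# Matches the alert line format quoted in the thread:
#   squid[1327]: SECURITY ALERT: on URL: sa.scorecardresearch.com:443
ALERT_RE = re.compile(
    r"squid\[\d+\]: SECURITY ALERT: on URL: (?P<host>[^:\s]+):(?P<port>\d+)"
)

# Constructed sample syslog lines (not real log data).
SAMPLE_LOG = """\
Jun 21 05:30:01 gw squid[1327]: SECURITY ALERT: on URL: sa.scorecardresearch.com:443
Jun 21 05:30:02 gw squid[1327]: Starting Squid Cache version 3.5.19 for x86_64-pc-linux-gnu...
Jun 21 05:30:05 gw squid[1327]: SECURITY ALERT: on URL: sa.scorecardresearch.com:443
Jun 21 05:31:10 gw squid[1327]: SECURITY ALERT: on URL: ads.example.net:443
Jun 21 05:32:44 gw squid[1327]: SECURITY ALERT: on URL: www.example.org:443
Jun 21 05:33:00 gw squid[1327]: SECURITY ALERT: on URL: sa.scorecardresearch.com:443
"""


def parse_alerts(log_text):
    """Yield (host, port) for every 'SECURITY ALERT: on URL:' line; other lines are ignored."""
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.group("host").lower(), int(m.group("port"))


def tally_by_host(log_text):
    """Count alerts per destination host, most frequent first."""
    counts = Counter(host for host, _ in parse_alerts(log_text))
    return counts.most_common()


def dominant_hosts(log_text, share=0.25):
    """Hosts responsible for at least `share` of all alerts: the candidates to check
    for fast IP rotation or short TTLs against the local resolver."""
    tally = tally_by_host(log_text)
    total = sum(n for _, n in tally)
    return [h for h, n in tally if total and n / total >= share]


if __name__ == "__main__":
    for host, n in tally_by_host(SAMPLE_LOG):
        print(f"{n:5d}  {host}")
    print("dominant:", dominant_hosts(SAMPLE_LOG))
```

Feed it `cache.log` or the syslog output of the proxy; hosts that dominate the tally are the ones worth resolving from the same local resolver Squid uses to confirm they are the DNS-mismatch case rather than something else.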