[squid-users] Fwd: [Squid-3.5.20]Squid transparent proxy http/https without client site config

minh hưng đỗ hoàng hoangminhung at gmail.com
Sat Nov 25 06:40:25 UTC 2017


Dear Amos, thank you so much for your quick reply.
I have tried to replace my SSL config with your suggestion. But my squid
gets an error like this in cache.log:

2017/11/25 13:21:49 kid1| SECURITY ALERT: Host header forgery detected on
local=216.58.199.110:443 remote=172.18.18.15:55704 FD 13 flags=33 (local IP
does not match any domain IP)
2017/11/25 13:21:49 kid1| SECURITY ALERT: on URL: apis.google.com:443
2017/11/25 13:21:49 kid1| SECURITY ALERT: Host header forgery detected on
local=172.217.25.3:443 remote=172.18.18.15:55705 FD 17 flags=33 (local IP
does not match any domain IP)
2017/11/25 13:21:49 kid1| SECURITY ALERT: on URL: www.google.com.vn:443
2017/11/25 13:21:53 kid1| SECURITY ALERT: Host header forgery detected on
local=157.240.13.35:443 remote=172.18.18.15:55720 FD 22 flags=33 (local IP
does not match any domain IP)
2017/11/25 13:21:53 kid1| SECURITY ALERT: on URL: www.facebook.com:443
2017/11/25 13:21:54 kid1| SECURITY ALERT: Host header forgery detected on
local=157.240.13.35:443 remote=172.18.18.15:55724 FD 22 flags=33 (local IP
does not match any domain IP)
2017/11/25 13:21:54 kid1| SECURITY ALERT: on URL: www.facebook.com:443

So I can't access www.facebook.com. The error in my browser is:
*ERR_SSL_PROTOCOL_ERROR*

I found the same issue in this discussion:
http://lists.squid-cache.org/pipermail/squid-users/2016-June/011014.html

And then I tried to make my Squid machine a caching DNS server itself using Unbound.
But it looks like it doesn't work. I get the same error as before installing the DNS cache.
Here is my DNS test on my Squid:

[root at localhost ~]# nslookup
> google.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: google.com
Address: 216.58.203.46

And this is my DNS config in squid.conf:

# --------- DNS AND IP CACHES [4341]

dns_nameservers 127.0.0.1
dns_v4_first on
#original_dst off
client_dst_passthru off
host_verify_strict off
ignore_unknown_nameservers off
dns_timeout 120 seconds
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
positive_dns_ttl 6 hours
negative_dns_ttl 300 seconds

Could you help me please :(

2017-11-24 20:27 GMT+07:00 Amos Jeffries <squid3 at treenet.co.nz>:

> On 25/11/17 02:04, minh hưng đỗ hoàng wrote:
>
>>
>>
>> Dear Squid-users,
>> I want to set up a Squid proxy in transparent mode for http/https traffic
>> without any config on the client side.
>>
>> I use Squid 3.5.20 on CentOS 7. I just installed squid with the default
>> features via *yum install squid.*
>>
>> I just did that, but I have some problem with my output logging in
>> access.log.
>> Specifically, my access.log only shows ip_address_server:443 instead of
>> the domain name of the destination server, like this:
>>
>> *1511525732.912    206 172.18.18.15 TAG_NONE/200 0 CONNECT
>> 172.217.24.35:443 - ORIGINAL_DST/172.217.24.35 -*
>>
>> I know that I made some mistake in my squid.conf. But I can't find out
>> how to fix it. Could you please show me how to improve my squid.conf.
>>
>>
> You configured "ssl_bump none all".
>
> <https://wiki.squid-cache.org/Features/SslPeekAndSplice#Actions>
> "do not use these with Squid-3.5 and newer"
>
>
> Use this instead:
>
>  acl step1 at_step SslBump1
>  ssl_bump peek step1
>  ssl_bump splice all
>
>
> There should be two log entries per HTTPS connection. One before peek
> happens with raw-IP:port details. And a second one after peek which may
> have a _server_ name (*not* domain name) if and only if the client sends
> TLS SNI extension data.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>



-- 
Thanks & Best Regards,
--------------
Đỗ Hoàng Minh Hưng
Gmail : hoangminhung at gmail.com
Phone: 01234454115
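The alerts quoted in this message come from Squid comparing the IP the intercepted client actually connected to (the `local=` address) with the addresses Squid's own resolver returns for the name taken from TLS SNI; when the two sides use different DNS views, every connection to a round-robin name can fail that check. The script below is an added example, not part of this thread or of Squid's code: it pairs the two-line alert format from cache.log and compares each client destination with a resolver answer the caller supplies, so an admin can tell a one-off stale cache entry from a persistent disagreement between client and proxy DNS. The sample log lines are the ones from the post rejoined onto single lines, the resolver answers in `PROXY_RESOLVED` are constructed, and the handling of bracketed IPv6 literals is an assumption about Squid's log format.

```python
"""Triage Squid "Host header forgery detected" alerts from cache.log.

Squid raises this alert when the IP the intercepted client actually
connected to (local=) is not among the addresses Squid's own resolver
returns for the name taken from TLS SNI or the Host header.  In
transparent setups the usual cause is that clients and the proxy use
different DNS resolvers (or get different answers from a round-robin
name), so this pairs the two-line alert format and compares each client
destination with a resolver answer supplied by the caller.
"""
import re

# Detection line.  IPv4 literals as in the post; bracketed IPv6 literals are
# accepted on the assumption that Squid prints them as [addr]:port.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) kid\d+\| SECURITY ALERT: Host header forgery detected on "
    r"local=(?P<local>\[[0-9A-Fa-f:]+\]|[0-9.]+):(?P<lport>\d+) "
    r"remote=(?P<remote>\[[0-9A-Fa-f:]+\]|[0-9.]+):(?P<rport>\d+)"
)
# Companion line that names the destination the client asked for.
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<host>\S+?):(?P<port>\d+)\s*$")


def parse_alerts(lines):
    """Pair each detection line with the "on URL" line that follows it."""
    alerts, pending = [], None
    for line in lines:
        m = ALERT_RE.match(line)
        if m:
            pending = {
                "ts": m.group("ts"),
                "local": m.group("local").strip("[]"),
                "local_port": int(m.group("lport")),
                "remote": m.group("remote").strip("[]"),
                "remote_port": int(m.group("rport")),
            }
            continue
        m = URL_RE.search(line)
        if m and pending is not None:
            pending["host"] = m.group("host")
            pending["host_port"] = int(m.group("port"))
            alerts.append(pending)
            pending = None
    return alerts


def summarize(alerts, proxy_resolved):
    """Group alerts by destination name and compare the client and proxy views.

    proxy_resolved maps a hostname to the set of IPs the proxy's resolver
    returns for it (gathered separately, e.g. by querying the address given
    in dns_nameservers).  A host is flagged as a persistent mismatch when
    none of the IPs clients connected to appears in that set, which points
    at the two sides using different resolvers rather than at a transient
    stale ipcache entry.
    """
    report = {}
    for a in alerts:
        entry = report.setdefault(
            a["host"], {"count": 0, "clients": set(), "client_dst": set()})
        entry["count"] += 1
        entry["clients"].add(a["remote"])
        entry["client_dst"].add(a["local"])
    for host, entry in report.items():
        proxy_ips = set(proxy_resolved.get(host, ()))
        entry["proxy_dst"] = proxy_ips
        entry["persistent_mismatch"] = not (entry["client_dst"] & proxy_ips)
    return report


# Constructed sample: the alerts from the post, rejoined onto single lines as
# they appear in a real cache.log, plus one unrelated line that must be ignored.
SAMPLE_LOG = [
    "2017/11/25 13:21:49 kid1| SECURITY ALERT: Host header forgery detected on "
    "local=216.58.199.110:443 remote=172.18.18.15:55704 FD 13 flags=33 "
    "(local IP does not match any domain IP)",
    "2017/11/25 13:21:49 kid1| SECURITY ALERT: on URL: apis.google.com:443",
    "2017/11/25 13:21:53 kid1| SECURITY ALERT: Host header forgery detected on "
    "local=157.240.13.35:443 remote=172.18.18.15:55720 FD 22 flags=33 "
    "(local IP does not match any domain IP)",
    "2017/11/25 13:21:53 kid1| SECURITY ALERT: on URL: www.facebook.com:443",
    "2017/11/25 13:21:54 kid1| SECURITY ALERT: Host header forgery detected on "
    "local=157.240.13.35:443 remote=172.18.18.15:55724 FD 22 flags=33 "
    "(local IP does not match any domain IP)",
    "2017/11/25 13:21:54 kid1| SECURITY ALERT: on URL: www.facebook.com:443",
    "2017/11/25 13:21:55 kid1| Starting new helper process",
]

# Constructed resolver answers standing in for what the proxy's dns_nameservers
# returns; the facebook entry is deliberately disjoint from the client's choice.
PROXY_RESOLVED = {
    "apis.google.com": {"216.58.199.110", "216.58.199.106"},
    "www.facebook.com": {"31.13.95.36"},
}

if __name__ == "__main__":
    for host, entry in summarize(parse_alerts(SAMPLE_LOG), PROXY_RESOLVED).items():
        state = "persistent mismatch" if entry["persistent_mismatch"] else "overlap"
        print(f"{host}: {entry['count']} alerts, client->{sorted(entry['client_dst'])}, "
              f"proxy->{sorted(entry['proxy_dst'])} [{state}]")
```

Run against a real cache.log, feed `summarize` the answers from the resolver named in `dns_nameservers`; a host that stays in the "persistent mismatch" state after clients and proxy are pointed at the same resolver deserves a closer look, while hosts whose client destinations overlap the proxy's answers are the round-robin or cache-timing case the thread discusses.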