[squid-users] Fwd: [Squid-3.5.20]Squid transparent proxy http/https without client site config

minh hưng đỗ hoàng hoangminhung at gmail.com
Wed Nov 29 12:34:38 UTC 2017


Dear Amos,
Sorry for concluding hurriedly.
When I do a test with 1 user, it seems OK, no more alerts from cache.log.
But when I test with more users, the alert log from cache.log happens again.
And so I can't access some HTTPS pages such as chatwork.com, facebook.com.

2017/11/29 18:06:41 kid1| SECURITY ALERT: Host header forgery detected on local=54.238.137.130:443 remote=172.16.255.10:61831 FD 131 flags=33 (local IP does not match any domain IP)
2017/11/29 18:06:41 kid1| SECURITY ALERT: on URL: www.chatwork.com:443
2017/11/29 18:06:48 kid1| SECURITY ALERT: Host header forgery detected on local=31.13.95.8:443 remote=172.16.255.51:54984 FD 173 flags=33 (local IP does not match any domain IP)
2017/11/29 18:06:48 kid1| SECURITY ALERT: on URL: api.facebook.com:443
2017/11/29 18:08:07 kid1| SECURITY ALERT: Host header forgery detected on local=31.13.95.12:443 remote=172.16.255.51:54990 FD 51 flags=33 (local IP does not match any domain IP)
2017/11/29 18:08:07 kid1| SECURITY ALERT: on URL: static.xx.fbcdn.net:443
2017/11/29 18:08:50 kid1| SECURITY ALERT: Host header forgery detected on local=172.217.24.197:443 remote=172.16.255.10:61866 FD 34 flags=33 (local IP does not match any domain IP)
2017/11/29 18:08:50 kid1| SECURITY ALERT: on URL: mail.google.com:443
2017/11/29 18:09:43 kid1| SECURITY ALERT: Host header forgery detected on local=13.113.80.172:443 remote=172.16.255.10:61890 FD 124 flags=33 (local IP does not match any domain IP)
2017/11/29 18:09:43 kid1| SECURITY ALERT: on URL: ws-chatwork.pusher.com:443
2017/11/29 18:10:59 kid1| WARNING: 1 swapin MD5 mismatches
2017/11/29 18:11:00 kid1| SECURITY ALERT: Host header forgery detected on local=157.240.15.22:443 remote=172.16.255.51:55032 FD 93 flags=33 (local IP does not match any domain IP)
2017/11/29 18:11:00 kid1| SECURITY ALERT: on URL: connect.facebook.net:443
2017/11/29 18:13:15 kid1| SECURITY ALERT: Host header forgery detected on local=31.13.95.36:443 remote=172.16.255.12:33158 FD 25 flags=33 (local IP does not match any domain IP)
2017/11/29 18:13:15 kid1| SECURITY ALERT: on URL: www.facebook.com:443
2017/11/29 18:14:00 kid1| SECURITY ALERT: Host header forgery detected on local=31.13.95.34:443 remote=172.16.255.59:39526 FD 74 flags=33 (local IP does not match any domain IP)
2017/11/29 18:14:00 kid1| SECURITY ALERT: on URL: mqtt-mini.facebook.com:443


I have a Mikrotik router (172.16.1.1) and some local LANs. For every LAN,
my DHCP allocates DNS and gateway to the LAN. Ex.: 172.16.255.0/24 with
gateway 172.16.255.254 and DNS 172.16.255.254
- Mikrotik is configured as a caching DNS forwarding to 8.8.8.8
- Squid uses DNS 172.16.1.1 (Mikrotik DNS)
- Squid is configured with DNS 172.16.1.1
- Clients use the DNS allocated by DHCP (which is still the Mikrotik router)

Here is my full squid.conf:

# Allow LAN Network

# Allow Network ACL Allow/Deny Section#
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535

acl CONNECT method CONNECT
acl fb dstdomain .facebook.com

#http_access deny CONNECT fb

http_access allow localhost
http_access allow all


# Transparent Proxy Parameters
http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=off cert=/etc/squid/ssl_cert/squid-3.5.27.pem

### SSL config ###
#-Start-#
#ssl_bump none all
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
#-End-#

# --------- Add X-Forwarded-for in headers [0]?
#-Start-#
forwarded_for transparent
#-End-#

debug_options ALL,1

log_fqdn on
emulate_httpd_log on
icap_enable on

global_internal_static on
short_icon_urls on
log_uses_indirect_client         on


# --------- DNS AND IP CACHES [4341]

dns_nameservers 172.16.1.1
dns_v4_first on
host_verify_strict off
ignore_unknown_nameservers off
dns_timeout 120 seconds
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
positive_dns_ttl 6 hours
negative_dns_ttl 300 seconds
---------------------------------------------------------

Could you please help me? Thanks & Best Regards,

2017-11-28 17:32 GMT+07:00 minh hưng đỗ hoàng <hoangminhung at gmail.com>:

> Dear Amos,
> I solved my problem by doing the following:
> 1 - I used my Mikrotik router as a caching DNS
> 2 - Both the Squid proxy and my clients use the Mikrotik's DNS
>
> => It no longer raises alerts in cache.log
>
> Thanks a lot :)
> --
> Thanks & Best Regards,
> --------------
> Đỗ Hoàng Minh Hưng
> Gmail : hoangminhung at gmail.com
> SĐT : 01234454115
>



-- 
Thanks & Best Regards,
--------------
Đỗ Hoàng Minh Hưng
Gmail : hoangminhung at gmail.com
SĐT : 01234454115
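The alerts in this message come from Squid comparing the IP the client actually connected to (the local= address of the intercepted connection) with the addresses the proxy's own resolver returns for the host named in the SNI or Host header; when they disagree, Squid logs the forgery alert and refuses to relay the connection. The script below is an added example, not part of this post and not Squid's own tooling. It parses the two-line alert pairs from cache.log, counts them per requested host and per client, and re-runs the same comparison against a resolver the caller supplies, so an administrator can see which destinations still disagree once the proxy and the clients share one DNS cache. The log lines it embeds are taken from this message (unwrapped onto single lines); the answer table FAKE_DNS, the function names and the hypothetical helper resolve_live are constructed for the example.

```python
"""Summarise and re-check Squid 'Host header forgery detected' alerts.

Added example; not part of the original post or of Squid itself.
"""
import re
from collections import Counter

# First line of an alert pair (format copied from the Squid 3.5 cache.log lines
# in the post): endpoints of the intercepted connection and Squid's reason.
FORGERY_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| "
    r"SECURITY ALERT: Host header forgery detected on "
    r"local=(?P<local_ip>[\d.]+):(?P<local_port>\d+) "
    r"remote=(?P<remote_ip>[\d.]+):(?P<remote_port>\d+) "
    r"FD \d+ flags=\d+ \((?P<reason>[^)]*)\)$"
)
# Second line of the pair: the host the client asked for (SNI / Host header).
URL_RE = re.compile(
    r"^\S+ \S+ kid\d+\| SECURITY ALERT: on URL: (?P<host>[^:\s]+):(?P<port>\d+)$"
)

# Sample log, taken from the post with the e-mail line wrapping removed.
SAMPLE_LOG = """\
2017/11/29 18:06:41 kid1| SECURITY ALERT: Host header forgery detected on local=54.238.137.130:443 remote=172.16.255.10:61831 FD 131 flags=33 (local IP does not match any domain IP)
2017/11/29 18:06:41 kid1| SECURITY ALERT: on URL: www.chatwork.com:443
2017/11/29 18:06:48 kid1| SECURITY ALERT: Host header forgery detected on local=31.13.95.8:443 remote=172.16.255.51:54984 FD 173 flags=33 (local IP does not match any domain IP)
2017/11/29 18:06:48 kid1| SECURITY ALERT: on URL: api.facebook.com:443
2017/11/29 18:10:59 kid1| WARNING: 1 swapin MD5 mismatches
2017/11/29 18:13:15 kid1| SECURITY ALERT: Host header forgery detected on local=31.13.95.36:443 remote=172.16.255.12:33158 FD 25 flags=33 (local IP does not match any domain IP)
2017/11/29 18:13:15 kid1| SECURITY ALERT: on URL: www.facebook.com:443
"""

# Constructed answer table standing in for the proxy's resolver: the first two
# hosts resolve to the IP the client connected to, the third one does not.
FAKE_DNS = {
    "www.chatwork.com": {"54.238.137.130"},
    "api.facebook.com": {"31.13.95.8"},
    "www.facebook.com": {"31.13.95.34"},  # client went to .36, resolver says .34
}


def parse_alerts(lines):
    """Pair each 'forgery detected' line with the 'on URL' line that follows it.

    Any other line (a WARNING, a different alert) breaks the pair, so a
    stray first line never gets matched with an unrelated URL line.
    """
    events = []
    pending = None
    for line in lines:
        line = line.rstrip("\n")
        m = FORGERY_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = URL_RE.match(line)
        if m and pending is not None:
            pending["host"] = m.group("host")
            pending["port"] = int(m.group("port"))
            events.append(pending)
        pending = None
    return events


def summarise(events):
    """Count alerts per requested host and per client address."""
    by_host = Counter(e["host"] for e in events)
    by_client = Counter(e["remote_ip"] for e in events)
    return by_host, by_client


def recheck(events, resolve):
    """Re-apply Squid's test: the destination IP must be one the host resolves to.

    `resolve(host)` returns the set of IPv4 addresses the proxy-side resolver
    gives; pass resolve_from_table for offline use or resolve_live on the proxy.
    Returns (host, destination_ip, client_ip) for each alert that still fails.
    """
    return [
        (e["host"], e["local_ip"], e["remote_ip"])
        for e in events
        if e["local_ip"] not in resolve(e["host"])
    ]


def resolve_from_table(host):
    """Offline resolver backed by the constructed FAKE_DNS table."""
    return FAKE_DNS.get(host, set())


def resolve_live(host):
    """Hypothetical helper: ask the OS resolver (point it at Squid's dns_nameservers)."""
    import socket
    return {ai[4][0] for ai in socket.getaddrinfo(host, 443, socket.AF_INET)}


if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_LOG.splitlines())
    hosts, clients = summarise(evs)
    print("alerts per host:", dict(hosts))
    print("alerts per client:", dict(clients))
    for host, dst, client in recheck(evs, resolve_from_table):
        print(f"still mismatched: {client} -> {dst} for {host}")
```

To use it on a live system, pass `open("/var/log/squid/cache.log")` to `parse_alerts` and `resolve_live` to `recheck`, running on the proxy host so the OS resolver is the same nameserver Squid uses. Hosts that still mismatch even then are the ones where clients and proxy receive different round-robin or CDN answers, which is exactly the condition that sharing one caching DNS between Squid and the clients, as the quoted reply describes, is meant to remove.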