[squid-users] host header forgery check in docker environment
mailbox.kedar at gmail.com
Mon Jun 18 04:54:01 UTC 2018
Here is the topology:
client (curl from host running docker) --> squid_child (docker, using
ssl-bump with intercept) --> squid_parent (VM with internet connection,
https_port without ssl-bump) --> origin server.
local - 188.8.131.52:443 is the container running squid child
remote - remote=172.19.0.1:44522 is the host machine where containers are
running, I am using a curl to do initial tests. Eventually, request would
come from other containers or external hosts on the docker daemon host.
With http traffic this works fine; wherein the request is forwarded to
Parent and then to origin server. However, with https header forgery kicks
in and tls is terminated.
On Mon, Jun 18, 2018 at 9:44 AM Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 18/06/18 02:08, Kedar K wrote:
> > Hello,
> > I am hitting this issue when running squid in a docker with ssl parent
> > cache_peer.
> Can you describe that a bit clearer please? An end-client, two proxies
> and origin server makes four HTTP agents involved with this traffic.
> Which of those proxies (and/or server) is inside the container?
> And how are you getting the traffic from the client to the first proxy?
> > Host header forgery detected on local=11 184.108.40.206:443
> > remote=172.19.0.1:44522
> > FD 15 flags=33 (local IP does not match any domain IP)
> > The host ip of the docker would not resolve to a domain. How to
> > work-around this problem?
> The agent being client for the proxy reporting this message apparently
> thinks there is a origin server running at "220.127.116.11:443" hosting some
> domain name. They are trying to contact that origin server.
> squid-users mailing list
> squid-users at lists.squid-cache.org
*- Kedar Kekan*
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the squid-users