[squid-users] host header forgery check in docker environment

Kedar K mailbox.kedar at gmail.com
Mon Jun 18 04:54:01 UTC 2018

Hi Amos,
Here is the topology:

client (curl from host running docker) --> squid_child (docker, using
ssl-bump with intercept) --> squid_parent (VM with internet connection,
https_port without ssl-bump) --> origin server.

local - is the container running squid child
remote - remote=  is the host machine where containers are
running, I am using a curl to do initial tests. Eventually, request would
come from other containers or external hosts on the docker daemon host.

With http traffic this works fine; wherein the request is forwarded to
Parent and then to origin server. However, with https header forgery kicks
in and tls is terminated.

- Kedar

On Mon, Jun 18, 2018 at 9:44 AM Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 18/06/18 02:08, Kedar K wrote:
> > Hello,
> >
> > I am hitting this issue when running squid in a docker with ssl parent
> > cache_peer.
> >
> Can you describe that a bit clearer please? An end-client, two proxies
> and origin server makes four HTTP agents involved with this traffic.
>  Which of those proxies (and/or server) is inside the container?
>  And how are you getting the traffic from the client to the first proxy?
> > Host header forgery detected on local=11
> > remote=
> > FD 15 flags=33 (local IP does not match any domain IP)
> >
> > ​The host ip of the docker would not resolve to a domain. How to
> > work-around this problem?​
> The agent being client for the proxy reporting this message apparently
> thinks there is a origin server running at "" hosting some
> domain name. They are trying to contact that origin server.
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users


*- Kedar Kekan*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20180618/5ca4aa11/attachment-0001.html>

More information about the squid-users mailing list