[squid-users] Header forgery detected

Darren Breeze darren at ksn-systems.com
Fri Nov 8 17:53:41 UTC 2019


Hi All

I am trying to set up Squid 3.5 (have to stick with this version) to intercept and HTTPS bump / splice. It's all working OK with the exception of some elements of an HTTPS site failing to load (the browser just shows "failed"). Matched with the failures, I see this type of message in the cache log.

2019/11/08 17:39:46 kid1| SECURITY ALERT: Host header forgery detected on local=23.213.186.14:443 remote=172.16.3.250:57041 FD 28 flags=33 (local IP does not match any domain IP)
2019/11/08 17:39:46 kid1| SECURITY ALERT: on URL: static1.squarespace.com:443

172.16.3.250 is the client's PC address.

Doing a lookup on the hostname returns:

root@cbuild:~/build/ksn-boot/cmake-build-debug/bin# nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> static1.squarespace.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
static1.squarespace.com canonical name = prod.squarespace.map.fastly.net.
Name: prod.squarespace.map.fastly.net
Address: 151.101.0.238
Name: prod.squarespace.map.fastly.net
Address: 151.101.64.238
Name: prod.squarespace.map.fastly.net
Address: 151.101.128.238
Name: prod.squarespace.map.fastly.net
Address: 151.101.192.238

So the address is different and points to a CDN endpoint.

14.186.213.23.in-addr.arpa name = a23-213-186-14.deploy.static.akamaitechnologies.com.


The host is Ubuntu 18.04 and both Squid and the client are using the DNS on the Squid box.

Can anyone please point me where I need to start looking?

Thanks in advance

Darren B.
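
An added example, not part of the original post and not Squid code: a small triage script that pairs each "Host header forgery detected" line in cache.log with its "on URL" line and checks whether the intercepted destination IP (local=) is among the addresses the resolver returned for that host. The function and variable names are hypothetical, and the resolver view is hard-coded from the nslookup output above so the script runs offline.

```python
import re
from ipaddress import ip_address

# Constructed sample: the two cache.log lines quoted in the post.
CACHE_LOG = """\
2019/11/08 17:39:46 kid1| SECURITY ALERT: Host header forgery detected on local=23.213.186.14:443 remote=172.16.3.250:57041 FD 28 flags=33 (local IP does not match any domain IP)
2019/11/08 17:39:46 kid1| SECURITY ALERT: on URL: static1.squarespace.com:443
"""
# Constructed resolver view: the A records from the nslookup output in the post.
RESOLVER_VIEW = {"static1.squarespace.com": {
    "151.101.0.238", "151.101.64.238", "151.101.128.238", "151.101.192.238"}}

KID = re.compile(r"\b(kid\d+)\|")
ALERT = re.compile(r"Host header forgery detected on local=(?P<local>\S+):\d+ "
                   r"remote=(?P<remote>\S+):\d+ .*\((?P<reason>[^)]*)\)")
# Handles the host:port form shown in the post.
URL = re.compile(r"SECURITY ALERT: on URL: (?P<host>[^\s:/]+)")

def triage(log_text, resolver_view):
    """Pair each forgery alert with its 'on URL' line (per worker) and compare
    the intercepted destination IP with the resolver's answer for that host."""
    findings, pending = [], {}  # pending alerts keyed by worker prefix (kidN)
    for line in log_text.splitlines():
        kid = KID.search(line)
        key = kid[1] if kid else ""
        alert = ALERT.search(line)
        if alert:
            pending[key] = alert.groupdict()
            continue
        url = URL.search(line)
        if not (url and key in pending):
            continue
        first = pending.pop(key)
        host = url["host"].lower()
        dst = ip_address(first["local"].strip("[]"))
        known = {ip_address(a) for a in resolver_view.get(host, ())}
        findings.append({
            "time": line[:19],
            "client": first["remote"],
            "host": host,
            "dst": str(dst),
            "reason": first["reason"],
            "dst_in_dns_answer": dst in known,
            "resolver_answer": sorted(str(a) for a in known),
        })
    return findings

if __name__ == "__main__":
    for finding in triage(CACHE_LOG, RESOLVER_VIEW):
        print(finding)
```
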

