[squid-users] SQUID PROBLEM WITH SITES THAT HAVE MORE THAN ONE IP ADDRESSES
Amos Jeffries
squid3 at treenet.co.nz
Mon May 11 09:17:24 UTC 2020
On 11/05/20 8:57 pm, leomessi983 at yahoo.com wrote:
> HI
> COULD YOU PLEASE HELP ME?
Please don't yell.
> IN INTERCEPTED TOPOLOGY WITH TPROXY I HAVE PROBLEM.
>
> WHAT IS SQUID SOLUTION FOR SITES THAT HAVE MORE THAN ONE IP ADDRESSES?
> FOR EXAMPLE SITE LIKE GOOGLE.COM RETURN DIFFERENT IP ADDRESS IN EVERY
> REQUEST AND IF CLIENT GET IP ADDRESS FOR EXAMPLE 1.1.1.1 THAT IS
> POSSIBLE THAT SQUID GET 2.2.2.2 FOR GOOGLE AND SQUID CAN NOT WORK
> PROBABLE AND SHOW FORGERY DETECTED ERROR.
>
Squid will still serve requests with Host header forgery issues. All
that will happen is Squid will not cache the response - so no other
clients get corrupted.
> IS THERE ANY WAY TO IGNORE THIS OR USE ONLY ONE DNS SERVER OR PREVENT
> SQUID OR CLIENT TO NOT RESOLVE URLS?
see <https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery>
Amos
>
> I use same DNS-Server on my clients and my squid server.
>
> Is there any configuration directive in squid to not resolve the requested URLs from clients, or to use their resolved IP addresses?
>
>
> I use this configuration:
>
> acl acl1 clientside_mark *****
> tcp_outgoing_mark ***** acl1
> acl https1 ssl::server_name "/Files/blklist"
> ssl_bump bump https1 acl1
> acl url1 dstdomain "/Files/blklist"
> acl Regex1 url_regex "/Files/Reglist"
> http_access deny Regex1 acl1
> http_access deny url1 acl1
>
>
> #Http configurations
> http_access allow all
Do not do that.
> http_port 0.0.0.0:3128
> http_port 0.0.0.0:3129 tproxy disable-pmtu-discovery=transparent
>
>
> #Https configurations
> reply_header_access Strict-Transport-Security deny all
> https_port 3130 tproxy ssl-bump \
>     tls-cert=/conf/cert.cer \
>     tls-key=/conf/cert.key \
>     generate-host-certificates=on dynamic_cert_mem_cache_size=20MB \
>     disable-pmtu-discovery=transparent
> sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 20MB
> sslcrtd_children 10 startup=5 idle=1
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump splice all
>
> I got these error messages:
>
...
> May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| ERROR: negotiating TLS on FD 523: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
> May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| Error negotiating SSL connection on FD 518: error:00000001:lib(0):func(0):reason(1) (1/0)
So TLS is not working. This is your worst problem.
> May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Squid Cache (Version 4.7): Terminated abnormally.
Please upgrade. Current v4 is 4.11.
You may want to consider upgrade to the latest v5 release for better
SSL-Bump behaviour.
Amos
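A safer replacement for the `http_access allow all` line in the quoted configuration, written as an added example for this archive page rather than taken from the thread or from the Squid project. The `192.168.0.0/16` client range is an assumption; the `/Files/blklist` and `/Files/Reglist` paths are the ones from the quoted config, and the `acl1` mark-based rules are left out for brevity.

```conf
# Added example, not from the original thread: hardened http_access ordering.
# Assumed values: the 192.168.0.0/16 LAN is the intercepted client range.

acl localnet src 192.168.0.0/16          # assumed: the client LAN behind TPROXY
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# The blocklists from the quoted config, evaluated before any allow rule
acl url1 dstdomain "/Files/blklist"
acl Regex1 url_regex "/Files/Reglist"
http_access deny Regex1
http_access deny url1

# Sanity checks carried over from the stock squid.conf
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Only the local client range may use the proxy; everything else is refused.
# This replaces "http_access allow all", which would make the forward-proxy
# port 3128 usable by any host that can reach it.
http_access allow localnet
http_access deny all
```

Squid evaluates `http_access` rules top to bottom and stops at the first match, so the deny rules must sit above `allow localnet`; with `allow all` first, as in the quoted config, nothing below it is ever consulted. Run `squid -k parse` after editing to confirm the file is accepted before reloading.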