<div dir="ltr"><p style="font-size:12.8px">The browser I used to test runs on the same machine as Squid; I changed it to explicit mode (no intercept - I set the proxy IP in the browser) during my attempts at SSL interception. Sorry, I forgot to mention that in my last post of logs. So XFF localhost is normal, I guess. Here is the request log with port info:<br></p><p dir="ltr" style="font-size:12.8px">----------</p><p dir="ltr" style="font-size:12.8px">2016/06/27 15:49:40.909 kid1| 11,2| http.cc(2234) sendRequest: HTTP Server local=<a href="http://10.100.136.56:47772/" target="_blank">10.100.136.56:47772</a> remote=<a href="http://188.125.93.100:443/" target="_blank">188.125.93.100:443</a> FD 47 flags=1</p><p dir="ltr" style="font-size:12.8px">2016/06/27 15:49:40.909 kid1| 11,2| http.cc(2235) sendRequest: HTTP Server REQUEST:</p><p dir="ltr" style="font-size:12.8px">---------</p><span class="im" style="font-size:12.8px"><p dir="ltr">GET / HTTP/1.1</p><p dir="ltr">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8</p><p dir="ltr">Upgrade-Insecure-Requests: 1</p><p dir="ltr">User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/50.0.2661.102 Chrome/50.0.2661.102 Safari/537.36</p><p dir="ltr">Accept-Encoding: gzip, deflate, sdch</p><p dir="ltr">Accept-Language: tr,en-US;q=0.8,en;q=0.6</p><p dir="ltr">..</p></span><p dir="ltr" style="font-size:12.8px">Host: <a href="http://www.flickr.com/" target="_blank">www.flickr.com</a><br></p><span class="im" style="font-size:12.8px"><p dir="ltr">Via: 1.1 ubuntuozgen (squid/3.5.19)</p><p dir="ltr">Surrogate-Capability: ubuntuozgen="Surrogate/1.0 ESI/1.0"</p><p dir="ltr">X-Forwarded-For: ::1</p></span><p dir="ltr" style="font-size:12.8px">Cache-Control: max-age=259200</p><p dir="ltr" style="font-size:12.8px">Connection: keep-alive</p><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jun 27, 2016 at 2:27 PM, Amos Jeffries <span dir="ltr">&lt;<a 
href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 27/06/2016 11:01 p.m., Ozgur Batur wrote:<br>
> Yes that is much easier, thank you.<br>
><br>
> Rafael's line is a response header; I received the same. Here is the related<br>
> cachelog:<br>
><br>
<br>
</span>What is the content of the line above this one, with the IP:port details?<br>
<span class=""><br>
> 2016/06/27 13:52:49.194 kid1| 11,2| http.cc(2235) sendRequest: HTTP Server<br>
> REQUEST:<br>
> GET / HTTP/1.1<br>
> Accept:<br>
> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br>
> Upgrade-Insecure-Requests: 1<br>
> User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like<br>
> Gecko) Ubuntu Chromium/50.0.2661.102 Chrome/50.0.2661.102 Safari/537.36<br>
> Accept-Encoding: gzip, deflate, sdch<br>
> Accept-Language: tr,en-US;q=0.8,en;q=0.6<br>
> ...<br>
> Host: <a href="http://www.flickr.com" rel="noreferrer" target="_blank">www.flickr.com</a><br>
> Via: 1.1 ubuntuozgen (squid/3.5.19)<br>
> Surrogate-Capability: ubuntuozgen="Surrogate/1.0 ESI/1.0"<br>
> X-Forwarded-For: ::1<br>
<br>
</span>You said this was using interception. But Squid XFF is telling Yahoo<br>
that it's receiving localhost traffic.<br>
<br>
Try "forwarded_for transparent" in your squid.conf, and find out why<br>
that ::1 is happening on an intercepted proxy. There may be a bug in<br>
your NAT or routing configuration.<br>
<div><div class="h5"><br>
<br>
> Cache-Control: max-age=0<br>
> Connection: keep-alive<br>
><br>
> ..<br>
> 2016/06/27 13:52:49.477 kid1| 11,2| http.cc(751) processReplyHeader: HTTP<br>
> Server REPLY:<br>
> ---------<br>
> HTTP/1.1 301 Moved Permanently<br>
> X-Frame-Options: SAMEORIGIN<br>
> X-Content-Type-Options: nosniff<br>
> X-XSS-Protection: 1; mode=block<br>
> X-Served-By: <a href="http://pprd1-node552-lh1.manhattan.bf1.yahoo.com" rel="noreferrer" target="_blank">pprd1-node552-lh1.manhattan.bf1.yahoo.com</a><br>
> X-Instance: <a href="http://flickr.v1.production.manhattan.bf1.yahoo.com" rel="noreferrer" target="_blank">flickr.v1.production.manhattan.bf1.yahoo.com</a><br>
> Cache-Control: no-cache, max-age=0, must-revalidate, no-store<br>
> Pragma: no-cache<br>
> X-Request-Id: 36e709a2<br>
> Location: <a href="https://www.flickr.com/" rel="noreferrer" target="_blank">https://www.flickr.com/</a><br>
> Vary: Accept<br>
> Content-Type: text/html; charset=utf-8<br>
> Content-Length: 102<br>
> Server: ATS<br>
> Date: Mon, 27 Jun 2016 10:52:40 GMT<br>
> Age: 0<br>
> Via: http/1.1 <a href="http://fts111.flickr.bf1.yahoo.com" rel="noreferrer" target="_blank">fts111.flickr.bf1.yahoo.com</a> (ApacheTrafficServer [cMs f ]),<br>
> http/1.1 <a href="http://r11.ycpi.dea.yahoo.net" rel="noreferrer" target="_blank">r11.ycpi.dea.yahoo.net</a> (ApacheTrafficServer [cMs f ])<br>
> Connection: keep-alive<br>
> ..<br>
><br>
> And this repeats on and on. As I understand, disabling the Via header is an<br>
> acceptable solution. If I could disable the header only for problematic<br>
> domains, that would be better of course.<br>
<br>
</div></div>Okay. Unfortunately not possible. If that forwarded_for change works it<br>
would be better than disabling Via.<br>
<span class="HOEnZb"><font color="#888888"><br>
Amos<br>
<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">H Özgür Batur</div>
</div></div>
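<p>An added example, not part of the original messages or of Squid: a small parser for the debug section 11,2 <code>sendRequest</code> blocks quoted in this thread, which pairs each outgoing request with its <code>local=</code>/<code>remote=</code> line and reports requests whose X-Forwarded-For is a loopback address. The function names, the second log entry and the addresses 192.0.2.10 and 10.100.136.77 are constructed for illustration.</p>

```python
import ipaddress
import re

# Constructed sample in the cache.log layout quoted in this thread (debug 11,2).
SAMPLE_LOG = """\
2016/06/27 15:49:40.909 kid1| 11,2| http.cc(2234) sendRequest: HTTP Server local=10.100.136.56:47772 remote=188.125.93.100:443 FD 47 flags=1
2016/06/27 15:49:40.909 kid1| 11,2| http.cc(2235) sendRequest: HTTP Server REQUEST:
---------
GET / HTTP/1.1
Host: www.flickr.com
Via: 1.1 ubuntuozgen (squid/3.5.19)
X-Forwarded-For: ::1
2016/06/27 15:49:41.120 kid1| 11,2| http.cc(2234) sendRequest: HTTP Server local=10.100.136.56:47780 remote=192.0.2.10:80 FD 49 flags=1
2016/06/27 15:49:41.120 kid1| 11,2| http.cc(2235) sendRequest: HTTP Server REQUEST:
---------
GET /a HTTP/1.1
X-Forwarded-For: 10.100.136.77
"""

CONN = re.compile(r"sendRequest: HTTP Server local=(\S+) remote=(\S+) FD")
STAMP = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}")
HEADER = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")

def parse_requests(log_text):
    """Return one dict per outgoing request: endpoints plus lower-cased headers."""
    requests, current = [], None
    for line in log_text.splitlines():
        conn = CONN.search(line)
        if conn:
            current = {"local": conn.group(1), "remote": conn.group(2), "headers": {}}
            requests.append(current)
        elif STAMP.match(line) and "HTTP Server REQUEST:" not in line:
            current = None  # any other debug line ends the header block
        elif current is not None and HEADER.match(line):
            name, value = HEADER.match(line).groups()
            current["headers"][name.lower()] = value.strip()
    return requests

def loopback_xff(requests):
    """(remote, host, address) for requests whose first XFF entry is loopback."""
    hits = []
    for req in requests:
        first = req["headers"].get("x-forwarded-for", "").split(",")[0].strip()
        try:
            if ipaddress.ip_address(first).is_loopback:
                hits.append((req["remote"], req["headers"].get("host"), first))
        except ValueError:
            pass  # header absent, "unknown", or another non-IP token
    return hits
```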