<div dir="ltr">Dear Amos, thank you so much for your quickly reply .<div>I have tried to replace my SSL config with your suggestion. But my squid get a error like this in cache.log:</div><div><br></div><div><div>2017/11/25 13:21:49 kid1| SECURITY ALERT: Host header forgery detected on local=<a href="http://216.58.199.110:443">216.58.199.110:443</a> remote=<a href="http://172.18.18.15:55704">172.18.18.15:55704</a> FD 13 flags=33 (local IP does not match any domain IP)</div><div>2017/11/25 13:21:49 kid1| SECURITY ALERT: on URL: <a href="http://apis.google.com:443">apis.google.com:443</a></div><div>2017/11/25 13:21:49 kid1| SECURITY ALERT: Host header forgery detected on local=<a href="http://172.217.25.3:443">172.217.25.3:443</a> remote=<a href="http://172.18.18.15:55705">172.18.18.15:55705</a> FD 17 flags=33 (local IP does not match any domain IP)</div><div>2017/11/25 13:21:49 kid1| SECURITY ALERT: on URL: <a href="http://www.google.com.vn:443">www.google.com.vn:443</a></div><div><div>2017/11/25 13:21:53 kid1| SECURITY ALERT: Host header forgery detected on local=<a href="http://157.240.13.35:443">157.240.13.35:443</a> remote=<a href="http://172.18.18.15:55720">172.18.18.15:55720</a> FD 22 flags=33 (local IP does not match any domain IP)</div><div>2017/11/25 13:21:53 kid1| SECURITY ALERT: on URL: <a href="http://www.facebook.com:443">www.facebook.com:443</a></div></div><div><div>2017/11/25 13:21:54 kid1| SECURITY ALERT: Host header forgery detected on local=<a href="http://157.240.13.35:443">157.240.13.35:443</a> remote=<a href="http://172.18.18.15:55724">172.18.18.15:55724</a> FD 22 flags=33 (local IP does not match any domain IP)</div><div>2017/11/25 13:21:54 kid1| SECURITY ALERT: on URL: <a href="http://www.facebook.com:443">www.facebook.com:443</a></div></div><div><br></div><div>So i can't access <a href="http://www.facebook.com">www.facebook.com</a>. It's error on my browser : <span style="background-color:rgb(247,247,247);color:rgb(100,100,100);font-family:"Segoe UI",Tahoma,sans-serif;font-size:12px;text-transform:uppercase"><b>ERR_SSL_PROTOCOL_ERROR</b></span></div><div><span style="background-color:rgb(247,247,247);color:rgb(100,100,100);font-family:"Segoe UI",Tahoma,sans-serif;font-size:12px;text-transform:uppercase"><b><br></b></span></div><div>I find out the same issue in this discussion : <a href="http://lists.squid-cache.org/pipermail/squid-users/2016-June/011014.html">http://lists.squid-cache.org/pipermail/squid-users/2016-June/011014.html</a></div><div><br></div><div>And then i try to make my squid becomes a cache DNS itself using Unbound. But look like it does'nt work . I get same error before install cache DNS.</div><div>Here is my DNS test on my Squid:</div><div><div><br></div><div>[root@localhost ~]# nslookup</div><div>> <a href="http://google.com">google.com</a></div><div>Server:<span style="white-space:pre"> </span>127.0.0.1</div><div>Address:<span style="white-space:pre"> </span>127.0.0.1#53</div><div><br></div><div>Non-authoritative answer:</div><div>Name:<span style="white-space:pre"> </span><a href="http://google.com">google.com</a></div><div>Address: 216.58.203.46</div></div><div><br></div><div>And this is my dns config in squid.config :</div><div><br></div><div><div># --------- DNS AND IP CACHES [4341]</div><div><br></div><div>dns_nameservers 127.0.0.1</div><div>dns_v4_first on</div><div>#original_dst off</div><div>client_dst_passthru off</div><div>host_verify_strict off</div><div>ignore_unknown_nameservers off</div><div>dns_timeout 120 seconds</div><div>ipcache_size 1024</div><div>ipcache_low 90</div><div>ipcache_high 95</div><div>fqdncache_size 1024</div><div>positive_dns_ttl 6 hours</div><div>negative_dns_ttl 300 seconds</div></div><div><br></div><div>Could you help me please :(</div><div><div class="gmail_extra"><br><div class="gmail_quote">2017-11-24 20:27 GMT+07:00 Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">On 25/11/17 02:04, minh hưng đỗ hoàng wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">
<br>
<br>
Dear Squid-users,<br>
I want to setup a Squid proxy in transparent mode http/https traffic without any config in Client site.<br>
<br></span>
I use Squid 3.5.20 on Centos7.I just install squid with default feature as *yum install squid.*<br>
*<br>
*<span class="gmail-"><br>
I just do that , but i have some problem with my output logging in access.log .<br>
Specifically, my access.log only show ip_address_server:443 instead domain name of destination server like that :<br>
<br>
<br></span>
*1511525732.912 206 172.18.18.15 TAG_NONE/200 0 CONNECT <a href="http://172.217.24.35:443" rel="noreferrer" target="_blank">172.217.24.35:443</a> - ORIGINAL_DST/<a href="http://172.217.24.35" rel="noreferrer" target="_blank">172.217.24.35</a> -*<br>
*<br>
*<span class="gmail-"><br>
I know that i take some mistake in my squid.conf . But i can't find out how to fix it. Could you please show me how to improve my squid.conf .<br>
<br>
</span></blockquote>
<br>
You configured "ssl_bump none all".<br>
<br>
<<a href="https://wiki.squid-cache.org/Features/SslPeekAndSplice#Actions" rel="noreferrer" target="_blank">https://wiki.squid-cache.org/<wbr>Features/SslPeekAndSplice#Acti<wbr>ons</a>><br>
"do not use these with Squid-3.5 and newer"<br>
<br>
<br>
Use this instead:<br>
<br>
acl step1 at_step SslBump1<br>
ssl_bump peek step1<br>
ssl_bump splice all<br>
<br>
<br>
There should be two log entries per HTTPS connection. One before peek happens with raw-IP:port details. And a second one after peek which may have a _server_ name (*not* domain name) if and only if the client sends TLS SNI extension data.<br>
<br>
Amos<br>
______________________________<wbr>_________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.<wbr>org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/l<wbr>istinfo/squid-users</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div><div>Thanks & Best Regards,<br>--------------<br></div>Đỗ Hoàng Minh Hưng<br></div>Gmail : <a href="mailto:hoangminhung@gmail.com" target="_blank">hoangminhung@gmail.com</a><br></div>SĐT : 01234454115<br></div></div></div></div>
</div></div></div></div>