<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:#073763">Hi Amos, </div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:#073763">Here is the topology:</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:#073763">client (curl from host running docker) --> squid_child (docker, using ssl-bump with intercept) --> squid_parent (VM with internet connection, https_port without ssl-bump) --> origin server.</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:#073763">local - <a href="http://72.19.0.2:443/" rel="noreferrer" target="_blank" style="color:rgb(17,85,204);font-family:sans-serif;font-size:13px;background-color:rgb(255,255,255)">72.19.0.2:443</a> is the container running squid child</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><font color="#073763">remote - </font><span style="color:rgb(80,0,80);font-family:sans-serif;font-size:13px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">remote=</span><a href="http://172.19.0.1:44522/" rel="noreferrer" target="_blank" style="color:rgb(17,85,204);font-family:sans-serif;font-size:13px;background-color:rgb(255,255,255)">172.19.0.1:44522</a><span style="font-family:sans-serif;font-size:13px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><font color="#500050"> </font><font color="#073763">is the host machine where containers are running, I am using a curl to do initial tests. 
Eventually, requests would come from other containers or external hosts on the docker daemon host.</font></span></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:#073763">With http traffic this works fine, wherein the request is forwarded to Parent and then to origin server. However, with https, header forgery kicks in and tls is terminated.</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:#073763"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:#073763">- Kedar</div><br><div class="gmail_quote"><div dir="ltr">On Mon, Jun 18, 2018 at 9:44 AM Amos Jeffries &lt;<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 18/06/18 02:08, Kedar K wrote:<br>
> Hello,<br>
> <br>
> I am hitting this issue when running squid in a docker with ssl parent<br>
> cache_peer.<br>
> <br>
<br>
Can you describe that a bit clearer please? An end-client, two proxies<br>
and origin server makes four HTTP agents involved with this traffic.<br>
<br>
Which of those proxies (and/or server) is inside the container?<br>
<br>
And how are you getting the traffic from the client to the first proxy?<br>
<br>
<br>
> Host header forgery detected on local=11 <a href="http://72.19.0.2:443" rel="noreferrer" target="_blank">72.19.0.2:443</a><br>
> remote=<a href="http://172.19.0.1:44522" rel="noreferrer" target="_blank">172.19.0.1:44522</a> <br>
> FD 15 flags=33 (local IP does not match any domain IP)<br>
> <br>
> The host ip of the docker would not resolve to a domain. How to<br>
> work-around this problem?<br>
<br>
The agent being client for the proxy reporting this message apparently<br>
thinks there is an origin server running at "<a href="http://72.19.0.2:443" rel="noreferrer" target="_blank">72.19.0.2:443</a>" hosting some<br>
domain name. They are trying to contact that origin server.<br>
<br>
<br>
<br>
Amos<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><br><div><font face="verdana, sans-serif" size="2" color="#0c343d"><b>- Kedar Kekan</b></font></div></div></div></div></div></div>
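An added example, not part of the original messages and not Squid's own code: a small triage helper for the alert quoted in this thread. It models the interception check as "the IP the client dialled (local=) must be one the requested name resolves to"; the DNS table, proxy address, sample log lines and function names are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample data (documentation ranges), not values from the thread.
DNS = {"www.example.com": {"198.51.100.7"}}  # stand-in for a resolver lookup
PROXY_ADDRS = {"192.0.2.10"}                 # the proxy's own interface IPs
LINE_DIRECT = ("Host header forgery detected on local=192.0.2.10:443 "
               "remote=192.0.2.1:44522 FD 15 flags=33 "
               "(local IP does not match any domain IP)")
LINE_NAT = LINE_DIRECT.replace("192.0.2.10:443", "203.0.113.5:443")

ALERT_RE = re.compile(
    r"Host header forgery detected on "
    r"local=(?P<local>\S+):(?P<lport>\d+) "
    r"remote=(?P<remote>\S+):(?P<rport>\d+) .*\((?P<reason>[^)]*)\)")

def parse_alert(line):
    """Return endpoints and reason from an alert line, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    try:
        for key in ("local", "remote"):
            alert[key] = str(ipaddress.ip_address(alert[key].strip("[]")))
    except ValueError:
        return None  # address field is mangled; do not guess
    return alert

def host_check(dest_ip, host, dns=DNS):
    """Model of the check: the dialled IP must be one the name resolves to."""
    return dest_ip in dns.get(host.lower(), set())

def triage(line, host, proxy_addrs=PROXY_ADDRS):
    """Classify an alert for the name (Host or SNI) the client asked for."""
    alert = parse_alert(line)
    if alert is None:
        return "unparsed"
    if alert["local"] in proxy_addrs:
        # local= is the proxy itself: the client dialled the intercept port
        # directly, so no origin DNS answer can ever match it.
        return "client-connected-directly-to-proxy"
    if not host_check(alert["local"], host):
        return "destination-not-in-dns"
    return "consistent-with-local-dns"

if __name__ == "__main__":
    for sample in (LINE_DIRECT, LINE_NAT):
        print(triage(sample, "www.example.com"))
```

A "consistent-with-local-dns" result means the resolver consulted here agrees with the client, so the proxy's own DNS view is the next thing to compare.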