<div dir="ltr">Hi<div><br></div><div>I am sorry to come back late on it. I had applied the patch and my previous logs were overwritten. Reproduced it today with an Amazon URL (<a href="http://monitoring.us-west-2.amazonaws.com:443">monitoring.us-west-2.amazonaws.com:443</a>).</div><div><br></div><div>&gt;&gt; Please clarify "things" and "did not work".<br></div><div><br></div><div>We are getting 409. For example, this is the cache.log output for one on the Amazon URL:</div><div><br></div><div>





<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.703 kid5| 78,8| dns_internal.cc(1126) idnsCallbackAllCallersWithNewAnswer: last 1 records</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.703 kid5| 1,5| CodeContext.cc(60) Entering: master203</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.703 kid5| 78,6| dns_internal.cc(1104) idnsCallbackOneWithAnswer: last 1 records for 0x556b994c6f68</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 14,3| ipcache.cc(477) ipcacheParse: 1 answers for <a href="http://monitoring.us-west-2.amazonaws.com">monitoring.us-west-2.amazonaws.com</a></span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 14,7| ipcache.cc(985) have:<span class="gmail-Apple-converted-space">  </span>no 52.94.176.210 in [no cached IPs]</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 14,7| ipcache.cc(985) have:<span class="gmail-Apple-converted-space">  </span>no 52.94.176.210 in [no cached IPs]</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 14,3| ipcache.cc(532) addGood: <a href="http://monitoring.us-west-2.amazonaws.com">monitoring.us-west-2.amazonaws.com</a> #1 52.94.176.210</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 14,7| ipcache.cc(250) forwardIp: 52.94.176.210</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 14,3| ipcache.cc(576) ipcacheHandleReply: done with <a href="http://monitoring.us-west-2.amazonaws.com">monitoring.us-west-2.amazonaws.com</a>: 52.94.176.210 #1/1-0</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 14,7| ipcache.cc(231) finalCallback: 0x556b994c6f88 lookup_wait=1</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 78,7| HttpRequest.cc(595) recordLookup: 0x556b994c6570 lookup_wait=1</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 14,7| ipcache.cc(985) have:<span class="gmail-Apple-converted-space">  </span>no <a href="http://52.94.184.173:443">52.94.184.173:443</a> in 52.94.176.210 #1/1-0</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 85,3| client_side_request.cc(538) hostHeaderIpVerify: FAIL: validate IP <a href="http://52.94.184.173:443">52.94.184.173:443</a> possible from Host:</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| SECURITY ALERT: Host header forgery detected on conn616 local=<a href="http://52.94.184.173:443">52.94.184.173:443</a> remote=<a href="http://10.32.79.33:58260">10.32.79.33:58260</a> FD 28 flags=17 (local IP does not match any domain IP)</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span>current master transaction: master203</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| SECURITY ALERT: on URL: <a href="http://monitoring.us-west-2.amazonaws.com:443">monitoring.us-west-2.amazonaws.com:443</a></span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="gmail-Apple-converted-space">    </span>current master transaction: master203</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 20,3| store.cc(769) storeCreatePureEntry: storeCreateEntry: '<a href="http://monitoring.us-west-2.amazonaws.com:443">monitoring.us-west-2.amazonaws.com:443</a>'</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 20,5| store.cc(349) StoreEntry: StoreEntry constructed, this=0x556b994f0200</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 19,9| stmem.cc(376) mem_hdr: 0x556b994ef648 hi: 0</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 20,3| MemObject.cc(100) MemObject: MemObject constructed, this=0x556b994ef620</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 55,7| HttpHeader.cc(155) HttpHeader: init-ing hdr: 0x556b994ef788 owner: 3</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 55,9| HttpHeader.cc(829) getList: 0x556b994ef788 joining for id Connection[12]</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 55,9| HttpHeader.cc(829) getList: 0x556b994ef788 joining for id Proxy-Connection[50]</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 55,9| HttpHeader.cc(1009) has: 0x556b994ef788 lookup for Expires[27]</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 88,3| MemObject.cc(83) setUris: 0x556b994ef620 storeId: <a href="http://monitoring.us-west-2.amazonaws.com:443">monitoring.us-west-2.amazonaws.com:443</a></span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 20,3| store.cc(443) lock: storeCreateEntry locked key [null_store_key] e:=V/0x556b994f0200*1</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 20,3| store.cc(569) setPrivateKey: 01 e:=V/0x556b994f0200*1</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 20,3| store.cc(421) hashInsert: StoreEntry::hashInsert: Inserting Entry e:=XIV/0x556b994f0200*1 key '0C000000000000003400000005000000'</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 4,4| errorpage.cc(717) errorAppendEntry: storing ERR_CONFLICT_HOST in e:=XIV/0x556b994f0200*1</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 55,7| HttpHeader.cc(155) HttpHeader: init-ing hdr: 0x556b994ef8b8 owner: 3</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 55,9| HttpHeader.cc(829) getList: 0x556b994ef8b8 joining for id Connection[12]</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 55,9| HttpHeader.cc(829) getList: 0x556b994ef8b8 joining for id Proxy-Connection[50]</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 55,9| HttpHeader.cc(1009) has: 0x556b994ef8b8 lookup for Expires[27]</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 55,9| HttpHeader.cc(829) getList: 0x556b994c6588 joining for id Accept-Language[3]</span></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;font-kerning:auto;font-feature-settings:normal;font-stretch:normal;font-size:16px;line-height:normal;font-family:Menlo;color:rgb(0,0,0)"><span class="gmail-s1" style="font-variant-ligatures:no-common-ligatures">2023/05/30 10:38:04.704 kid5| 4,2| errorpage.cc(1386) buildBody: No existing error page language negotiated for ERR_CONFLICT_HOST. Using default error file.</span></p></div><div><br></div><div><br></div><div>Regards</div><div>Sachin</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, May 16, 2023 at 7:33 PM Amos Jeffries <<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 16/05/2023 6:52 pm, sachin gupta wrote:<br>
> Hi<br>
> We recently shifted to squid 5.9 and started seeing errors in <br>
> Transparent mode SECURITY ALERT: Host header forgery detected on <br>
> conn3615903 local=<a href="http://44.242.184.237:443" rel="noreferrer" target="_blank">44.242.184.237:443</a> <br>
> remote=<a href="http://10.109.176.240:8990" rel="noreferrer" target="_blank">10.109.176.240:8990</a> FD 28029 <br>
> flags=17 (local IP does not match any domain IP)<br>
<br>
This is not an error, it is an alert to what is going on. The client <br>
10.109.176.240 is trying to connect to 44.242.184.237 requesting a <br>
domain which DNS says is **not** hosted there.<br>
<br>
What happens next depends on what Squid is able to do given the <br>
transaction type.<br>
Some are rejected as unable to continue, some are allowed to complete <br>
under restricted handling.<br>
<br>
> Previously we were using <br>
> <a href="https://github.com/NethServer/dev/issues/5348" rel="noreferrer" target="_blank">https://github.com/NethServer/dev/issues/5348</a>. In addition we are <br>
> using client_dst_passthru off. When building 5.9, the patch was not <br>
> applied cleanly and we wanted to check if things worked without this <br>
> patch. They did not work.<br>
<br>
Please clarify "things" and "did not work".<br>
<br>
> I did check the forum responses <br>
> <a href="https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery" rel="noreferrer" target="_blank">https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery</a>. and <br>
> <a href="https://docs.diladele.com/faq/squid/host_header_forgery.html" rel="noreferrer" target="_blank">https://docs.diladele.com/faq/squid/host_header_forgery.html</a>. We <br>
> already support explicit proxy but that is not always an option. We <br>
> can create another patch to circumvent issues like ***. But I wanted <br>
> to know if there is a plan to make this check optional or there is <br>
> some way we can work around this problem without changing the code. <br>
> Without this support, how can intercept mode work for any website <br>
> which is behind a load balancer with multiple IPs?<br>
<br>
More recent versions of Squid allow some more CONNECT traffic cases to be <br>
handled instead of rejected.<br>
There are also some ideas on further improvements, but those are a long <br>
way off.<br>
<br>
Cheers<br>
Amos<br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>
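<p>Added example, not part of the original thread or of Squid's own code: a Python parser that pairs each "Host header forgery" alert in a debug cache.log with the addresses Squid's ipcache held for that host, so the mismatch behind the 409 is visible per connection. It assumes the SMP "kidN|" line format shown in the post; the kid5 sample lines are taken from the post with the HTML stripped, and the kid2 lines are constructed.</p>

```python
import re
from collections import defaultdict

# Line shapes as in the cache.log excerpt above (assumes the "kidN|" worker prefix).
PREFIX = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) (kid\d+)\| (.*)$")
ADD_GOOD = re.compile(r"ipcache\.cc\(\d+\) addGood: (\S+) #\d+ (\S+)$")
ALERT = re.compile(r"SECURITY ALERT: Host header forgery detected on (\S+) "
                   r"local=(\S+):(\d+) remote=(\S+):(\d+) .*\((.*)\)$")
ALERT_URL = re.compile(r"SECURITY ALERT: on URL: (\S+?)(?::\d+)?$")
MASTER = re.compile(r"^\s+current master transaction: (\S+)$")

# kid5 lines: from the post (HTML stripped). kid2 lines: constructed sample data.
SAMPLE_LOG = """\
2023/05/30 10:38:04.704 kid5| 14,3| ipcache.cc(532) addGood: monitoring.us-west-2.amazonaws.com #1 52.94.176.210
2023/05/30 10:38:04.704 kid5| SECURITY ALERT: Host header forgery detected on conn616 local=52.94.184.173:443 remote=10.32.79.33:58260 FD 28 flags=17 (local IP does not match any domain IP)
    current master transaction: master203
2023/05/30 10:38:04.704 kid5| SECURITY ALERT: on URL: monitoring.us-west-2.amazonaws.com:443
2023/05/30 10:38:04.704 kid5| 4,4| errorpage.cc(717) errorAppendEntry: storing ERR_CONFLICT_HOST in e:=XIV/0x556b994f0200*1
2023/05/30 10:38:05.120 kid2| 14,3| ipcache.cc(532) addGood: www.example.com #1 192.0.2.10
2023/05/30 10:38:05.121 kid2| SECURITY ALERT: Host header forgery detected on conn617 local=198.51.100.7:443 remote=10.32.79.34:40112 FD 31 flags=17 (local IP does not match any domain IP)
2023/05/30 10:38:05.121 kid2| SECURITY ALERT: on URL: www.example.com:443
"""

def parse_alerts(text):
    """Pair each forgery alert with the DNS answers Squid held for its host."""
    dns = defaultdict(set)   # host -> IPs recorded by ipcache addGood
    recent = {}              # worker (kidN) -> its most recent alert record
    alerts, last = [], None
    for line in text.splitlines():
        # Continuation lines carry no timestamp; attach them to the previous alert.
        if last is not None and (m := MASTER.match(line)):
            last["master"] = m.group(1)
            continue
        if not (m := PREFIX.match(line)):
            continue
        ts, kid, body = m.groups()
        last = None
        if (g := ADD_GOOD.search(body)):
            dns[g.group(1)].add(g.group(2))
        elif (a := ALERT.search(body)):
            last = recent[kid] = {
                "time": ts, "conn": a.group(1), "dst_ip": a.group(2),
                "client": a.group(4), "reason": a.group(6), "host": None,
                "dns_answers": [], "dst_in_dns": False, "rejected": False}
            alerts.append(last)
        elif (u := ALERT_URL.search(body)) and kid in recent:
            last = rec = recent[kid]
            if rec["host"] is None:      # snapshot DNS state at alert time
                rec["host"] = u.group(1)
                rec["dns_answers"] = sorted(dns[rec["host"]])
                rec["dst_in_dns"] = rec["dst_ip"] in rec["dns_answers"]
        elif "storing ERR_CONFLICT_HOST" in body and kid in recent:
            # Assumption: the error entry belongs to this worker's latest alert.
            recent[kid]["rejected"] = True   # the 409 reported in the post
    return alerts

if __name__ == "__main__":
    for rec in parse_alerts(SAMPLE_LOG):
        print(rec)
```

<p>Each record shows the client, the address it actually connected to, and the answer set Squid resolved for the same name, which is the comparison the alert text "local IP does not match any domain IP" refers to.</p>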