[squid-users] Fwd: [Squid-3.5.20]Squid transparent proxy http/https without client site config
Amos Jeffries
squid3 at treenet.co.nz
Sat Nov 25 11:17:24 UTC 2017
On 25/11/17 19:40, minh hưng đỗ hoàng wrote:
> Dear Amos, thank you so much for your quick reply.
> I have tried to replace my SSL config with your suggestion. But my Squid
> gets an error like this in cache.log:
>
> 2017/11/25 13:21:49 kid1| SECURITY ALERT: Host header forgery detected
> on local=216.58.199.110:443
> remote=172.18.18.15:55704 FD 13 flags=33
> (local IP does not match any domain IP)
...
>
> So I can't access www.facebook.com. The error
> on my browser is: ERR_SSL_PROTOCOL_ERROR
> I find out the same issue in this discussion :
> http://lists.squid-cache.org/pipermail/squid-users/2016-June/011014.html
>
The more complete info about that problem, the things to avoid, and the
workarounds that help reduce it can be found at
<https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery>
Be aware that there is no full solution yet. The latest Squid-4 and
Squid-5 functionality is getting closer to coping with these services,
but still not complete.
> And then I tried to make my Squid become a caching DNS itself using
> Unbound. But it looks like it doesn't work. I get the same error as before
> installing the caching DNS.
Not just the Squid machine but *all* the clients going through your
Squid also have to be using the same DNS resolver for that workaround.
Any of them using other resolvers (e.g. 8.8.8.8 or similar services)
*will* hit these errors.
> Here is my DNS test on my Squid:
>
> [root at localhost ~]# nslookup google.com
> Server:127.0.0.1
> Address:127.0.0.1#53
>
> Non-authoritative answer:
> Name:google.com
> Address: 216.58.203.46
>
"google.com" is not your problem. The domain names in the log are:
apis.google.com != 216.58.199.110
www.google.com.vn != 172.217.25.3
www.facebook.com != 157.240.13.35
Also, be aware that the problem is extremely temporary. It can change
between failed and working in any random millisecond. So testing even a
few seconds later often shows different results.
> And this is my DNS config in squid.config:
>
> # --------- DNS AND IP CACHES [4341]
>
> dns_nameservers 127.0.0.1
> dns_v4_first on
> #original_dst off
> client_dst_passthru off
The above setting is rejecting clients when the host verify fails.
To let traffic through the proxy when host-verify fails set it back to
the default "client_dst_passthru on".
The Host verify failure is most dangerous when cached - so that is
always prohibited. But upstream routing is difficult for Squid to
determine - thus that config option. It is left up to you whether you
risk your clients getting infected by that mechanism - Squid just
minimizes the damage and risk by limiting it to the one client making
the suspicious request.
Amos
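As an added example (not Squid's code and not part of the thread), a small Python model of the intercept-mode Host verification and the client_dst_passthru behaviour discussed above. The resolver answers and the address 203.0.113.10 are constructed; the point it shows is that the check is made against the resolver Squid uses, not the one the client used.

```python
# Added example (not Squid's code): a model of the intercept-mode Host
# verification described in the thread, showing why clients and Squid must
# share a resolver and what client_dst_passthru changes when the check fails.
# Resolver answers below are constructed; CDN names legitimately map to many
# addresses and the answer can differ between two lookups seconds apart.
from dataclasses import dataclass

# Constructed DNS views: the resolver Squid uses vs. one a client might use.
SQUID_RESOLVER = {"www.facebook.com": {"157.240.13.35"},
                  "apis.google.com": {"216.58.199.110", "216.58.203.46"}}
CLIENT_RESOLVER = {"www.facebook.com": {"203.0.113.10"},   # constructed
                   "apis.google.com": {"216.58.199.110"}}

@dataclass
class Verdict:
    verified: bool
    action: str        # "forward", "passthru" (original dst, uncached) or "reject"
    alert: str = ""

def host_verify(host: str, local_ip: str, resolver: dict,
                client_dst_passthru: bool = True) -> Verdict:
    """Squid-style check: the intercepted destination (local=) must be one of
    the addresses *Squid's* resolver returns for the Host/SNI name."""
    if local_ip in resolver.get(host, set()):
        return Verdict(True, "forward")
    alert = (f"SECURITY ALERT: Host header forgery detected on local={local_ip}:443 "
             "(local IP does not match any domain IP)")
    # A failed verification is never cacheable; passthru only decides whether
    # this one client's traffic still reaches the address it was heading to.
    return Verdict(False, "passthru" if client_dst_passthru else "reject", alert)

def intercepted(host: str, client_resolver: dict, passthru: bool) -> Verdict:
    """The client connects to whatever *its* resolver returned; Squid then
    verifies that address against its own resolver."""
    local_ip = sorted(client_resolver[host])[0]
    return host_verify(host, local_ip, SQUID_RESOLVER, passthru)

if __name__ == "__main__":
    # Same resolver: passes. Different resolver: alert; with passthru off
    # (the poster's config) the client's TLS handshake simply breaks.
    print(intercepted("www.facebook.com", SQUID_RESOLVER, False).action)   # forward
    print(intercepted("www.facebook.com", CLIENT_RESOLVER, False).action)  # reject
    print(intercepted("www.facebook.com", CLIENT_RESOLVER, True).action)   # passthru
```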