[squid-users] ipsec and squid https intercept

Amos Jeffries squid3 at treenet.co.nz
Sat Jul 6 15:27:02 UTC 2019


On 6/07/19 11:51 pm, leomessi983 wrote:
> Hi
> I use 2 servers that are connected to each other with an IPsec tunnel.
> 
> client >>>> Server1 ======ipsec tunnel======Server2>>>>Internet
> 
> I configured NAT on Server2 toward the internet, and I use Squid with a
> TPROXY and SSL bump configuration to intercept HTTPS requests!
> Without the IPsec tunnel my Squid server works fine, and also when I disable
> Squid on Server2 and only use the IPsec tunnel everything is going fine, but
> when I enable Squid with the IPsec tunnel my clients get the
> SSL_ERROR_RX_RECORD_TOO_LONG error in their browsers, and Squid's cache.log shows these errors:
> 
> "Jul  6 15:44:59 *****: 2019/07/06
> 15:44:59| SECURITY ALERT: on URL: mobile.pipe.aria.microsoft.com:443
> Jul  6 15:44:59 *****: 2019/07/06
> 15:44:59| SECURITY ALERT: Host header forgery detected on
> local=a.b.c.d:443 remote=10.0.0.110:60270 FD 12 flags=17 (local IP
> does not match any domain IP)"
> 
> I checked my DNS configuration on the clients and on the Squid server, and
> they are both the same: 8.8.8.8!
> 

Each query to the 8.8.8.8 servers produces different results, which
defeats the purpose of having the DNS resolver set to the same thing.

You need to have a local resolver which the two share. That local
resolver can be forwarding to 8.8.8.8 if you really want to.


Which version of Squid are you running? That RX_RECORD error usually
means the other endpoint is not sending TLS. Older versions of Squid
might be sending out a plain-text HTTP response.

Amos
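The following is an added illustration of the point made in this reply, not code from the thread or from the Squid project. It models, in simplified form, the check behind the "Host header forgery detected ... local IP does not match any domain IP" alert: for an intercepted connection, the proxy resolves the Host header itself and requires the client's original destination IP to be among the answers. The resolver classes, answer sets and hostnames are constructed for the demonstration; the model assumes a public resolver can hand back a different subset of a CDN's addresses on every query, and that a shared local caching resolver hands client and proxy the same answer.

```python
"""Model of an intercept proxy's Host-header forgery check (constructed example).

Two resolver models are compared:
  * RoundRobinResolver: stands in for a public resolver whose answers rotate,
    so client and proxy can receive different address sets for the same name.
  * CachingResolver: stands in for a local resolver shared by client and proxy,
    which forwards upstream once and serves the cached answer to both.
"""
import itertools

# Constructed answer sets for a CDN-hosted name; no real addresses (RFC 5737 range).
ROTATING_ANSWERS = [
    ["203.0.113.10", "203.0.113.11"],
    ["203.0.113.12", "203.0.113.13"],
]

HOST = "mobile.pipe.aria.microsoft.com"  # name taken from the quoted cache.log


class RoundRobinResolver:
    """Each query returns the next answer set, so consecutive callers disagree."""

    def __init__(self, answer_sets):
        self._cycle = itertools.cycle(answer_sets)

    def resolve(self, name):
        return list(next(self._cycle))


class CachingResolver:
    """Shared local resolver: first lookup is forwarded upstream, then cached."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}

    def resolve(self, name):
        if name not in self.cache:
            self.cache[name] = self.upstream.resolve(name)
        return list(self.cache[name])


def host_forgery_check(dest_ip, host_header, proxy_resolver):
    """Return (ok, reason). The intercepted destination IP ('local=' in the
    log) must be one of the IPs the proxy itself resolves for the Host header."""
    answers = proxy_resolver.resolve(host_header)
    if dest_ip in answers:
        return True, "local IP matches a domain IP"
    return False, "local IP does not match any domain IP"


def simulate(client_resolver, proxy_resolver, host=HOST):
    """Client connects to the first IP its own resolver gives; proxy then checks."""
    dest_ip = client_resolver.resolve(host)[0]
    return host_forgery_check(dest_ip, host, proxy_resolver)


def run_scenarios():
    """Compare both deployments and return their check results."""
    # Scenario 1: client and proxy each ask the rotating public resolver directly.
    public = RoundRobinResolver(ROTATING_ANSWERS)
    separate_ok, separate_reason = simulate(public, public)

    # Scenario 2: client and proxy share one local caching resolver that forwards upstream.
    shared = CachingResolver(RoundRobinResolver(ROTATING_ANSWERS))
    shared_ok, shared_reason = simulate(shared, shared)

    return {
        "separate_public_resolver": (separate_ok, separate_reason),
        "shared_local_resolver": (shared_ok, shared_reason),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name}: {'OK' if ok else 'SECURITY ALERT'} ({reason})")
```

Running it shows the first scenario tripping the alert even though both sides "use 8.8.8.8", because the two lookups simply returned different rows of the rotation, while the shared cache makes both sides agree. The real proxy check also has DNS TTLs and negative caching to consider, which this model leaves out.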

