[squid-users] host_verify_check behaviour in intercept mode for domain behind Loadbalancer ( multiple IPs )

sachin gupta sachin1.g at gmail.com
Tue May 16 06:52:40 UTC 2023


Hi

We recently shifted to squid 5.9 and started seeing errors in Transparent mode

SECURITY ALERT: Host header forgery detected on conn3615903
local=44.242.184.237:443 remote=10.109.176.240:8990 FD 28029 flags=17
(local IP does not match any domain IP)

Previously we were using
https://github.com/NethServer/dev/issues/5348. In addition we are
using client_dst_passthru off. When building 5.9, the patch was not
applied cleanly and we wanted to check if things worked without this
patch. They did not work.

I did check the forum responses
https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery and
https://docs.diladele.com/faq/squid/host_header_forgery.html. We
already support explicit proxy but that is not always an option. We
can create another patch to circumvent issues like in
https://github.com/NethServer/dev/issues/5348. But I wanted to know if
there is a plan to make this check optional or there is some way we
can work around this problem without changing the code. Without this
support, how can intercept mode work for any website which is behind a
load balancer with multiple IPs?

Regards
Sachin
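The failure mode described in the post (a legitimate intercepted connection rejected because the destination IP is not in the DNS answer the proxy happened to get for the Host name) can be reproduced with a small model. The following is an added illustration, not Squid's code and not the NethServer patch: it models the "local IP must match a domain IP" rule with a constructed round-robin resolver that returns only a subset of a load balancer's addresses per query, and then shows a hypothetical union-caching resolver (assumed here for illustration, not a Squid option) that accumulates every address seen for a name so rotating answers stop producing false alerts. The hostname, addresses and the class and function names are all constructed.

```python
from itertools import cycle

# Constructed sample: a hostname behind a load balancer with four addresses,
# where each DNS answer exposes only two of them (round-robin subset).
LB_HOST = "www.example.test"
LB_ADDRESSES = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]


class RoundRobinResolver:
    """Constructed stand-in for DNS: each query returns the next two addresses."""

    def __init__(self, table, answer_size=2):
        self._rings = {name: cycle(addrs) for name, addrs in table.items()}
        self._size = answer_size

    def resolve(self, hostname):
        ring = self._rings.get(hostname)
        if ring is None:
            return []
        return [next(ring) for _ in range(self._size)]


def host_verify(local_ip, host_header, resolver):
    """Simplified model of the intercept-mode Host check: the intercepted
    destination (local) IP must match an address the Host name resolves to.
    Returns True when the connection would be accepted, False when the
    'local IP does not match any domain IP' alert would be raised."""
    hostname = host_header.split(":", 1)[0].strip().lower()
    return local_ip in resolver.resolve(hostname)


class UnionCachingResolver:
    """Hypothetical mitigation model (not a Squid feature): remember every
    address seen for a name and verify against the union, so a rotating
    subset of load balancer addresses does not trigger false alerts."""

    def __init__(self, upstream):
        self._upstream = upstream
        self._seen = {}

    def resolve(self, hostname):
        seen = self._seen.setdefault(hostname, set())
        seen.update(self._upstream.resolve(hostname))
        return sorted(seen)


def simulate(n_requests, resolver, local_ip="203.0.113.10"):
    """Verify n legitimate intercepted connections whose destination is
    local_ip and return the per-request verdicts from host_verify()."""
    return [host_verify(local_ip, LB_HOST, resolver) for _ in range(n_requests)]


if __name__ == "__main__":
    plain = RoundRobinResolver({LB_HOST: LB_ADDRESSES})
    print("plain resolver   :", simulate(4, plain))
    cached = UnionCachingResolver(RoundRobinResolver({LB_HOST: LB_ADDRESSES}))
    print("union-caching    :", simulate(4, cached))
```

With the plain resolver every second legitimate request to 203.0.113.10 fails, because the answer it is checked against happens to contain the other two addresses; the union-caching resolver accepts all of them once it has seen the full address set. The model also shows why the check is hard to get right for sites with large or geographically varying DNS answers: the proxy can only verify against addresses it has actually observed.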