Same here—I've been meaning to ask the list about this too. I’m still on 3.5.9, by the way.
> On 6 Oct 2015, at 10:55 PM, Roel van Meer <r...@1afa.com> wrote:
>
> Hi everyone,
>
> I have a Squid setup on a linux box with transparent interception of both
> http and https traffic. Everything worked fine with Squid 3.5.6. After
> upgrading to version 3.5.10, I get many warnings about host header forgery:
>
> SECURITY ALERT: Host header forgery detected on local=104.46.50.125:443
> remote=192.168.9.126:52588 FD 22 flags=33 (local IP does not match any domain
> IP)
> SECURITY ALERT: By user agent:
> SECURITY ALERT: on URL: nexus.officeapps.live.com:443
>
> These warnings all seem to occur for https web sites that use multiple DNS
> records. The warnings coincide with the fact that the clients are unable to
> get the requested page.
>
> I've read the wiki page
> http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
> and I can assert that:
> - we do NAT on the same box that is running Squid
> - both squid and the clients use the same DNS server
>
> I've also tested 3.5.9, and this version also showed these warnings.
> Version 3.5.7 worked fine, and 3.5.8 did too.
>
> So, one of the changes in 3.5.9 caused this behaviour.
>
> Can anyone shed some more light on this? Is this a problem in my setup that
> surfaced with 3.5.9, or is it a problem in Squid?
>
> Thanks a lot for any help,
>
> Roel
>
>
> My (abbreviated) config:
>
> http_port 192.168.9.1:3128 ssl-bump cert=/etc/ssl/certs/server.pem
> http_port 192.168.9.1:3129 intercept
> https_port 192.168.9.1:3130 intercept ssl-bump cert=/etc/ssl/certs/server.pem
> icp_port 0
>
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>
> acl port-direct myportname 192.168.9.1:3128
> ssl_bump none port-direct
> acl port-trans_https myportname 192.168.9.1:3130
> external_acl_type sni children-max=3 children-startup=1 %URI %SRC %METHOD
> %ssl::>sni /usr/bin/squidGuard-aclsni
> acl checksni external sni
>
> ssl_bump peek port-trans_https step1
> ssl_bump terminate port-trans_https step2 checksni
> ssl_bump splice port-trans_https all
>
> sslproxy_cert_error allow all
> sslproxy_flags DONT_VERIFY_PEER
>
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
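The alert text quoted above spells out what Squid is checking: for an intercepted connection, the original destination address (`local=`) must be one of the addresses the proxy itself resolves for the Host/SNI name, otherwise it is flagged as "local IP does not match any domain IP". When a site publishes several A records, the client and the proxy can legitimately see different subsets, and the check fails on benign traffic. The following script is an added triage aid, not code from the thread or from the Squid project: it groups the three `SECURITY ALERT:` lines Squid writes per event, re-runs the same comparison against whatever address set the operator's resolver returns, and summarises per hostname how many client and destination addresses are involved. The sample log reuses the event quoted above (written as single lines, as they are in a real cache.log) plus a second constructed event; the resolver answers are constructed stand-ins in documentation address space, not real DNS data, and `RESOLVER_ANSWERS`, `parse_alerts`, `classify` and `summarize` are names chosen here.

```python
"""Triage Squid 'Host header forgery' alerts against a DNS answer set (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# The detection line as quoted in the thread; in cache.log it is one line.
DETECT_RE = re.compile(
    r"Host header forgery detected on local=(?P<local>[0-9.]+):(?P<lport>\d+)"
    r"\s+remote=(?P<remote>[0-9.]+):(?P<rport>\d+)"
)
# Third line of each event: the Host/SNI name (and port) Squid compared against.
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<host>[^:\s]+)(?::(?P<port>\d+))?")


@dataclass
class ForgeryAlert:
    local_ip: str      # original destination the client actually connected to
    local_port: int
    remote_ip: str     # the intercepted client
    remote_port: int
    host: Optional[str] = None  # filled in from the following "on URL:" line


def parse_alerts(lines: Iterable[str]) -> List[ForgeryAlert]:
    """Group the three SECURITY ALERT lines Squid writes per event."""
    alerts: List[ForgeryAlert] = []
    for line in lines:
        m = DETECT_RE.search(line)
        if m:
            alerts.append(ForgeryAlert(m["local"], int(m["lport"]),
                                       m["remote"], int(m["rport"])))
            continue
        m = URL_RE.search(line)
        if m and alerts and alerts[-1].host is None:
            alerts[-1].host = m["host"]
    return alerts


def classify(alert: ForgeryAlert, answers: Dict[str, Set[str]]) -> str:
    """Repeat Squid's comparison with the addresses *our* resolver returned.

    'mismatch' reproduces the alert; 'match' means the answer set has since
    rotated to include the client's destination, which is the signature of a
    multi-record (round-robin) name rather than a forged Host header.
    """
    if alert.host is None:
        return "no-host"
    ips = answers.get(alert.host)
    if not ips:
        return "unresolved"
    return "match" if alert.local_ip in ips else "mismatch"


def summarize(lines: Iterable[str], answers: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Per hostname: distinct clients, distinct destination IPs, verdict counts."""
    report: Dict[str, dict] = {}
    for a in parse_alerts(lines):
        entry = report.setdefault(a.host or "?", {"clients": set(), "dest_ips": set(), "verdicts": {}})
        entry["clients"].add(a.remote_ip)
        entry["dest_ips"].add(a.local_ip)
        verdict = classify(a, answers)
        entry["verdicts"][verdict] = entry["verdicts"].get(verdict, 0) + 1
    return report


# Constructed sample: event 1 is the one quoted in the thread, event 2 is made up
# (TEST-NET addresses) to show a name whose answer set now contains the destination.
SAMPLE_LOG = [
    "SECURITY ALERT: Host header forgery detected on local=104.46.50.125:443 "
    "remote=192.168.9.126:52588 FD 22 flags=33 (local IP does not match any domain IP)",
    "SECURITY ALERT: By user agent: ",
    "SECURITY ALERT: on URL: nexus.officeapps.live.com:443",
    "SECURITY ALERT: Host header forgery detected on local=192.0.2.12:443 "
    "remote=192.168.9.130:41022 FD 25 flags=33 (local IP does not match any domain IP)",
    "SECURITY ALERT: By user agent: ",
    "SECURITY ALERT: on URL: www.example.net:443",
]

# Constructed stand-in for what the proxy's resolver returned (not real DNS data).
RESOLVER_ANSWERS: Dict[str, Set[str]] = {
    "nexus.officeapps.live.com": {"192.0.2.10", "192.0.2.11"},
    "www.example.net": {"192.0.2.12", "192.0.2.13"},
}

if __name__ == "__main__":
    for host, entry in summarize(SAMPLE_LOG, RESOLVER_ANSWERS).items():
        print(host, sorted(entry["clients"]), sorted(entry["dest_ips"]), entry["verdicts"])
```

Feeding the real cache.log in and replacing `RESOLVER_ANSWERS` with the proxy's current answers (for example from `dig` run on the Squid box) separates two cases: names whose alerts flip between `mismatch` and `match` across runs are round-robin names tripping the check, while a name that stays `mismatch` with a destination outside every answer the proxy ever sees deserves a closer look.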