Re: [squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

2015-10-08 Thread Roel van Meer
Eliezer Croitoru writes: Are the users and proxy using different dns server? No, they are using the same server. Can you run dig from the proxy on this domain and dump the content to verify that the ip is indeed there? I'm currently running with 3.5.8 again, so I'll have to find a quiet h

[squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

2015-10-06 Thread Roel van Meer
Hi everyone, I have a Squid setup on a Linux box with transparent interception of both http and https traffic. Everything worked fine with Squid 3.5.6. After upgrading to version 3.5.10, I get many warnings about host header forgery: SECURITY ALERT: Host header forgery detected on local=10

Re: [squid-users] peek/splice working with lynx but not with firefox or chrome [SOLVED]

2015-03-10 Thread Roel van Meer
Roel van Meer writes: >> > I'm using squid 3.5.2 built with openssl 0.9.8zc on Slackware 13.1. >> > Traffic is redirected from port 443 to 3130 with iptables. >> >> ... and with an older version of OpenSSL missing many of the last few >> years worth

Re: [squid-users] peek/splice working with lynx but not with firefox or chrome

2015-03-10 Thread Roel van Meer
Amos Jeffries writes: see Nathan Hoad's thread just the other day about a setup same as yours NOT working. There are two patches that need applying. One already in the 3.5 series snapshots to fix SNI on some traffic cases, one still in QA review for adding an ACL "server_name" that can match SNI

Re: [squid-users] peek/splice working with lynx but not with firefox or chrome

2015-03-10 Thread Roel van Meer
Amos Jeffries writes: > The relevant portions of squid.conf: > > https_port 192.168.13.1:3130 intercept ssl-bump options=ALL > cert=/etc/ssl/certs/server.pem With "options=ALL" you have enabled all features in the OpenSSL library including features which can cause the popular modern browsers t

[squid-users] peek/splice working with lynx but not with firefox or chrome

2015-03-10 Thread Roel van Meer
Hi list! I'm trying to get peek/splice working with intercepted https connections. The final goal is to accept or reject connections based on the SNI info that we get from the first peek. So first, I would like to be able to do peek/splice on all requests, and then later I can use an extern

Re: [squid-users] Fast acl for ip-based url

2015-03-10 Thread Roel van Meer
Amos Jeffries writes: > is there a fast acl to match ip-based urls? > > I would have thought to use dstdom_regex, but the docs say that a > reverse lookup is done if no match is found, which means (I think) that > it will become a slow acl for all regular urls. dtsdom* will only do a lookup if

[squid-users] Fast acl for ip-based url

2015-03-10 Thread Roel van Meer
Hi list, is there a fast acl to match ip-based urls? I would have thought to use dstdom_regex, but the docs say that a reverse lookup is done if no match is found, which means (I think) that it will become a slow acl for all regular urls. Thanks, Roel