Dear Amos, thank you so much for your quick reply. I have tried to replace my SSL config with your suggestion. But my squid gets an error like this in cache.log:

2017/11/25 13:21:49 kid1| SECURITY ALERT: Host header forgery detected on local=216.58.199.110:443 remote=172.18.18.15:55704 FD 13 flags=33 (local IP does not match any domain IP)
2017/11/25 13:21:49 kid1| SECURITY ALERT: on URL: apis.google.com:443
2017/11/25 13:21:49 kid1| SECURITY ALERT: Host header forgery detected on local=172.217.25.3:443 remote=172.18.18.15:55705 FD 17 flags=33 (local IP does not match any domain IP)
2017/11/25 13:21:49 kid1| SECURITY ALERT: on URL: www.google.com.vn:443
2017/11/25 13:21:53 kid1| SECURITY ALERT: Host header forgery detected on local=157.240.13.35:443 remote=172.18.18.15:55720 FD 22 flags=33 (local IP does not match any domain IP)
2017/11/25 13:21:53 kid1| SECURITY ALERT: on URL: www.facebook.com:443
2017/11/25 13:21:54 kid1| SECURITY ALERT: Host header forgery detected on local=157.240.13.35:443 remote=172.18.18.15:55724 FD 22 flags=33 (local IP does not match any domain IP)
2017/11/25 13:21:54 kid1| SECURITY ALERT: on URL: www.facebook.com:443

So I can't access www.facebook.com. The error in my browser is: *ERR_SSL_PROTOCOL_ERROR*

I found the same issue in this discussion: http://lists.squid-cache.org/pipermail/squid-users/2016-June/011014.html

And then I tried to make my squid a caching DNS itself using Unbound. But it looks like it doesn't work. I get the same error as before installing the caching DNS.
Here is my DNS test on my Squid:

[root@localhost ~]# nslookup
> google.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   google.com
Address: 216.58.203.46

And this is my DNS config in squid.conf:

# --------- DNS AND IP CACHES [4341]
dns_nameservers 127.0.0.1
dns_v4_first on
#original_dst off
client_dst_passthru off
host_verify_strict off
ignore_unknown_nameservers off
dns_timeout 120 seconds
ipcache_size 1024
ipcache_low 90
ipcache_high 95
fqdncache_size 1024
positive_dns_ttl 6 hours
negative_dns_ttl 300 seconds

Could you help me please :(

2017-11-24 20:27 GMT+07:00 Amos Jeffries <squ...@treenet.co.nz>:
> On 25/11/17 02:04, minh hưng đỗ hoàng wrote:
>
>> Dear Squid-users,
>> I want to set up a Squid proxy in transparent mode for http/https traffic
>> without any config on the client side.
>>
>> I use Squid 3.5.20 on CentOS 7. I just installed squid with default features
>> as *yum install squid.*
>>
>> I just did that, but I have some problem with my output logging in
>> access.log. Specifically, my access.log only shows ip_address_server:443 instead
>> of the domain name of the destination server, like this:
>>
>> *1511525732.912 206 172.18.18.15 TAG_NONE/200 0 CONNECT
>> 172.217.24.35:443 - ORIGINAL_DST/172.217.24.35 -*
>>
>> I know that I made some mistake in my squid.conf. But I can't find out
>> how to fix it. Could you please show me how to improve my squid.conf?
>>
>
> You configured "ssl_bump none all".
>
> <https://wiki.squid-cache.org/Features/SslPeekAndSplice#Actions>
> "do not use these with Squid-3.5 and newer"
>
> Use this instead:
>
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump splice all
>
> There should be two log entries per HTTPS connection. One before peek
> happens with raw-IP:port details. And a second one after peek which may
> have a _server_ name (*not* domain name) if and only if the client sends
> TLS SNI extension data.
>
> Amos

--
Thanks & Best Regards,
--------------
Đỗ Hoàng Minh Hưng
Gmail: hoangminh...@gmail.com
Phone: 01234454115
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
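The "Host header forgery detected ... (local IP does not match any domain IP)" alerts quoted above come from Squid's destination check for intercepted connections: it resolves the name the client asked for (the TLS SNI, here apis.google.com or www.facebook.com) with its own resolver and compares the answers with the IP the client actually connected to. When the client and the proxy get different answers for a CDN-hosted name, the check fails even though nothing malicious happened, which is why the thread keeps coming back to DNS. The following script is an added example, not part of this thread or of Squid; it parses cache.log lines of the shape shown in the email to pair each alert with its URL line, models the comparison Squid performs, and produces a per-host triage summary. The log sample and the resolver answers in it are constructed stand-ins for a real cache.log and for the proxy's DNS (the 127.0.0.1 Unbound in the email).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed cache.log sample in the same shape as the lines quoted in the email.
SAMPLE_LOG = """\
2017/11/25 13:21:49 kid1| SECURITY ALERT: Host header forgery detected on local=216.58.199.110:443 remote=172.18.18.15:55704 FD 13 flags=33 (local IP does not match any domain IP)
2017/11/25 13:21:49 kid1| SECURITY ALERT: on URL: apis.google.com:443
2017/11/25 13:21:53 kid1| SECURITY ALERT: Host header forgery detected on local=157.240.13.35:443 remote=172.18.18.15:55720 FD 22 flags=33 (local IP does not match any domain IP)
2017/11/25 13:21:53 kid1| SECURITY ALERT: on URL: www.facebook.com:443
2017/11/25 13:21:54 kid1| SECURITY ALERT: Host header forgery detected on local=157.240.13.35:443 remote=172.18.18.15:55724 FD 22 flags=33 (local IP does not match any domain IP)
2017/11/25 13:21:54 kid1| SECURITY ALERT: on URL: www.facebook.com:443
"""

# local= is the intercepted destination (what the client connected to), remote= is the client.
ALERT_RE = re.compile(
    r"Host header forgery detected on local=(?P<local>[\d.]+):\d+ remote=(?P<remote>[\d.]+):\d+"
)
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<host>[^:\s]+):(?P<port>\d+)")


def parse_alerts(log_text):
    """Pair each 'forgery detected' line with the 'on URL' line that follows it.

    Returns a list of (host, destination_ip, client_ip) tuples.
    """
    events = []
    pending = None
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            pending = (m.group("local"), m.group("remote"))
            continue
        m = URL_RE.search(line)
        if m and pending:
            events.append((m.group("host"), pending[0], pending[1]))
            pending = None
    return events


def verify_destination(dst_ip, resolved_ips):
    """Model of the check behind the alert: the intercepted destination IP must be
    among the addresses the proxy's own resolver returns for the requested name.
    This is a simplified re-implementation for illustration, not Squid's code."""
    dst = ipaddress.ip_address(dst_ip)
    return any(dst == ipaddress.ip_address(ip) for ip in resolved_ips)


def triage(events, resolver):
    """Group alerts by host and compare client destinations with the proxy's answers."""
    by_host = defaultdict(set)
    for host, dst_ip, _client_ip in events:
        by_host[host].add(dst_ip)
    report = {}
    for host, client_ips in by_host.items():
        proxy_ips = set(resolver(host))
        report[host] = {
            "client_destinations": sorted(client_ips),
            "proxy_resolves_to": sorted(proxy_ips),
            # True means the alert would not fire if the proxy saw these answers.
            "all_match": all(verify_destination(ip, proxy_ips) for ip in client_ips),
        }
    return report


# Constructed answers standing in for the proxy's resolver; a real triage would
# query the same nameserver Squid uses (dns_nameservers in the email).
FAKE_PROXY_DNS = {
    "apis.google.com": ["216.58.203.42"],   # different CDN node than the client reached
    "www.facebook.com": ["157.240.13.35"],  # same answer as the client -> passes
}


def fake_resolver(host):
    return FAKE_PROXY_DNS.get(host, [])


if __name__ == "__main__":
    for host, info in triage(parse_alerts(SAMPLE_LOG), fake_resolver).items():
        print(host, info)
```

The report makes the two cases visible: a host where the proxy's resolver agrees with what the client connected to (no alert would be raised) and a host where client and proxy got different CDN addresses. The practical remedy is to have clients and the proxy share one resolver so both see the same answers, which is what the Unbound setup in the email is trying to achieve; the triage above tells you per host whether that has actually happened.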