SQUID PROBLEM WITH SITES THAT HAVE MORE THAN ONE IP ADDRESS


SQUID PROBLEM WITH SITES THAT HAVE MORE THAN ONE IP ADDRESS

leomessi983
HI
COULD YOU PLEASE HELP ME?
IN AN INTERCEPTED TOPOLOGY WITH TPROXY I HAVE A PROBLEM.

WHAT IS SQUID'S SOLUTION FOR SITES THAT HAVE MORE THAN ONE IP ADDRESS? FOR EXAMPLE, A SITE LIKE GOOGLE.COM RETURNS A DIFFERENT IP ADDRESS ON EVERY REQUEST, AND IF THE CLIENT GETS IP ADDRESS 1.1.1.1, FOR EXAMPLE, IT IS POSSIBLE THAT SQUID GETS 2.2.2.2 FOR GOOGLE, AND THEN SQUID PROBABLY CANNOT WORK AND SHOWS A FORGERY DETECTED ERROR.

IS THERE ANY WAY TO IGNORE THIS, OR TO USE ONLY ONE DNS SERVER, OR TO PREVENT SQUID OR THE CLIENT FROM RESOLVING URLS?

I use the same DNS server on my clients and my Squid server.
Is there any configuration directive in Squid so that it does not resolve the URLs requested by clients and instead uses the IP addresses the clients resolved?

I use this configuration:

acl acl1 clientside_mark *****
tcp_outgoing_mark ***** acl1
acl https1 ssl::server_name "/Files/blklist"
ssl_bump bump https1 acl1
acl url1 dstdomain "/Files/blklist"
acl Regex1 url_regex "/Files/Reglist"
http_access deny Regex1 acl1
http_access deny url1 acl1


#Http configurations
http_access allow all
http_port 0.0.0.0:3128
http_port 0.0.0.0:3129 tproxy disable-pmtu-discovery=transparent


#Https configurations
reply_header_access Strict-Transport-Security deny all
https_port 3130 tproxy ssl-bump \
        tls-cert=/conf/cert.cer \
        tls-key=/conf/cert.key \
        generate-host-certificates=on dynamic_cert_mem_cache_size=20MB disable-pmtu-discovery=transparent
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 20MB
sslcrtd_children 10 startup=5 idle=1
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all

I got these error messages:

May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| SECURITY ALERT: Host header forgery detected on local=157.240.20.52:443 remote=172.30.28.38:52346 FD 524 flags=17 (local IP does not match any domain IP)
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| SECURITY ALERT: on URL: web.whatsapp.com:443
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| SECURITY ALERT: Host header forgery detected on local=157.240.20.52:443 remote=172.30.28.38:52347 FD 508 flags=17 (local IP does not match any domain IP)
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| SECURITY ALERT: on URL: web.whatsapp.com:443
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| SECURITY ALERT: Host header forgery detected on local=157.240.20.52:443 remote=172.30.31.31:51567 FD 508 flags=17 (local IP does not match any domain IP)
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| SECURITY ALERT: on URL: web.whatsapp.com:443
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| SECURITY ALERT: Host header forgery detected on local=157.240.20.52:443 remote=172.30.31.31:51568 FD 508 flags=17 (local IP does not match any domain IP)
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| SECURITY ALERT: on URL: web.whatsapp.com:443
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| ERROR: negotiating TLS on FD 523: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| Error negotiating SSL connection on FD 518: error:00000001:lib(0):func(0):reason(1) (1/0)
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| ERROR: negotiating TLS on FD 502: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| Error negotiating SSL connection on FD 509: error:00000001:lib(0):func(0):reason(1) (1/0)
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| ERROR: negotiating TLS on FD 527: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| Error negotiating SSL connection on FD 526: error:00000001:lib(0):func(0):reason(1) (1/0)
May 10 12:47:55 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:55| SECURITY ALERT: Host header forgery detected on local=17.57.12.11:443 remote=172.30.14.50:11985 FD 510 flags=17 (local IP does not match any domain IP)
May 10 12:47:55 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:55| SECURITY ALERT: on URL: gsp64-ssl.ls.apple.com:443
May 10 12:47:55 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:55| SECURITY ALERT: Host header forgery detected on local=17.57.12.11:443 remote=172.30.14.50:11986 FD 510 flags=17 (local IP does not match any domain IP)
May 10 12:47:55 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:55| SECURITY ALERT: on URL: gsp64-ssl.ls.apple.com:443
May 10 12:47:55 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:55| SECURITY ALERT: Host header forgery detected on local=17.57.12.11:443 remote=172.30.14.50:12069 FD 510 flags=17 (local IP does not match any domain IP)
May 10 12:47:55 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:55| SECURITY ALERT: on URL: gsp64-ssl.ls.apple.com:443
May 10 12:47:56 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:56| SECURITY ALERT: Host header forgery detected on local=193.23.244.244:443 remote=217.11.23.195:59994 FD 534 flags=17 (local IP does not match any domain IP)
May 10 12:47:56 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:56| SECURITY ALERT: on URL: www.h7ftf4spvav27.com:443
May 10 12:47:57 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:57| ERROR: negotiating TLS on FD 523: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
May 10 12:47:57 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:57| Error negotiating SSL connection on FD 260: error:00000001:lib(0):func(0):reason(1) (1/0)
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Preparing for shutdown after 1786 requests
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Waiting 5 seconds for active connections to finish
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Closing HTTP(S) port 0.0.0.0:3128
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Closing HTTP(S) port 0.0.0.0:3129
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Closing HTTP(S) port 0.0.0.0:3130
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| WARNING: /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 20MB #Hlpr3 exited
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Too few /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 20MB processes are running (need 1/10)
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Starting new helpers
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| helperOpenServers: Starting 1/10 'security_file_certgen' processes
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| WARNING: /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 20MB #Hlpr4 exited
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Too few /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 20MB processes are running (need 1/10)
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| storeDirWriteCleanLogs: Starting...
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58|   Finished.  Wrote 0 entries.
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58|   Took 0.00 seconds (  0.00 entries/sec).
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| FATAL: The /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 20MB helpers are crashing too rapidly, need help!
May 10 12:47:58 squid[] [user:alert:09]: FATAL: The /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 20MB helpers are crashing too rapidly, need help!
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Squid Cache (Version 4.7): Terminated abnormally.
May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Removing PID file (/var/run/squid.pid)


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: SQUID PROBLEM WITH SITES THAT HAVE MORE THAN ONE IP ADDRESS

Amos Jeffries
Administrator
On 11/05/20 8:57 pm, [hidden email] wrote:
> HI
> COULD YOU PLEASE HELP ME?

Please don't yell.

> IN AN INTERCEPTED TOPOLOGY WITH TPROXY I HAVE A PROBLEM.
>
> WHAT IS SQUID'S SOLUTION FOR SITES THAT HAVE MORE THAN ONE IP ADDRESS?
> FOR EXAMPLE, A SITE LIKE GOOGLE.COM RETURNS A DIFFERENT IP ADDRESS ON EVERY
> REQUEST, AND IF THE CLIENT GETS IP ADDRESS 1.1.1.1, FOR EXAMPLE, IT IS
> POSSIBLE THAT SQUID GETS 2.2.2.2 FOR GOOGLE, AND THEN SQUID PROBABLY
> CANNOT WORK AND SHOWS A FORGERY DETECTED ERROR.
>

Squid will still serve requests with Host header forgery issues. All
that will happen is Squid will not cache the response - so no other
clients get corrupted.


> IS THERE ANY WAY TO IGNORE THIS, OR TO USE ONLY ONE DNS SERVER, OR TO PREVENT
> SQUID OR THE CLIENT FROM RESOLVING URLS?


see <https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery>

Amos

>
> I use the same DNS server on my clients and my Squid server.
>
> Is there any configuration directive in Squid so that it does not resolve the URLs requested by clients and instead uses the IP addresses the clients resolved?
>
>
> I use this configuration:
>
> acl acl1 clientside_mark *****
> tcp_outgoing_mark ***** acl1
> acl https1 ssl::server_name "/Files/blklist"
> ssl_bump bump https1 acl1
> acl url1 dstdomain "/Files/blklist"
> acl Regex1 url_regex "/Files/Reglist"
> http_access deny Regex1 acl1
> http_access deny url1 acl1
>
>
> #Http configurations
> http_access allow all

Do not do that.


> http_port 0.0.0.0:3128
> http_port 0.0.0.0:3129 tproxy disable-pmtu-discovery=transparent
>
>
> #Https configurations
> reply_header_access Strict-Transport-Security deny all
> https_port 3130 tproxy ssl-bump \
>         tls-cert=/conf/cert.cer \
>         tls-key=/conf/cert.key \
>         generate-host-certificates=on dynamic_cert_mem_cache_size=20MB
> disable-pmtu-discovery=transparent
> sslcrtd_program /usr/lib64/squid/security_file_certgen -s
> /var/lib/ssl_db -M 20MB
> sslcrtd_children 10 startup=5 idle=1
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump splice all
>
> I got these error messages:
>
...
> May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| ERROR: negotiating TLS on FD 523: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)
> May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| Error negotiating SSL connection on FD 518: error:00000001:lib(0):func(0):reason(1) (1/0)

So TLS is not working. This is your worst problem.

> May 10 12:47:58 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:58| Squid Cache (Version 4.7): Terminated abnormally.

Please upgrade. Current v4 is 4.11.

You may want to consider upgrade to the latest v5 release for better
SSL-Bump behaviour.

Amos
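The check behind the "Host header forgery detected" alerts above is simple: Squid resolves the name it saw in the SNI or Host header and asks whether the IP the client actually connected to (the local= address of the intercepted socket) is among the answers. When it is not, Squid relays the request to that original destination anyway but, as Amos says, does not cache the response. The following Python script is an added example (not Squid's own code) that parses the alert pairs from a cache.log excerpt, re-runs that check against a resolver snapshot, and reports what is forwarded uncacheable. The log lines are copied from the post; the PROXY_DNS table is a constructed stand-in for the proxy-side DNS answers (192.0.2.0/24 is a documentation range), and the helper names are this example's own.

```python
"""Triage Squid 'Host header forgery detected' alerts from cache.log.

Added example, not part of Squid. PROXY_DNS is a constructed snapshot of
"what the proxy's resolver returned"; swap in a real lookup to adapt it.
"""
import re
from collections import Counter
from dataclasses import dataclass

# One alert is two consecutive lines: the socket pair, then the URL.
FORGERY_RE = re.compile(
    r"SECURITY ALERT: Host header forgery detected on "
    r"local=(?P<dest>[\d.]+):\d+ remote=(?P<client>[\d.]+):\d+ "
    r"FD \d+ flags=\d+ \((?P<reason>[^)]*)\)"
)
URL_RE = re.compile(r"SECURITY ALERT: on URL: (?P<host>[^:\s]+):(?P<port>\d+)")


@dataclass(frozen=True)
class ForgeryEvent:
    client: str   # remote=  the intercepted client's address
    dest: str     # local=   the server IP the client itself resolved and hit
    host: str     # name from SNI / Host header that Squid checked
    port: int
    reason: str


def parse_forgery_events(lines):
    """Pair each 'forgery detected' line with the 'on URL:' line that follows it."""
    events, pending = [], None
    for line in lines:
        m = FORGERY_RE.search(line)
        if m is not None:
            pending = m
            continue
        u = URL_RE.search(line)
        if u is not None and pending is not None:
            events.append(ForgeryEvent(pending["client"], pending["dest"],
                                       u["host"], int(u["port"]), pending["reason"]))
            pending = None
    return events


def verdict(event, dns):
    """Re-run Squid's test: is the client's destination IP among the name's answers?"""
    answers = dns.get(event.host)
    if answers is None:
        return "unresolved"
    return "consistent" if event.dest in answers else "mismatch"


def forwarding(event, dns):
    """(upstream IP, cacheable): Squid relays to the client's original destination;
    only a name-consistent response is safe to share with other clients via cache."""
    return event.dest, verdict(event, dns) == "consistent"


def triage(lines, dns):
    """Summarise the alerts so an operator can tell round-robin DNS from one
    client spraying unrelated names at a single IP."""
    events = parse_forgery_events(lines)
    return {
        "events": len(events),
        "verdicts": Counter(verdict(e, dns) for e in events),
        "hosts": Counter(e.host for e in events),
        "clients": Counter(e.client for e in events),
        "uncacheable": sum(1 for e in events if not forwarding(e, dns)[1]),
    }


# Constructed sample: alert lines as posted, plus an unrelated TLS error line
# interleaved to show it is ignored by the pairing logic.
SAMPLE_LOG = [
    "May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| SECURITY ALERT: Host header forgery detected on local=157.240.20.52:443 remote=172.30.28.38:52346 FD 524 flags=17 (local IP does not match any domain IP)",
    "May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| SECURITY ALERT: on URL: web.whatsapp.com:443",
    "May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| SECURITY ALERT: Host header forgery detected on local=157.240.20.52:443 remote=172.30.31.31:51567 FD 508 flags=17 (local IP does not match any domain IP)",
    "May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| SECURITY ALERT: on URL: web.whatsapp.com:443",
    "May 10 12:47:54 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:54| ERROR: negotiating TLS on FD 523: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (1/-1/0)",
    "May 10 12:47:55 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:55| SECURITY ALERT: Host header forgery detected on local=17.57.12.11:443 remote=172.30.14.50:11985 FD 510 flags=17 (local IP does not match any domain IP)",
    "May 10 12:47:55 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:55| SECURITY ALERT: on URL: gsp64-ssl.ls.apple.com:443",
    "May 10 12:47:56 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:56| SECURITY ALERT: Host header forgery detected on local=193.23.244.244:443 remote=217.11.23.195:59994 FD 534 flags=17 (local IP does not match any domain IP)",
    "May 10 12:47:56 squid[23231] [daemon:info:1e]: 2020/05/10 12:47:56| SECURITY ALERT: on URL: www.h7ftf4spvav27.com:443",
]

# Constructed resolver snapshot (documentation addresses, not real records):
# whatsapp's answers omit the client's IP (mismatch), apple's include it
# (consistent), and the last name is absent (unresolved).
PROXY_DNS = {
    "web.whatsapp.com": {"192.0.2.10", "192.0.2.11"},
    "gsp64-ssl.ls.apple.com": {"17.57.12.11", "192.0.2.20"},
}

if __name__ == "__main__":
    for e in parse_forgery_events(SAMPLE_LOG):
        print(f"{e.client} -> {e.dest} ({e.host}): {verdict(e, PROXY_DNS)}")
    print(triage(SAMPLE_LOG, PROXY_DNS))
```

Two things the summary makes visible that the raw log does not: whether the mismatching names are all large multi-address sites hit from internal clients (the round-robin situation the poster describes, where the fix is a shared DNS view as the linked wiki page explains), and whether a single client is the source of alerts for many unrelated names, which is the case the check exists to catch.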