On 12/05/20 1:01 am, Matus UHLAR - fantomas wrote:
> we have intercepting squid on one router and these messages started to appear:
> 2020/05/11 13:41:23 kid1| SECURITY ALERT: Host header forgery detected
> on local=[XXX]:80 remote=192.168.1.224:1040 FD 69 flags=33 (intercepted
> port does not match 443)
> 2020/05/11 13:41:23 kid1| SECURITY ALERT: By user agent: Microsoft BITS/6.7
> 2020/05/11 13:41:23 kid1| SECURITY ALERT: on URL: armmf.adobe.com:443
> 2020/05/11 13:41:23 kid1| kick abandoning local=[XXX]:80
> remote=192.168.1.224:1040 FD 69 flags=33
> I am aware of possible interception issues but what exactly does this
> message mean? The original destination port is 80, why does squid complain
> about it not being port 443?
The HTTP Host header says the client was connecting to a server on port
443. Yet the TCP packets came, as you say, from port 80.
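
An added example, not part of the original thread and not Squid's own code: a small triage parser that joins each multi-line alert from `cache.log` into one record, so the port named in the request can be compared with the intercepted port. It assumes the three-line alert layout shown in the post; the function and field names are hypothetical.

```python
import re

# Log lines from the post above, with the mail client's line wrapping undone.
# "[XXX]" is the poster's own redaction of the local address.
SAMPLE_LOG = """\
2020/05/11 13:41:23 kid1| SECURITY ALERT: Host header forgery detected on local=[XXX]:80 remote=192.168.1.224:1040 FD 69 flags=33 (intercepted port does not match 443)
2020/05/11 13:41:23 kid1| SECURITY ALERT: By user agent: Microsoft BITS/6.7
2020/05/11 13:41:23 kid1| SECURITY ALERT: on URL: armmf.adobe.com:443
2020/05/11 13:41:23 kid1| kick abandoning local=[XXX]:80 remote=192.168.1.224:1040 FD 69 flags=33
"""

HEAD = re.compile(
    r"SECURITY ALERT: Host header forgery detected on "
    r"local=(?P<local>\S+):(?P<lport>\d+) remote=(?P<remote>\S+):(?P<rport>\d+)"
    r".*?\((?P<reason>[^)]*)\)")
AGENT = re.compile(r"SECURITY ALERT: By user agent: (?P<agent>.*)")
URL = re.compile(r"SECURITY ALERT: on URL: (?P<url>\S+)")

def url_port(url):
    """Port named by the request target; None when no explicit port is given."""
    authority = url.split("://", 1)[-1].split("/", 1)[0]
    m = re.search(r":(\d+)$", authority)
    return int(m.group(1)) if m else None

def parse_alerts(text):
    """Join each alert (header, user agent, URL lines) into one record."""
    alerts, cur = [], None
    for line in text.splitlines():
        if (m := HEAD.search(line)):
            cur = {"client": m["remote"], "intercepted_port": int(m["lport"]),
                   "reason": m["reason"], "agent": None, "url": None,
                   "requested_port": None}
            alerts.append(cur)
        elif cur and (m := AGENT.search(line)):
            cur["agent"] = m["agent"].strip()
        elif cur and (m := URL.search(line)):
            cur["url"] = m["url"]
            cur["requested_port"] = url_port(m["url"])
            cur = None  # alert complete; later lines belong to the next one
    return alerts

if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_LOG):
        print(f'{a["client"]} ({a["agent"]}): request names port '
              f'{a["requested_port"]}, intercepted on port {a["intercepted_port"]}')
```

Grouping the resulting records by client and user agent shows which hosts and programs are producing the mismatched requests.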