OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: FCM on November 03, 2017, 03:37:25 pm

Title: Transparent Proxy : HTTPS blacklisted website get no warning message
Post by: FCM on November 03, 2017, 03:37:25 pm
Hello again :)

So, one of my last problems is that when people go to blacklisted HTTPS websites, the page is blocked but they get no message (it works well in HTTP).

Instead they get a failure on the connected page, with the error code SSL_ERROR_RX_RECORD_TOO_LONG...

I am using the "Enable SSL inspection" option because our director doesn't want the man-in-the-middle operating mode, nor the certificate obligation...

So, the proxy does the job of blacklisting websites, but people will not know why the page is not shown: they will blame our service when they should blame their behaviour...

Logs return this message:
Code:
kid1| SECURITY ALERT: Host header forgery detected on local=52.178.178.16:443 remote=192.168.4.10:55420 FD 36 flags=33 (local IP does not match any domain IP)
Thanks in advance if someone has a clue.
:)
Title: Re: Transparent Proxy : HTTPS blacklisted website get no warning message
Post by: fabian on November 03, 2017, 08:08:51 pm
This is a DNS issue. Squid raises this warning / error if the destination IP and the name Squid resolves (via DNS) don't match.
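An added diagnostic, written for this reply and not taken from the thread, OPNsense or Squid: it parses the alert line quoted above and reproduces the comparison Squid makes, i.e. the IP the client actually connected to must appear in the answer the proxy's own resolver returns for the name. The resolver tables and hostnames (www.example.org, mail.example.org) are constructed; on a real proxy you would pass system_resolver in place of the proxy-side table.

```python
import re
import socket

# Constructed copy of the alert format quoted in the thread (IPs as posted there).
SAMPLE_LOG = (
    "kid1| SECURITY ALERT: Host header forgery detected on "
    "local=52.178.178.16:443 remote=192.168.4.10:55420 FD 36 flags=33 "
    "(local IP does not match any domain IP)"
)

# Constructed resolver answers; for mail.example.org the client's DNS (e.g. an upstream firewall) disagrees with the proxy's.
PROXY_DNS = {
    "www.example.org": ["52.178.178.16", "52.178.178.17"],
    "mail.example.org": ["203.0.113.10"],
}
CLIENT_DNS = {
    "www.example.org": ["52.178.178.16"],
    "mail.example.org": ["198.51.100.20"],
}

ALERT_RE = re.compile(
    r"Host header forgery detected on local=(?P<local>[\d.]+):(?P<port>\d+) "
    r"remote=(?P<remote>[\d.]+):\d+"
)

def parse_alert(line):
    """Pull the real destination ('local' in Squid's wording) and the client out of one alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"dest_ip": m["local"], "port": int(m["port"]), "client": m["remote"]}

def table_resolver(table):
    """Offline stand-in for a DNS lookup, backed by one of the tables above."""
    return lambda name: list(table.get(name, []))

def system_resolver(name):
    """Live lookup through this host's resolver (run this on the proxy itself)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 443, socket.AF_INET)})
    except socket.gaierror:
        return []

def classify(name, dest_ip, proxy_resolve, client_resolve):
    """Squid's test (dest_ip among the proxy's answers for name); on failure, tell split DNS from an unrelated target."""
    if dest_ip in proxy_resolve(name):
        return "ok"            # Squid accepts the CONNECT/SNI as genuine
    if dest_ip in client_resolve(name):
        return "split-dns"     # client and proxy resolve the name differently
    return "unrelated"         # the destination is not this name at all
```

A "split-dns" result means the clients and the proxy are getting different answers for the same name, which is the mismatch that triggers the alert.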
Title: Re: Transparent Proxy : HTTPS blacklisted website get no warning message
Post by: FCM on November 06, 2017, 10:41:53 am
Thanks for the information.
I presume it's the city hall Stormshield firewall, which has its own DNS that messes everything up... I will see what happens on the production site :)
Title: Re: Transparent Proxy : HTTPS blacklisted website get no warning message
Post by: FCM on November 17, 2017, 11:35:39 am
Hello
I thought that putting only the FAI DNS in general settings would resolve the problem, but it didn't.

And I have the same problem on the google.fr/google.com sites, neither accessible, with the same error message :(
So I will have to find something because gmail users want my head...

So general settings: FAI DNS, resolv.conf the same, FAI router the same... what did I miss?
Thanks