
[SOLVED] get rid of host forgery detected


ruggerio:
Hi,

I have been trying for a long time to resolve this issue on the proxy:

SECURITY ALERT: Host header forgery detected on local=[blah-ip]:443 remote=[my-ip]:52382 FD 12 flags=33 (local IP does not match any domain IP)

I have read a lot about it; I forced the same IP for DNS on DHCP as I have entered in the proxy, but the problem remains. I have no further clue how to get rid of it and clean my logs.

Any help is appreciated.

BTW, I use dnsmasq as resolver, not Unbound.

neillans:
Been doing some digging, and it seems this is a "feature" that's been added to Squid to validate connections against things like NAT tables to confirm it's a "safe" request.
http://www.squid-cache.org/Doc/config/host_verify_strict/


The problem is by doing the port forward for transparent proxy it breaks the check (or so it appears).

Looks like other vendors have hit this, and patched:

https://github.com/NethServer/dev/issues/5348


Any chance of OPNSense patching?
Causes a lot of problems with SNI inspection - I really don't want to do full SSL decrypt due to having to then maintain a long no-bump list, but the SNI inspect doesn't really work because of this and intermittent failures.
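To make the check discussed above concrete, here is an added Python sketch (not Squid's code and not from any poster in this thread) that parses the cache.log alert line and mirrors the comparison Squid performs on an intercepted connection: the original destination address must be one of the addresses the proxy itself resolves for the Host/SNI name. The resolver views, hostname and addresses are constructed for the demo; the `resolve` callable is an assumed stand-in for the proxy's DNS lookup.

```python
"""Model of Squid's host-header / SNI verification on intercepted
connections, plus a parser for the "Host header forgery" alert line."""
import ipaddress
import re

ALERT_RE = re.compile(
    r"Host header forgery detected on local=(?P<local>[^ ]+):(?P<lport>\d+) "
    r"remote=(?P<remote>[^ ]+):(?P<rport>\d+) FD (?P<fd>\d+) flags=(?P<flags>\d+)"
)


def parse_forgery_alert(line):
    """Return the fields of a forgery alert line, or None for any other line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"local": m.group("local"), "remote": m.group("remote"),
            "fd": int(m.group("fd")), "flags": int(m.group("flags"))}


def verify_intercepted(orig_dst, host, resolve):
    """Mirror the check: the intercepted connection's original destination
    must be one of the addresses the proxy resolves for the Host/SNI name.
    `resolve` (assumed helper) maps a name to an iterable of address strings."""
    answers = {ipaddress.ip_address(a) for a in resolve(host)}
    return ipaddress.ip_address(orig_dst) in answers


# Constructed resolver views: the client's DHCP-supplied DNS and the proxy's
# own resolver return different addresses for the same name (typical for a
# CDN-hosted name, or when the two resolvers differ as in the first post).
CLIENT_DNS = {"www.example.test": ["198.51.100.10"]}   # constructed
PROXY_DNS = {"www.example.test": ["198.51.100.20"]}    # constructed


def demo():
    """Same connection judged with the proxy's view and with the client's view."""
    orig_dst = CLIENT_DNS["www.example.test"][0]   # address the client connected to
    proxy_view = verify_intercepted(orig_dst, "www.example.test", lambda n: PROXY_DNS[n])
    client_view = verify_intercepted(orig_dst, "www.example.test", lambda n: CLIENT_DNS[n])
    return proxy_view, client_view   # (False, True): mismatch triggers the alert
```

The `False` in the first position is the situation that produces the alert in the first post: the client connected to an address its own resolver gave it, and the proxy's resolver disagrees, so the interception check cannot match the original destination to the name.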

franco:
Looks like this is the patch...

https://github.com/NethServer/squid/blob/c7/SOURCES/squid-3.5.20-ssl-forgery.patch

I'm willing to look at it in exchange for a ticket:

https://github.com/opnsense/ports/issues


Cheers,
Franco

neillans:
Done :) #66

franco:
Thanks, 19.1.2 should have a fix.


Cheers,
Franco
