[SOLVED] get rid of host forgery detected
ruggerio:
Hi,
I have been trying for a long time to resolve this issue on the proxy:
SECURITY ALERT: Host header forgery detected on local=[blah-ip]:443 remote=[my-ip]:52382 FD 12 flags=33 (local IP does not match any domain IP)
I read a lot about it; it forces the same IP for the DNS on DHCP as I have entered in the proxy, but the problem remains. I have no further clue how to get rid of it and clean my logs.
Any help is appreciated.
BTW, I use dnsmasq as resolver, not Unbound.
neillans:
Been doing some digging, and it seems this is a "feature" that's been added to Squid to validate connections against things like NAT tables to confirm it's a "safe" request.
http://www.squid-cache.org/Doc/config/host_verify_strict/
The problem is by doing the port forward for transparent proxy it breaks the check (or so it appears).
Looks like other vendors have hit this, and patched:
https://github.com/NethServer/dev/issues/5348
Any chance of OPNSense patching?
Causes a lot of problems with SNI inspection - I really don't want to do full SSL decrypt due to having to then maintain a long no-bump list, but the SNI inspect doesn't really work because of this and intermittent failures.
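To make the check discussed above concrete, here is an added example (not code from the thread, OPNsense or Squid): it parses the cache.log alert line quoted in the first post, counts alerts per client/destination pair so a noisy client or a single unresolvable destination stands out, and models in simplified form the verification Squid performs on intercepted traffic, comparing the connection's original destination with the addresses the Host header or SNI name resolves to. The log lines and addresses are constructed samples.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Pattern for the cache.log alert quoted in the thread. Squid writes bare
# addresses (IPv6 in brackets); the optional brackets also accept the
# redacted "[blah-ip]" form used in the post.
ALERT_RE = re.compile(
    r"SECURITY ALERT: Host header forgery detected on "
    r"local=\[?(?P<local>[^\]\s]+?)\]?:(?P<lport>\d+) "
    r"remote=\[?(?P<remote>[^\]\s]+?)\]?:(?P<rport>\d+) "
    r"FD (?P<fd>\d+) flags=(?P<flags>\d+) \((?P<reason>[^)]*)\)"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None for any other log line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("lport", "rport", "fd", "flags"):
        d[k] = int(d[k])
    return d

def verify_host(orig_dst, resolved_ips):
    """Simplified model of the check behind the alert: the intercepted
    connection's original destination ('local' in the log) must be one of
    the addresses the Host/SNI name resolves to. Returns (ok, reason)."""
    if ip_address(orig_dst) in {ip_address(ip) for ip in resolved_ips}:
        return True, "local IP matches a domain IP"
    return False, "local IP does not match any domain IP"

def summarize_alerts(lines):
    """Count alerts per (remote client, local destination) pair."""
    counts = Counter()
    for a in map(parse_alert, lines):
        if a:
            counts[(a["remote"], a["local"])] += 1
    return counts

# Constructed sample log lines (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_LOG = [
    "2019/02/01 10:00:01 kid1| SECURITY ALERT: Host header forgery detected on "
    "local=203.0.113.10:443 remote=192.0.2.5:52382 FD 12 flags=33 "
    "(local IP does not match any domain IP)",
    "2019/02/01 10:00:02 kid1| SECURITY ALERT: Host header forgery detected on "
    "local=203.0.113.10:443 remote=192.0.2.5:52390 FD 14 flags=33 "
    "(local IP does not match any domain IP)",
    "2019/02/01 10:00:03 kid1| SECURITY ALERT: Host header forgery detected on "
    "local=[2001:db8::10]:443 remote=[2001:db8::5]:40000 FD 15 flags=33 "
    "(local IP does not match any domain IP)",
    "2019/02/01 10:00:04 kid1| (constructed non-alert line, ignored by parser)",
]
```

Run `summarize_alerts` over the real cache.log to see which clients and destinations generate the noise; if the same destination IP keeps failing, compare what the proxy's resolver returns for that name with the address the client connected to.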
franco:
Looks like this is the patch...
https://github.com/NethServer/squid/blob/c7/SOURCES/squid-3.5.20-ssl-forgery.patch
I'm willing to look at it in exchange for a ticket:
https://github.com/opnsense/ports/issues
Cheers,
Franco
neillans:
Done :) #66
franco:
Thanks, 19.1.2 should have a fix.
Cheers,
Franco