Description
When using Squid in transparent SSL mode, users may experience problems during navigation.
Many sites often hosted on CDN (facebook, twitter, amazon) can't be correctly rendered and the whole web navigation is much slower.
The problem comes from the implementation of same-origin policy (http://www.squid-cache.org/Advisories/SQUID-2011_1.txt) which blocks sites wrongly considered forged.
The option can't be disabled, see:
- http://www.squid-cache.org/Versions/v3/3.5/cfgman/host_verify_strict.html
- http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
Content of /var/log/squid/cache.log:
2017/03/09 10:48:29 kid1| SECURITY ALERT: Host header forgery detected on local=65.55.138.149:443 remote=192.168.0.128:58436 FD 13 flags=33 (local IP does not match any domain IP)
2017/03/09 10:48:29 kid1| SECURITY ALERT: Host header forgery detected on local=23.1.71.224:443 remote=192.168.0.100:60138 FD 17 flags=33 (local IP does not match any domain IP)
The actual workaround is shipping a patched version of Squid.
Original sources: https://git.centos.org/git/rpms/squid.git
NethServer patch: https://github.com/NethServer/squid/blob/c7/SOURCES/squid-3.5.20-ssl-forgery.patch
Thanks to @filippocarletti
Activity