Transparent HTTPS proxy

I just started some tests; for now I can’t reproduce the memory usage problems, but I will keep you informed.

The main issue I found is that some resources are inaccessible, mostly images or scripts from CDNs.
You can find these kinds of lines inside /var/log/squid/cache.log:

2016/12/09 09:44:18 kid1| SECURITY ALERT: on URL: avatars0.githubusercontent.com:443
2016/12/09 09:44:18 kid1| SECURITY ALERT: Host header forgery detected on local=151.101.60.133:443 remote=192.168.5.22:40950 FD 166 flags=33 (local IP does not match any domain IP)

In this case, when accessing GitHub, the avatars won’t be displayed by the browser, and you can find a “Timeout error” for the images that were not loaded.

I guess you’re facing the same problem. Could you try to verify it with this command?

grep "Host header forgery detected" /var/log/squid/cache.log

There is no real working fix for this, but there are a couple of workarounds:

  • do not use 8.8.8.8 as your external DNS (I didn’t see any difference even with other DNS servers)
  • make sure all clients use the same DNS (this is effective)
  • configure all clients to explicitly use the proxy (this works great)

You can find more information here:

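To go one step beyond the grep in the post above, the following added example (not part of the original post or of any project's code) pairs each "on URL" line with the forgery alert that follows it and counts alerts per host, client IP and destination IP. The function names are hypothetical, the log layout is assumed to match the two lines quoted in the post, and the sample entries after the first pair are constructed.

```shell
#!/bin/sh
# Added example: summarise Squid "Host header forgery" alerts from cache.log.

# sample_log: the alert pair quoted in the post plus constructed entries.
sample_log() {
cat <<'EOF'
2016/12/09 09:44:18 kid1| SECURITY ALERT: on URL: avatars0.githubusercontent.com:443
2016/12/09 09:44:18 kid1| SECURITY ALERT: Host header forgery detected on local=151.101.60.133:443 remote=192.168.5.22:40950 FD 166 flags=33 (local IP does not match any domain IP)
2016/12/09 09:44:19 kid1| SECURITY ALERT: on URL: avatars0.githubusercontent.com:443
2016/12/09 09:44:19 kid1| SECURITY ALERT: Host header forgery detected on local=151.101.60.133:443 remote=192.168.5.22:40952 FD 170 flags=33 (local IP does not match any domain IP)
2016/12/09 09:45:02 kid1| SECURITY ALERT: on URL: cdn.example.test:443
2016/12/09 09:45:02 kid1| SECURITY ALERT: Host header forgery detected on local=203.0.113.10:443 remote=192.168.5.30:51122 FD 171 flags=33 (local IP does not match any domain IP)
EOF
}

# summarize_forgery [FILE...]: prints "count host client_ip dest_ip",
# most frequent first. Reads stdin when no file is given.
summarize_forgery() {
    awk '
    # First line of a pair: remember the host:port the alert refers to.
    /SECURITY ALERT: on URL:/ { url = $NF; next }
    /SECURITY ALERT: Host header forgery detected/ {
        dest = ""; client = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^local=/)  dest   = substr($i, 7)   # IP the client connected to
            if ($i ~ /^remote=/) client = substr($i, 8)   # client behind the proxy
        }
        sub(/:[0-9]+$/, "", dest)      # drop the port numbers
        sub(/:[0-9]+$/, "", client)
        host = (url != "") ? url : "unknown"
        count[host " " client " " dest]++
        url = ""
    }
    END { for (k in count) print count[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Summarise the given log files, or the constructed sample when none is given.
if [ $# -gt 0 ]; then summarize_forgery "$@"; else sample_log | summarize_forgery; fi
```

Run it as `sh script.sh /var/log/squid/cache.log`. Clients that still appear after the DNS workaround are the ones resolving the host to an IP that Squid's own resolver does not return.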