Re: [squid-users] yahoo mail problem with tproxy (squid 3.1.19, kernel 3.2.21) from Ming-Ching Tiew on 2012-07-24 (squid-users)

From: Ming-Ching Tiew <mctiew_at_yahoo.com>
Date: Tue, 24 Jul 2012 02:25:44 -0700 (PDT)

----- Original Message -----
From: Amos Jeffries <squid3_at_treenet.co.nz>
To: squid-users_at_squid-cache.org

> The HTTP Host: header contains a domain name which does not match the IP address the TCP connection is being

> made to. http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery covers the problem in some detail. For your

> case in particular I suspect the DNS situations need to be checked.

> 219.93.13.235 found by the client is not one of the IPs belonging to us.mg6.mail.yahoo.com which DNS is supplying
> to Squid. On the "big name" websites this is usually caused by Geo-DNS resolution problems rather than client infection.
> But there is no way for Squid to be sure. The only option is for Squid to open a TCP connection directly to that IP

> and hope for the best, or if direct connections are blocked the unable to connect comes up.
>
> NOTE: if you are using cache_peer you can currently only send them requests where the Host header validates as okay,
> or were received as regular forward-proxy / reverse-proxy traffic. (I'm working on that one as I type, but the fix is a few
> days/weeks away).
>
> If you are *not* using cache_peer then you have TCP connectivity problems that need fixing.
>
> You can run 3.1 series for now, or that older beta (ideally not, but if you *really* have to its okay for now). There

> are tweaks and improvements around this right up to the squid-3.2.0.18-20120724-r11624

> <http://master.squid-cache.org/Versions/v3/3.2/RELEASENOTES.html> snapshot with more coming. With

> probably some of the network environment situations mentioned in the wiki needing to be fixed as well.
>
> Amos

As it seems the header forgery is likely a sidetrack issue due to me using different
name servers in squid machine and test client machine. After I synchronized the name

server to be the same, that message does not appear anymore. But still my problem

of unable to logon to yahoo mail in tproxy mode using squid-3.2.0.14 is still there
( logon using intercepting mode is ok ), whereas when using squid-3.2.0.12 and

3.2.0.13, I could logon to yahoo mail.

Therefore the "significant" changes in squid-3.2.0.14 might throw some lights as to
why I could not logon on to yahoo mail in tproxy mode.
Received on Tue Jul 24 2012 - 09:25:54 MDT

This archive was generated by hypermail 2.2.0 : Tue Jul 24 2012 - 12:00:02 MDT