Koozali.org: home of the SME Server

Server and gateway, HTTP Proxy on, some sites report unknown CA

Offline pmulroney

Hi Everyone,
I've just upgraded from SME 9.x to SME 10 using the migration helper.  A few snags along the way, mainly due to old templates causing issues.  I think we're mostly up and running, but I hit a very strange issue accessing the outside world.

Some sites, like our internet banking, dilbert.com, Disney+ on our Apple TV, say that they can't connect.  In the browser when you go to these sites, it says that the certificate was signed by an unknown authority.  One site is our own - www.logicaldevelopments.com.au, which is signed by R3 Let's Encrypt.

I turned off HTTP Proxy, restarted server and workstation, and then the same sites all worked correctly.

It seems that somehow it can't verify the certificate chain or something. 

I've installed a few servers over the years, configured SME, installed a bunch of contribs, but I'm at a loss as to how to troubleshoot this one.  Any help much appreciated!

Regards,
Paul.

Offline Raphaël

Re: Server and gateway, HTTP Proxy on, some sites report unknown CA
« Reply #1 on: July 15, 2021, 09:50:19 AM »
Same type of error.
For example, access to the sme download page works (https://wiki.koozali.org/SME_Server:Download/fr) but when I click on the download link of sme10 it does not work.

Offline TerryF

Re: Server and gateway, HTTP Proxy on, some sites report unknown CA
« Reply #2 on: July 15, 2021, 10:20:15 AM »
I'll try that again :-)

That is the French page, the English only has sme10

Something not right with the fr page
--
qui scribit bis legit

Offline TerryF

--
qui scribit bis legit

Offline Raphaël

Re: Server and gateway, HTTP Proxy on, some sites report unknown CA
« Reply #4 on: July 15, 2021, 10:41:29 AM »
This is the link I see...looks right ??

http://mirror.pialasse.com/releases/10/iso/x86_64/smeserver-10.0-x86_64.iso

yes.
The link is working when the http proxy is deactivated on the smeserver, and not working when the http proxy is activated.

Offline Stefano

Re: Server and gateway, HTTP Proxy on, some sites report unknown CA
« Reply #5 on: July 15, 2021, 11:12:09 AM »
yes.
The link is working when the http proxy is deactivated on the smeserver, and not working when the http proxy is activated.

is there anything interesting in squid's logs?

Offline bunkobugsy

Re: Server and gateway, HTTP Proxy on, some sites report unknown CA
« Reply #6 on: July 15, 2021, 01:39:32 PM »
Same type of error.
For example, access to the sme download page works (https://wiki.koozali.org/SME_Server:Download/fr) but when I click on the download link of sme10 it does not work.

This is the link I see...looks right ??

http://mirror.pialasse.com/releases/10/iso/x86_64/smeserver-10.0-x86_64.iso


Neh, this is just the latest Google Chrome blocking insecure links on secure pages. Open link in new tab/window works.

Wiki should be updated.  https://www.chromestatus.com/feature/5691978677223424

Offline TerryF

Re: Server and gateway, HTTP Proxy on, some sites report unknown CA
« Reply #7 on: July 15, 2021, 02:59:07 PM »
Neh, this is just the latest Google Chrome blocking insecure links on secure pages. Open link in new tab/window works.

Wiki should be updated.  https://www.chromestatus.com/feature/5691978677223424

Nice pickup...
--
qui scribit bis legit

Offline pmulroney

Re: Server and gateway, HTTP Proxy on, some sites report unknown CA
« Reply #8 on: July 16, 2021, 01:49:01 AM »
is there anything interesting in squid's logs?

Here's the end of the log, about the time that we first had issues accessing the sites:

2021/07/03 19:47:02| Current Directory is /
2021/07/03 19:47:02 kid1| Preparing for shutdown after 0 requests
2021/07/03 19:47:02 kid1| Waiting 30 seconds for active connections to finish
2021/07/03 19:47:02 kid1| Closing HTTP port 192.168.86.100:3128
2021/07/03 19:47:02 kid1| Closing HTTP port 127.0.0.1:3128
2021/07/03 19:47:02 kid1| Closing HTTP port 192.168.86.100:8080
2021/07/03 19:47:02 kid1| Closing HTTP port 127.0.0.1:8080
2021/07/03 19:47:02 kid1| Current Directory is /
2021/07/03 19:47:02 kid1| Starting Squid Cache version 3.5.20 for x86_64-redhat-linux-gnu...
2021/07/03 19:47:02 kid1| Service Name: squid
2021/07/03 19:47:02 kid1| Process ID 5784
2021/07/03 19:47:02 kid1| Process Roles: worker
2021/07/03 19:47:02 kid1| With 4096 file descriptors available
2021/07/03 19:47:02 kid1| Initializing IP Cache...
2021/07/03 19:47:02 kid1| DNS Socket created at 0.0.0.0, FD 6
2021/07/03 19:47:02 kid1| Adding domain logicaldevelopments.com.au from /etc/resolv.conf
2021/07/03 19:47:02 kid1| Adding nameserver 192.168.86.100 from /etc/resolv.conf
2021/07/03 19:47:02 kid1| Logfile: opening log /var/log/squid/access.log
2021/07/03 19:47:02 kid1| WARNING: log name now starts with a module name. Use 'stdio:/var/log/squid/access.log'
2021/07/03 19:47:02 kid1| Unlinkd pipe opened on FD 12
2021/07/03 19:47:02 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2021/07/03 19:47:02 kid1| Store logging disabled
2021/07/03 19:47:02 kid1| Swap maxSize 102400 + 262144 KB, estimated 121514 objects
2021/07/03 19:47:02 kid1| Target number of buckets: 6075
2021/07/03 19:47:02 kid1| Using 8192 Store buckets
2021/07/03 19:47:02 kid1| Max Mem  size: 262144 KB
2021/07/03 19:47:02 kid1| Max Swap size: 102400 KB
2021/07/03 19:47:02 kid1| Rebuilding storage in /var/spool/squid (dirty log)
2021/07/03 19:47:02 kid1| Using Least Load store dir selection
2021/07/03 19:47:02 kid1| Current Directory is /
2021/07/03 19:47:03 kid1| Finished loading MIME types and icons.
2021/07/03 19:47:03 kid1| HTCP Disabled.
2021/07/03 19:47:03 kid1| Squid plugin modules loaded: 0
2021/07/03 19:47:03 kid1| Adaptation support is off.
2021/07/03 19:47:03 kid1| Accepting HTTP Socket connections at local=192.168.86.100:3128 remote=[::] FD 15 flags=9
2021/07/03 19:47:03 kid1| Accepting HTTP Socket connections at local=127.0.0.1:3128 remote=[::] FD 16 flags=9
2021/07/03 19:47:03 kid1| Accepting NAT intercepted HTTP Socket connections at local=192.168.86.100:8080 remote=[::] FD 17 flags=41
2021/07/03 19:47:03 kid1| Accepting NAT intercepted HTTP Socket connections at local=127.0.0.1:8080 remote=[::] FD 18 flags=41
2021/07/03 19:47:03 kid1| Done reading /var/spool/squid swaplog (0 entries)
2021/07/03 19:47:03 kid1| Store rebuilding is 0.00% complete
2021/07/03 19:47:03 kid1| Finished rebuilding storage from disk.
2021/07/03 19:47:03 kid1|         0 Entries scanned
2021/07/03 19:47:03 kid1|         0 Invalid entries.
2021/07/03 19:47:03 kid1|         0 With invalid flags.
2021/07/03 19:47:03 kid1|         0 Objects loaded.
2021/07/03 19:47:03 kid1|         0 Objects expired.
2021/07/03 19:47:03 kid1|         0 Objects cancelled.
2021/07/03 19:47:03 kid1|         0 Duplicate URLs purged.
2021/07/03 19:47:03 kid1|         0 Swapfile clashes avoided.
2021/07/03 19:47:03 kid1|   Took 0.12 seconds (  0.00 objects/sec).
2021/07/03 19:47:03 kid1| Beginning Validation Procedure
2021/07/03 19:47:03 kid1|   Completed Validation Procedure
2021/07/03 19:47:03 kid1|   Validated 0 Entries
2021/07/03 19:47:03 kid1|   store_swap_size = 0.00 KB
2021/07/03 19:47:03 kid1| storeLateRelease: released 0 objects
2021/07/03 22:40:52 kid1| SECURITY ALERT: Host header forgery detected on local=17.253.75.208:80 remote=192.168.86.164:50067 FD 22 flags=33 (intercepted port does not match 443)
2021/07/03 22:40:52 kid1| SECURITY ALERT: By user agent: SafariSafeBrowsing/16611.2.7.0.4 CFNetwork/1240.0.4 Darwin/20.5.0
2021/07/03 22:40:52 kid1| SECURITY ALERT: on URL: proxy-safebrowsing.googleapis.com:443
2021/07/03 22:40:52 kid1| abandoning local=17.253.75.208:80 remote=192.168.86.164:50067 FD 22 flags=33
2021/07/03 23:11:31 kid1| SECURITY ALERT: Host header forgery detected on local=17.253.75.207:80 remote=192.168.86.164:50072 FD 14 flags=33 (intercepted port does not match 443)
2021/07/03 23:11:31 kid1| SECURITY ALERT: By user agent: SafariSafeBrowsing/16611.2.7.0.4 CFNetwork/1240.0.4 Darwin/20.5.0
2021/07/03 23:11:31 kid1| SECURITY ALERT: on URL: proxy-safebrowsing.googleapis.com:443
2021/07/03 23:11:31 kid1| abandoning local=17.253.75.207:80 remote=192.168.86.164:50072 FD 14 flags=33
2021/07/03 23:41:23 kid1| SECURITY ALERT: Host header forgery detected on local=17.253.75.207:80 remote=192.168.86.164:50084 FD 30 flags=33 (intercepted port does not match 443)
2021/07/03 23:41:23 kid1| SECURITY ALERT: By user agent: SafariSafeBrowsing/16611.2.7.0.4 CFNetwork/1240.0.4 Darwin/20.5.0
2021/07/03 23:41:23 kid1| SECURITY ALERT: on URL: proxy-safebrowsing.googleapis.com:443
2021/07/03 23:41:23 kid1| abandoning local=17.253.75.207:80 remote=192.168.86.164:50084 FD 30 flags=33
2021/07/04 00:10:58 kid1| SECURITY ALERT: Host header forgery detected on local=17.253.67.207:80 remote=192.168.86.164:50093 FD 21 flags=33 (intercepted port does not match 443)
2021/07/04 00:10:58 kid1| SECURITY ALERT: By user agent: SafariSafeBrowsing/16611.2.7.0.4 CFNetwork/1240.0.4 Darwin/20.5.0
2021/07/04 00:10:58 kid1| SECURITY ALERT: on URL: proxy-safebrowsing.googleapis.com:443
2021/07/04 00:10:58 kid1| abandoning local=17.253.67.207:80 remote=192.168.86.164:50093 FD 21 flags=33
2021/07/04 00:41:09 kid1| SECURITY ALERT: Host header forgery detected on local=17.253.75.207:80 remote=192.168.86.164:50101 FD 25 flags=33 (intercepted port does not match 443)
2021/07/04 00:41:09 kid1| SECURITY ALERT: By user agent: SafariSafeBrowsing/16611.2.7.0.4 CFNetwork/1240.0.4 Darwin/20.5.0
2021/07/04 00:41:09 kid1| SECURITY ALERT: on URL: proxy-safebrowsing.googleapis.com:443
2021/07/04 00:41:09 kid1| abandoning local=17.253.75.207:80 remote=192.168.86.164:50101 FD 25 flags=33
2021/07/04 01:10:59 kid1| SECURITY ALERT: Host header forgery detected on local=17.253.75.207:80 remote=192.168.86.164:50107 FD 11 flags=33 (intercepted port does not match 443)
2021/07/04 01:10:59 kid1| SECURITY ALERT: By user agent: SafariSafeBrowsing/16611.2.7.0.4 CFNetwork/1240.0.4 Darwin/20.5.0
2021/07/04 01:10:59 kid1| SECURITY ALERT: on URL: proxy-safebrowsing.googleapis.com:443
2021/07/04 01:10:59 kid1| abandoning local=17.253.75.207:80 remote=192.168.86.164:50107 FD 11 flags=33
2021/07/04 01:41:15 kid1| SECURITY ALERT: Host header forgery detected on local=17.253.67.208:80 remote=192.168.86.164:50115 FD 32 flags=33 (intercepted port does not match 443)
2021/07/04 01:41:15 kid1| SECURITY ALERT: By user agent: SafariSafeBrowsing/16611.2.7.0.4 CFNetwork/1240.0.4 Darwin/20.5.0
2021/07/04 01:41:15 kid1| SECURITY ALERT: on URL: proxy-safebrowsing.googleapis.com:443
2021/07/04 01:41:15 kid1| abandoning local=17.253.67.208:80 remote=192.168.86.164:50115 FD 32 flags=33
2021/07/04 02:11:34 kid1| SECURITY ALERT: Host header forgery detected on local=17.253.75.208:80 remote=192.168.86.164:50129 FD 24 flags=33 (intercepted port does not match 443)
2021/07/04 02:11:34 kid1| SECURITY ALERT: By user agent: SafariSafeBrowsing/16611.2.7.0.4 CFNetwork/1240.0.4 Darwin/20.5.0
2021/07/04 02:11:34 kid1| SECURITY ALERT: on URL: proxy-safebrowsing.googleapis.com:443
2021/07/04 02:11:34 kid1| abandoning local=17.253.75.208:80 remote=192.168.86.164:50129 FD 24 flags=33
2021/07/04 02:41:34 kid1| SECURITY ALERT: Host header forgery detected on local=17.253.75.208:80 remote=192.168.86.164:50137 FD 28 flags=33 (intercepted port does not match 443)
2021/07/04 02:41:34 kid1| SECURITY ALERT: By user agent: SafariSafeBrowsing/16611.2.7.0.4 CFNetwork/1240.0.4 Darwin/20.5.0
2021/07/04 02:41:34 kid1| SECURITY ALERT: on URL: proxy-safebrowsing.googleapis.com:443
2021/07/04 02:41:34 kid1| abandoning local=17.253.75.208:80 remote=192.168.86.164:50137 FD 28 flags=33
2021/07/04 03:11:39 kid1| SECURITY ALERT: Host header forgery detected on local=17.253.75.208:80 remote=192.168.86.164:50155 FD 26 flags=33 (intercepted port does not match 443)
2021/07/04 03:11:39 kid1| SECURITY ALERT: By user agent: SafariSafeBrowsing/16611.2.7.0.4 CFNetwork/1240.0.4 Darwin/20.5.0
2021/07/04 03:11:39 kid1| SECURITY ALERT: on URL: proxy-safebrowsing.googleapis.com:443
2021/07/04 03:11:39 kid1| abandoning local=17.253.75.208:80 remote=192.168.86.164:50155 FD 26 flags=33
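
Added example, not part of the original thread or of Squid: one way to condense the repeated "SECURITY ALERT: Host header forgery" records of a cache.log like the one posted above into a count per client, intercepted destination, requested URL and reason. The sample log is constructed (documentation addresses, hypothetical agent and host names), and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the format of the cache.log excerpt above; the last
# record is deliberately cut off to show how a truncated log is handled.
SAMPLE_LOG = """\
2021/07/03 22:40:52 kid1| SECURITY ALERT: Host header forgery detected on local=198.51.100.8:80 remote=192.0.2.10:50067 FD 22 flags=33 (intercepted port does not match 443)
2021/07/03 22:40:52 kid1| SECURITY ALERT: By user agent: ExampleAgent/1.0
2021/07/03 22:40:52 kid1| SECURITY ALERT: on URL: proxy.example.net:443
2021/07/03 22:40:52 kid1| abandoning local=198.51.100.8:80 remote=192.0.2.10:50067 FD 22 flags=33
2021/07/03 23:11:31 kid1| SECURITY ALERT: Host header forgery detected on local=198.51.100.8:80 remote=192.0.2.10:50072 FD 14 flags=33 (intercepted port does not match 443)
2021/07/03 23:11:31 kid1| SECURITY ALERT: By user agent: ExampleAgent/1.0
2021/07/03 23:11:31 kid1| SECURITY ALERT: on URL: proxy.example.net:443
2021/07/03 23:11:31 kid1| abandoning local=198.51.100.8:80 remote=192.0.2.10:50072 FD 14 flags=33
2021/07/04 00:10:58 kid1| SECURITY ALERT: Host header forgery detected on local=198.51.100.9:80 remote=192.0.2.11:50100 FD 21 flags=33 (local IP does not match any domain IP)
"""

# First line of a record: intercepted destination, client and the reason in parentheses.
ALERT = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) kid\d+\| SECURITY ALERT: "
    r"Host header forgery detected on local=(?P<dst>\S+) "
    r"remote=(?P<client>\S+):\d+ .*\((?P<reason>[^)]*)\)\s*$")
# Follow-up lines of the same record.
DETAIL = re.compile(r"\| SECURITY ALERT: (?P<key>By user agent|on URL): (?P<val>.*)$")

def parse_forgery_alerts(text):
    """Return one dict per alert; agent/url stay None if the record is incomplete."""
    records, current = [], None
    for line in text.splitlines():
        m = ALERT.match(line)
        if m:
            current = dict(m.groupdict(), agent=None, url=None)
            records.append(current)
            continue
        d = DETAIL.search(line)
        if d and current is not None:
            current["agent" if d["key"] == "By user agent" else "url"] = d["val"].strip()
        elif "SECURITY ALERT" not in line:
            current = None  # e.g. the "abandoning" line closes the record

    return records

def summarize(records):
    """Count alerts per (client, intercepted destination, URL, reason)."""
    return Counter((r["client"], r["dst"], r["url"], r["reason"]) for r in records)

if __name__ == "__main__":
    for key, count in summarize(parse_forgery_alerts(SAMPLE_LOG)).most_common():
        print(count, *key)
```
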