[squid-dev] [PATCH] Splice to origin cache_peer

Tsantilas Christos chtsanti at users.sourceforge.net
Tue Jun 23 14:54:42 UTC 2015


Currently, Squid cannot redirect intercepted connections that are 
subject to SslBump rules to _originserver_ cache_peer. For example, 
consider Squid that enforces "safe search" by redirecting clients to 
forcesafesearch.example.com. Consider a TLS client that tries to connect 
to www.example.com. Squid needs to send that client to 
forcesafesearch.example.com (without changing the host header and SNI 
information; those would still point to www.example.com for safe search 
to work as intended!).

The admin may configure Squid to send intercepted clients to an 
originserver cache_peer with the forcesafesearch.example.com address. 
Such a configuration does not currently work together with ssl_bump 
peek/splice rules.

This patch:

* Fixes a src/neighbors.cc bug which prevented CONNECT requests from going 
to originserver cache peers. This bug affects both true CONNECT requests 
and intercepted SSL/TLS connections (with fake CONNECT requests). Squid 
uses CachePeer::in_addr.port, which is not meant to be used for the 
HTTP port, apparently. HTTP checks should use CachePeer::http_port instead.

* Changes Squid to not initiate SSL/TLS connection to cache_peer for 
true CONNECT requests.

* Allows forwarding being-peeked (or stared) at connections to 
originserver cache_peers.


This is a Measurement Factory project.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: splice-to-cache-peer-trunk-t6.patch
Type: text/x-patch
Size: 7530 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20150623/bdc670f3/attachment.bin>
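As an added illustration (not part of the post or the attached patch), a minimal squid.conf for the safe-search scenario described above: directive names are Squid 3.5's; the hostnames, ports, certificate path and ACL names are assumptions, as is the exact peer-forwarding behaviour the patch enables.

```conf
# Added example configuration, not from the patch or the post.
# Hostnames, ports, paths and ACL names below are assumptions.

# Intercepted TLS traffic arrives here. With peek+splice Squid never
# bumps, so the certificate is only needed to satisfy the directive.
https_port 3130 intercept ssl-bump cert=/etc/squid/bump.pem

# Step 1: peek at the ClientHello to learn the SNI, then splice.
# The TLS session stays end-to-end, so the Host header and the SNI
# still name www.example.com, which is what safe search relies on.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all

# The origin-server peer that enforces safe search. Squid forwards the
# spliced TLS bytes to it rather than opening its own TLS session
# (the behaviour this patch is meant to make possible; assumption).
cache_peer forcesafesearch.example.com parent 443 0 no-query originserver name=safesearch

# Send only the search host to the peer; everything else goes direct,
# so the peer cannot see or alter unrelated traffic.
acl search_sites ssl::server_name www.example.com
cache_peer_access safesearch allow search_sites
cache_peer_access safesearch deny all
never_direct allow search_sites
```

The client still validates the certificate it receives through the tunnel against www.example.com, so the peer must present one valid for that name for the redirect to work transparently.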