[squid-dev] Fake CONNECT requests during SSL Bump

Steve Hill steve at opendium.com
Tue Sep 22 16:32:39 UTC 2015


Currently, Squid generates a fake CONNECT request for transparently 
proxied HTTPS, and possibly a second fake CONNECT if that connection is 
spliced.  For non-transparently proxied connections, there's a real 
CONNECT, so the first fake CONNECT isn't needed, but the second fake 
CONNECT is also suppressed.

I'm trying to extend Squid to generate an ICAP REQMOD request for each 
ssl bump step, for both transparent and non-transparent connections. 
i.e. for transparent connections the ICAP server would see something like:
CONNECT <ip>:<port> HTTP/1.1     (initial fake CONNECT)
CONNECT <sni>:<port> HTTP/1.1    (step 2: after peeking in step 1)
and for non-transparent:
CONNECT <host>:<port> HTTP/1.1 (initial real CONNECT)
CONNECT <sni>:<port> HTTP/1.1 (step 2: after peeking in step 1)

The idea is that the ICAP server can examine the request and add headers 
to tell Squid whether to peek, bump, splice, etc. at each step.  The 
alternative is to use an external ACL to do this, but that seems more 
messy.  Ideally the step 2 CONNECT would contain all of the headers from 
the real connect in the case of a non-transparent connection.

Originally, I thought I could extend fakeAConnectRequest() to handle 
non-transparent connections and use that, but it seems fraught with 
problems - e.g. I end up with a second connection to the web server, and 
generally odd behaviour which is probably the result of the SSL-bump and 
tunnelling code fighting over the same client connection.

So I'm looking for some advice on what the best way is to go about doing 
this.  Any advice would be appreciated.

Many thanks.

-- 
  - Steve Hill
    Technical Director
    Opendium Limited     http://www.opendium.com

Direct contacts:
    Instant messenger: xmpp:steve at opendium.com
    Email:            steve at opendium.com
    Phone:            sip:steve at opendium.com

Sales / enquiries contacts:
    Email:            sales at opendium.com
    Phone:            +44-1792-824568 / sip:sales at opendium.com

Support contacts:
    Email:            support at opendium.com
    Phone:            +44-1792-825748 / sip:support at opendium.com
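As an added illustration of the flow described above (example code, not from the post or from Squid): a minimal ICAP REQMOD handler that receives the encapsulated CONNECT at each bump step, tells the step-1 form (raw IP, nothing peeked yet) from the step-2 form (peeked SNI), and echoes the request back with a decision header. The ICAP service URI, the `X-SslBump-Action` header name and the `NO_BUMP` allowlist are assumptions chosen for this example, not Squid features.

```python
import ipaddress

# Hypothetical header carrying the per-step decision back to Squid; the post
# does not name one, so this name is assumed.
DECISION_HEADER = "X-SslBump-Action"
# Constructed allowlist of SNI names to tunnel uninspected (e.g. banking).
NO_BUMP = {"bank.example.test"}

def make_reqmod(http_lines):
    """Constructed REQMOD request encapsulating a CONNECT, as Squid would send it."""
    http_hdr = "\r\n".join(http_lines) + "\r\n\r\n"
    return ("REQMOD icap://icap.example.test/bump ICAP/1.0\r\n"
            "Host: icap.example.test\r\n"
            f"Encapsulated: req-hdr=0, null-body={len(http_hdr)}\r\n\r\n" + http_hdr)

def parse_reqmod(raw):
    """Split a null-body REQMOD into its ICAP headers and the encapsulated CONNECT."""
    icap_part, http_part = raw.split("\r\n\r\n")[:2]
    http_lines = http_part.split("\r\n")
    method, authority, _version = http_lines[0].split(" ")
    if method != "CONNECT":
        raise ValueError("SSL bump steps only ever carry CONNECT requests")
    host, _, port = authority.rpartition(":")
    return {"http_lines": http_lines, "host": host, "port": int(port)}

def bump_step(host):
    """Step 1 (transparent fake CONNECT) names a raw IP; step 2 names the peeked SNI."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return 1
    except ValueError:
        return 2

def decide(host):
    """Peek at step 1 to learn the SNI, then splice allowlisted names and bump the rest."""
    if bump_step(host) == 1:
        return "peek"
    return "splice" if host.lower() in NO_BUMP else "bump"

def build_response(parsed, action):
    """ICAP 200 echoing the CONNECT with the decision header appended."""
    http_hdr = "\r\n".join(parsed["http_lines"]) + f"\r\n{DECISION_HEADER}: {action}\r\n\r\n"
    return ("ICAP/1.0 200 OK\r\n"
            f"Encapsulated: req-hdr=0, null-body={len(http_hdr)}\r\n\r\n" + http_hdr)

if __name__ == "__main__":
    for lines in (["CONNECT 192.0.2.10:443 HTTP/1.1", "Host: 192.0.2.10:443"],
                  ["CONNECT bank.example.test:443 HTTP/1.1", "Host: bank.example.test:443"]):
        parsed = parse_reqmod(make_reqmod(lines))
        print(parsed["host"], "->", decide(parsed["host"]))
```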