[squid-dev] [PATCH] Second adaptation missing for CONNECTs

Christos Tsantilas christos at chtsanti.net
Thu Apr 13 13:10:15 UTC 2017


If there are no objections, I will apply this patch to the squid-5 branch.


On 31/03/2017 04:21 PM, Christos Tsantilas wrote:
> Hi all,
>
> Squid does not send CONNECT request to adaptation services if the
> "ssl_bump splice" rule matched at step 2. This adaptation is important
> because the CONNECT request gains SNI information during the second
> SslBump step. This is a regression bug, possibly caused by the Squid bug
> 4529 fix (trunk commits r14913 and r14914).
>
> Notes
> =====
>
> Transparent interception vs normal proxy
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   For transparent CONNECT requests, the second request sent to the
> adaptation service (and url-rewriter etc), uses the SNI name as hostname
> in request url and Host header. This is not true for normal CONNECT
> requests.
>
> However the user still is able to gain SNI information using
> adaptation_meta. For example the following configuration line:
>
>     adaptation_meta X-SNI-Info "%ssl::>sni" all
>
> Will send the SNI info using the X-SNI-Info header to the ICAP service.
>
>
> Avoid sending second CONNECT request to adaptation
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> The users may not want to send the second request to the adaptation
> services. In this case they can use acls as follows:
>
>     acl step1 at_step  SslBump1
>     acl step2 at_step  SslBump2
>     acl markSpliced annotate_client spliced=true
>
>     ssl_bump peek step1
>     ssl_bump splice step2 markSpliced
>
>     acl markedSpliced note spliced true
>
>     adaptation_access class_reqmodifing deny markedSpliced
>     adaptation_access class_reqmodifing allow all
>
>
>
>
> This is a Measurement Factory project.


-- 
Tsantilas Christos
Network and Systems Engineer
email:christos at chtsanti.net
   web:http://www.chtsanti.net
Phone:+30 6977678842
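
The `adaptation_meta` line quoted above puts the SNI into an ICAP request header, so for a normal (non-transparent) CONNECT an ICAP service has to read it from there rather than from the request URL. The following is an added Python sketch of that lookup on the service side, not code from the patch or from Squid; the sample message, its host names and addresses, and the treatment of a missing or `-` value as "no SNI" are assumptions constructed for illustration.

```python
# Constructed ICAP REQMOD message for the second (step 2) adaptation of a
# normal, non-transparent CONNECT. Host names and addresses are made up.
SAMPLE_REQMOD = (
    b"REQMOD icap://icap.example.net:1344/reqmod ICAP/1.0\r\n"
    b"Host: icap.example.net:1344\r\n"
    b"X-SNI-Info: www.example.com\r\n"
    b"Encapsulated: req-hdr=0, null-body=57\r\n"
    b"\r\n"
    b"CONNECT 192.0.2.10:443 HTTP/1.1\r\n"
    b"Host: 192.0.2.10:443\r\n"
    b"\r\n"
)


def parse_headers(block):
    """Split a CRLF header block into (start_line, {lowercased name: value})."""
    lines = block.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def inspect_connect(icap_message, meta_header="X-SNI-Info"):
    """Return the CONNECT host, the SNI from the meta header, and a mismatch flag."""
    # ICAP headers end at the first empty line; the encapsulated HTTP
    # request headers follow (a CONNECT has no body, hence null-body).
    icap_part, _, http_part = icap_message.partition(b"\r\n\r\n")
    start, icap_headers = parse_headers(icap_part)
    if not start.startswith("REQMOD "):
        raise ValueError("not an ICAP REQMOD request")
    request_line, _ = parse_headers(http_part)
    method, target, _version = request_line.split(" ", 2)
    if method != "CONNECT":
        raise ValueError("encapsulated request is not a CONNECT")
    host = target.rsplit(":", 1)[0].strip("[]").lower()
    sni = icap_headers.get(meta_header.lower(), "").lower()
    if sni in ("", "-"):  # assumption: absent or "-" means no SNI was seen
        sni = None
    return {"connect_host": host, "sni": sni,
            "mismatch": sni is not None and sni != host}
```
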

