[squid-dev] FW: [squid-users] Reverse proxy for HTTPS cloudfront server

Eliezer Croitoru eliezer at ngtech.co.il
Tue Feb 14 22:57:24 UTC 2017

Forwarding the subject to the squid development list.

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il

-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Craig Gowing
Sent: Tuesday, February 14, 2017 12:52 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Reverse proxy for HTTPS cloudfront server

>From what I can tell the SNI is not added for cache peers. In
Ssl::PeerConnector::initializeSsl if "peer" is set then the call to
Ssl::setClientSNI is skipped. Also the SSL context doesn't have the hostname
or a callback set, and sslCreateClientContext doesn't appear to be able to
set it either.

I've tested with a quick patch which appears to the fix the issue: (however
I feel it should take into account the forcedomain option as well)

diff --git a/src/ssl/PeerConnector.cc b/src/ssl/PeerConnector.cc
index f5d4c81..178c685 100644
--- a/src/ssl/PeerConnector.cc
+++ b/src/ssl/PeerConnector.cc
@@ -133,6 +133,7 @@ Ssl::PeerConnector::initializeSsl()
     if (peer) {
         SBuf *host = new SBuf(peer->ssldomain ? peer->ssldomain :
         SSL_set_ex_data(ssl, ssl_ex_index_server, host);
+        Ssl::setClientSNI(ssl, host->c_str());
         if (peer->sslSession)
             SSL_set_session(ssl, peer->sslSession);

View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Reverse-proxy-for-HTTPS-cloudfront-server-tp4681533p4681542.html
Sent from the Squid - Users mailing list archive at Nabble.com.
squid-users mailing list
squid-users at lists.squid-cache.org

More information about the squid-dev mailing list