[squid-dev] [PATCH] Second adaptation missing for CONNECTs
christos at chtsanti.net
Fri Mar 31 13:21:13 UTC 2017
Squid does not send CONNECT request to adaptation services if the
"ssl_bump splice" rule matched at step 2. This adaptation is important
because the CONNECT request gains SNI information during the second
SslBump step. This is a regression bug, possibly caused by the Squid bug
4529 fix (trunk commits r14913 and r14914).
Transparent interception vs normal proxy
For transparent CONNECT requests, the second request sent to the
adaptation service (and url-rewriter etc), uses the SNI name as hostname
in request url and Host header. This is is not true for normal CONNECT
However the user still is able to gain SNI information using
adaptation_meta. For example the following configuration line:
adaptation_meta X-SNI-Info "%ssl::>sni" all
Will send the SNI info using the X-SI-Info header to the ICAP service.
Avoid sending second CONNECT request to adaptation
The users may not want to send the second request to the adaptation
services. In this case they can use acls as follows:
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl markSpliced annotate_client spliced=true
ssl_bump peek step1
ssl_bump splice step2 markSpliced
acl markedSpliced note spliced true
adaptation_access class_reqmodifing deny markSpliced
adaptation_access class_reqmodifing allow all
This is a Measurement Factory project.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 7193 bytes
Desc: not available
More information about the squid-dev