[squid-dev] [PATCH] Second adaptation missing for CONNECTs

Christos Tsantilas christos at chtsanti.net
Fri Mar 31 13:21:13 UTC 2017


Hi all,

Squid does not send CONNECT request to adaptation services if the 
"ssl_bump splice" rule matched at step 2. This adaptation is important 
because the CONNECT request gains SNI information during the second 
SslBump step. This is a regression bug, possibly caused by the Squid bug 
4529 fix (trunk commits r14913 and r14914).

Notes
=====

Transparent interception vs normal proxy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For transparent CONNECT requests, the second request sent to the 
adaptation service (and url-rewriter etc.) uses the SNI name as hostname 
in the request URL and Host header. This is not true for normal CONNECT 
requests.

However, the user is still able to gain SNI information using 
adaptation_meta. For example, the following configuration line:

     adaptation_meta X-SNI-Info "%ssl::>sni" all

will send the SNI info using the X-SNI-Info header to the ICAP service.


Avoid sending second CONNECT request to adaptation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The users may not want to send the second request to the adaptation 
services. In this case, they can use ACLs as follows:

acl step1 at_step  SslBump1
acl step2 at_step  SslBump2
acl markSpliced annotate_client spliced=true

ssl_bump peek step1
ssl_bump splice step2 markSpliced

acl markedSpliced note spliced true

adaptation_access class_reqmodifing deny markedSpliced
adaptation_access class_reqmodifing allow all
This is a Measurement Factory project.
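
As an added illustration (not part of this post, the attached patch, or Squid itself) of what the second CONNECT looks like from the adaptation service's side, the following Python parses the ICAP REQMOD request that a Squid adaptation service would receive, pulls out the CONNECT target, the Host header and the SNI carried in the X-SNI-Info header from the adaptation_meta line above, and picks the hostname a policy check should use. The header name X-SNI-Info is taken from the configuration example in this post; the icap.example.test service name and the ICAP messages themselves are constructed samples, not captured traffic.

```python
"""Parse a Squid ICAP REQMOD request for a CONNECT and recover the SNI.

Added example, not Squid code. The ICAP messages are constructed to match
the REQMOD shape Squid sends (ICAP headers, blank line, encapsulated HTTP
request headers); the X-SNI-Info header name comes from the adaptation_meta
line discussed above.
"""
from typing import Dict, Optional, Tuple


def _parse_headers(block: str) -> Tuple[str, Dict[str, str]]:
    """Split a start line plus CRLF-separated headers into (start line, {name: value})."""
    lines = block.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_reqmod(raw: bytes) -> dict:
    """Extract method, CONNECT target, Host header and SNI (if any) from a REQMOD request."""
    # latin-1 maps one byte to one char, so the Encapsulated byte offsets stay valid on the str.
    text = raw.decode("latin-1")
    icap_block, _, encapsulated = text.partition("\r\n\r\n")
    _, icap_headers = _parse_headers(icap_block)

    # "Encapsulated: req-hdr=0, null-body=NN" gives offsets into the encapsulated section.
    offsets: Dict[str, int] = {}
    for entry in icap_headers.get("encapsulated", "").split(","):
        key, _, value = entry.strip().partition("=")
        if key:
            offsets[key] = int(value)
    start = offsets.get("req-hdr", 0)
    body_keys = [k for k in offsets if k.endswith("-body")]
    end = offsets[body_keys[0]] if body_keys else len(encapsulated)

    request_line, http_headers = _parse_headers(encapsulated[start:end])
    method, target, _ = request_line.split(" ", 2)
    return {
        "method": method,
        "target": target,
        "host": http_headers.get("host"),
        # Squid adds adaptation_meta headers to the ICAP headers, not to the HTTP request.
        "sni": icap_headers.get("x-sni-info") or None,
    }


def effective_hostname(info: dict) -> Optional[str]:
    """Prefer the SNI from adaptation_meta; fall back to the host part of the CONNECT target."""
    if info["sni"]:
        return info["sni"]
    host, _, _ = info["target"].rpartition(":")
    return host or info["target"]


def build_sample(target: str, sni: Optional[str]) -> bytes:
    """Constructed REQMOD message (hypothetical service icap.example.test), not real traffic."""
    http = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n"
    icap = [
        "REQMOD icap://icap.example.test/reqmod ICAP/1.0",
        "Host: icap.example.test",
        f"Encapsulated: req-hdr=0, null-body={len(http)}",
    ]
    if sni:
        icap.append(f"X-SNI-Info: {sni}")  # what adaptation_meta X-SNI-Info "%ssl::>sni" adds
    return ("\r\n".join(icap) + "\r\n\r\n" + http).encode("latin-1")


if __name__ == "__main__":
    # Step-2 CONNECT with SNI attached, then a step-1 style CONNECT without it.
    for sni in ("www.example.test", None):
        info = parse_reqmod(build_sample("192.0.2.10:443", sni))
        print(info["method"], info["target"], "->", effective_hostname(info))
```

The fallback in effective_hostname matters for the first CONNECT of an intercepted connection: before step 2 no SNI exists, so the only name available is the IP-based target, which is why a service that keys its policy on hostnames wants the second request at all.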


-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID-289-Second-adaptation-missing-for-CONNECTS-t4.patch
Type: text/x-patch
Size: 7193 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20170331/179ec299/attachment.bin>