[squid-users] peek all step with bump instance of proxy

john jacob john.kj1984 at gmail.com
Thu Aug 27 10:50:59 UTC 2015 

Hi All,

I am trying to configure a squid filtering instance which serves both proxy
and intercepted (transparent) connections. Filtering is accomplished by a
Request eCAP adapter which have something like

if(IsDenied() && RequestMethod=="CONNECT")
{
                          // Gives TAG_NONE/403 in the access log
 hostx->blockVirgin();
 return;
}

I also have a requirement to bump a particular domain and peek other https
connections for intercepted mode. So there are 3 possible
outcomes/filtering decision for any https connections hitting this server.
They are

1) Bump and allow the access
2) Non bumped and allowed access
3) Non bumped and denied access, by the code given above in eCAP adapter

My squid (tried with v3.5.6 and v3.5.7-20150823-r13895, same outcome)
config looks like below
.
.
.
#  TAG: ssl_bump
ssl_bump server-first <ip of the domain to be bumped>
ssl_bump peek all
ssl_bump splice all
.
.
.
http_port <proxy ip>:<port> ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=<path>


https_port <intercept/transparent ip>:<port> intercept ssl-bump
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=<path>

Things are fine with the intercepted connections (for all the 3 scenarios).
But with the proxy connections I am encountering some peculiar behavior
with scenario 3 (ie when a non bumped https CONNECT is denied by eCAP).
Instead of terminating the connection, it is logged as TAG_NONE/200 in the
access log and getting bumped (a dynamic certificate is generated) and then
getting terminated. The behavior disappears and works if I comment the
"peek all" line.

I am not sure if this is a bug or an expected behavior.

Of course the proxy bumped connection works fine if I selectively peek for
intercepted connections (ssl_bump peek <if only in intercepted mode>), but
in this case I am getting duplicate entries in the access log file (ie 2
CONNECT log messages for each https CONNECT) for intercepted mode https
connections.The same goes for other ACL combinations like the below
resulting in duplicated log messages

ssl_bump server-first <ip of the domain to be bumped>
ssl_bump splice <only if the request hit the proxy ip:port and not the
intercept/transparent ip :port>
ssl_bump peek all
ssl_bump splice all

Regards,
John
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150827/0dc19653/attachment.html>

More information about the squid-users mailing list