[squid-users] 3.5.8 — SSL Bump questions

Amos Jeffries squid3 at treenet.co.nz
Tue Sep 8 08:32:54 UTC 2015


On 8/09/2015 7:45 p.m., Dan Charlesworth wrote:
> This:
> 08/Sep/2015-17:41:38  11049 10.0.1.7 TCP_TUNNEL 200 12871 CONNECT api.github.com:443 api.github.com - peek Mozilla/5.0%20(Macintosh;%20Intel%20Mac%20OS%20X%2010.10;%20rv:40.0)%20Gecko/20100101%20Firefox/40.0 HIER_DIRECT/192.30.252.127 -
> 

The first one is an HTTP CONNECT message sent by a user agent. Thus a
full set of HTTP message headers are available.


> Compared to this:
> 08/Sep/2015-17:04:17  13359 10.0.1.7 TCP_TUNNEL 200 13741 CONNECT 192.30.252.126:443 api.github.com - splice - ORIGINAL_DST/192.30.252.126 -
> 

The second one is a fake CONNECT generated internally by Squid using
only the TCP SYN packet details (src IP:port and dst IP:port) on a port
443 intercepted connection. Thus none of the client details except
IP:port are available.

It's not related to the peek or splice actions themselves. The data is
known (or not) well before either happens.

Amos
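As an added example (my own code, not Amos's or the Squid project's), here is a small Python check that tells the two kinds of CONNECT apart in an access.log from the request-derived fields Amos describes, rather than from the peek/splice action. It assumes the custom logformat visible in the quoted lines (time, duration, client IP, status, bytes, method, URL, SNI, -, bump action, user agent, hierarchy/peer, -); the two sample lines are the ones quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Sample input: the two lines quoted in the thread, in the assumed logformat
# time duration client status code bytes method url sni - action ua hier/peer -
SAMPLE_LOG = """\
08/Sep/2015-17:41:38  11049 10.0.1.7 TCP_TUNNEL 200 12871 CONNECT api.github.com:443 api.github.com - peek Mozilla/5.0%20(Macintosh;%20Intel%20Mac%20OS%20X%2010.10;%20rv:40.0)%20Gecko/20100101%20Firefox/40.0 HIER_DIRECT/192.30.252.127 -
08/Sep/2015-17:04:17  13359 10.0.1.7 TCP_TUNNEL 200 13741 CONNECT 192.30.252.126:443 api.github.com - splice - ORIGINAL_DST/192.30.252.126 -
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class ConnectEntry:
    client: str
    target: str       # host:port from the CONNECT request line
    sni: str          # TLS SNI Squid learned during the TLS hello
    bump_action: str  # peek / splice / bump / ...
    user_agent: str   # "-" when no HTTP headers were ever seen
    hierarchy: str    # HIER_DIRECT/ip or ORIGINAL_DST/ip


def parse_line(line: str) -> Optional[ConnectEntry]:
    """Split one access.log line; returns None for non-CONNECT entries."""
    f = line.split()
    if len(f) < 13 or f[6] != "CONNECT":
        return None
    return ConnectEntry(client=f[2], target=f[7], sni=f[8],
                        bump_action=f[10], user_agent=f[11], hierarchy=f[12])


def classify(entry: ConnectEntry) -> str:
    """'explicit': real CONNECT from a user agent (full headers available).
    'intercepted': fake CONNECT Squid built from the TCP SYN of an intercepted
    port-443 flow, so only IP:port is known (heuristic, see lead-in)."""
    host = entry.target.rsplit(":", 1)[0]
    synthesised = (entry.hierarchy.startswith("ORIGINAL_DST/")
                   or (IPV4_RE.match(host) is not None and entry.user_agent == "-"))
    return "intercepted" if synthesised else "explicit"


def summarize(log_text: str) -> Dict[str, int]:
    """Count explicit vs intercepted CONNECTs in a block of log text."""
    counts: Dict[str, int] = {"explicit": 0, "intercepted": 0}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            counts[classify(entry)] += 1
    return counts
```

Note that the bump action is deliberately not consulted: the peek line and the splice line could swap actions and the classification would not change.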



More information about the squid-users mailing list