[squid-users] clarifying Features/SslPeekAndSplice on wiki + fake CONNECT

Marcus Kool marcus.kool at urlfilterdb.com
Tue Aug 23 13:59:55 UTC 2016



On 08/23/2016 12:44 AM, Alex Rousskov wrote:
> On 08/22/2016 08:14 PM, Marcus Kool wrote:
>> Thanks for your reply.
>> I will start changing the wiki page.
>> When I think I am done, I will let you know for a review.
>
> It is best to commit all your intended changes at once (if at all)
> rather than to use the public page as a scratch pad -- folks read what
> you commit.

I am aware of this and always leave a page in a consistent state.
My knowledge of Moin Syntax and the 10-minute locks force me to
use the preview all the time and commit once in a while.

>> The fake CONNECT _is_ desired, but with FQDN, to
>
> I am not sure whether you are making a general/universal claim (as in
> "nobody needs CONNECTs without FQDN") or just documenting your
> particular use case. I assume it is the latter. Please note that the
> wiki page should focus on the general case (but may document specific
> use cases as well, of course).
>
>
>> 1) have no differences in the CONNECT information sent to
>>    the URL rewriter in normal proxy mode and in transparent
>>    intercept mode.
>
> You do not control what is being sent to the rewriter in a forward proxy
> mode. Some HTTPS clients use FQDNs, some use IP addresses.
>
>
>> 2) be able to filter.  The url rewriter cannot filter based
>>    on the IP address, it needs a FQDN/SNI.
>
> Some rewriters can.
>
>>> Note that CONNECTs should be sent both during step1 and during step2 by
>>> default.
>
>> I think I missed something.  The URL rewriter on my systems only gets IP
>> addresses, never SNI/FQDN.  And never receives two CONNECTs (i.e. one
>> at step1 and one at step2).
>
> This is a bug or a missing feature [in your Squid?] IMHO.

I managed to get 2 CONNECTs to the URL rewriter by using the simplest example
from the website:
    acl step1 at_step SslBump1
    ssl_bump peek step1
    ssl_bump bump all
But the 2 CONNECTs have both an IP address.
The %ssl::>sni macro does not expand in url_rewrite_extras but
expands fine in the logformat of Squid 3.5.20.
Can we call that a bug?

>> Can I configure Squid to send a fake CONNECT during step2 ?
>
> It should be done automatically IIRC.
>
>> What is "during"?
>
> Each step starts with obtaining specific information (TCP client, SSL
> client, or SSL server) and ends with evaluating ssl_bump rules. The
> whole callout sequence happens in-between:
> http://wiki.squid-cache.org/ProgrammingGuide/Architecture?#HTTP_Request
>
> Disclaimer: This is a rough/approximate description. There may be
> exceptions or special cases in certain environments.
>
>
>> Is the CONNECT sent at the end of step2 so it can send the SNI?
>
> IIRC, it should be sent both during step1 and during step2. I believe
> there are rewriters that use SNI information in interception environments.
>
>
> HTH,
>
> Alex.
>
>
>
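As an added illustration of the point argued above (the rewriter cannot filter on an IP address and needs the FQDN or the SNI), here is a minimal url_rewrite_program helper in Python. It is not Marcus's code and not part of Squid; it assumes a squid.conf that passes the SNI through url_rewrite_extras as a "sni=%ssl::>sni" key/value pair and runs the helper with concurrency enabled, so each request line starts with a channel ID. The sample request lines in the comments are constructed, and the BLOCKHOLE target is a hypothetical local listener.

```python
"""Minimal Squid url_rewrite_program helper that picks the name to filter on
from a CONNECT request: the FQDN in the URL when the client sent one,
otherwise the SNI passed in via url_rewrite_extras.

Assumed squid.conf lines (an assumption for this example, not from the thread):
    url_rewrite_extras %>a/%>A %un %>rm myip=%la myport=%lp sni=%ssl::>sni
    url_rewrite_children 5 concurrency=10
"""
import ipaddress
import sys
from urllib.parse import urlsplit

# Hypothetical local TLS listener that serves a block page for denied CONNECTs.
BLOCKHOLE = "127.0.0.1:8443"


def parse_helper_line(line):
    """Split one helper request line into (channel id or None, URL, extras dict).

    Constructed example input (step1 in intercept mode, no SNI yet):
        0 203.0.113.5:443 192.0.2.10/- - CONNECT myip=192.0.2.1 myport=3128 sni=-
    """
    tokens = line.strip().split()
    channel = None
    if tokens and tokens[0].isdigit():      # channel ID is present only with concurrency>0
        channel = tokens.pop(0)
    if not tokens:
        raise ValueError("empty helper line")
    url = tokens[0]
    extras = {}
    for i, tok in enumerate(tokens[1:]):
        if "=" in tok:
            key, value = tok.split("=", 1)
            extras[key] = value
        else:
            extras["pos%d" % i] = tok       # %>a/%>A, %un, %>rm from the default extras
    return channel, url, extras


def host_of(url):
    """Host part of a CONNECT target (host:port) or of a full URL; IPv6 aware."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return parts.hostname


def is_ip(host):
    """True when the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def filter_key(url, extras):
    """Name usable for filtering, or None when only an IP is known.

    In intercept mode the step1 CONNECT carries just the destination IP, so
    the only usable name is the SNI that Squid can pass along from step2.
    """
    host = host_of(url)
    if host and not is_ip(host):
        return host.lower()
    sni = extras.get("sni", "-")
    if sni and sni != "-":                  # %ssl::>sni expands to "-" when absent
        return sni.lower()
    return None


def respond(line, blocklist):
    """Build the helper's reply for one request line (ERR = leave URL unchanged)."""
    channel, url, extras = parse_helper_line(line)
    key = filter_key(url, extras)
    if key is not None and any(key == b or key.endswith("." + b) for b in blocklist):
        reply = "OK rewrite-url=%s" % BLOCKHOLE
    else:
        reply = "ERR"                       # IP-only requests cannot be filtered here
    return reply if channel is None else "%s %s" % (channel, reply)


def main(blocklist=frozenset({"blocked.example"})):
    for line in sys.stdin:
        print(respond(line, blocklist), flush=True)


if __name__ == "__main__":
    main()
```

Fed the step1 line from the docstring, the helper answers "0 ERR" because it only sees 203.0.113.5; the same line with "sni=www.blocked.example" at step2, or a forward-proxy CONNECT that names blocked.example:443 directly, is rewritten to the block listener. Whether Squid actually expands %ssl::>sni in url_rewrite_extras on a given release is exactly the question raised above and is not settled by this example.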