[squid-users] Wrong req_header result in cache_peer_access when using ssl_bump
Alex Rousskov
rousskov at measurement-factory.com
Fri Jul 15 19:18:36 UTC 2016
On 07/15/2016 12:11 PM, Mihai Ene wrote:
> I have a working ssl_bump
> configuration when using direct connections. However, cache_peer and
> cache_peer_access have req_header rules which aren't followed in bumped
> connections.
If Squid has access to [fake or real] request headers, they should be
available to ACLs.
> In logs, immediately after bumping, I see attempts to read X-My-Header
> during cache_peer_access rules, and the header appears to always be
> empty and ACLs always evaluate to 0, although the same logs show the
> correct, expected X-My-Header later on, when forwarding the request.
I can think of two possibilities:
1. When debugging, you are looking at CONNECT transactions (rather than
HTTP requests inside bumped CONNECT tunnels) _and_ your CONNECT
transactions do not have X-My-Header.
2. It is a bug you should report.
If there is an X-My-Header in CONNECT transactions that your Squid
receives, see #2. Otherwise, see #1. You can use wireshark or Squid
ALL,2 debugging to see CONNECT headers that Squid receives.
The above assumes you are not intercepting SSL connections and are not
dynamically adding X-My-Header to the received requests.
HTH,
Alex.
More information about the squid-users
mailing list