[squid-users] Wrong req_header result in cache_peer_access when using ssl_bump
Mihai Ene
me at ub.io
Thu Jul 21 09:31:40 UTC 2016
Please excuse my persistence, but when that condition was introduced, in
[2011](https://github.com/squid-cache/squid/commit/9d7a49fb719dcd9ec22a8d3116e888c6e93c5dbb),
it was meant to prevent forwarding unencrypted requests. You can see that
there is no check whether `cache_peer` is using ssl, in which case requests
would be encrypted, after all.
I think that condition shouldn't include `cache_peer`s with ssl.
*Mihai Ene*
Software Developer
*UB | Your universal basket*
http://ub.io
me at ub.io
@shop_ub
+44 (0)7473 804972
On Thu, Jul 21, 2016 at 6:51 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 21/07/2016 3:36 a.m., Mihai Ene wrote:
> >> Squid SHOULD be able to send SSL-bump decrypted traffic to a cache_peer
> >> with 'ssl' flag set.
> >
> > But squid's source code says otherwise:
> >
> > https://github.com/squid-cache/squid/blob/23f981d410009ba5aee455144d18b4178d042b34/src/FwdState.cc#L816
> >
> > Besides, I'm seeing that `debugs` output on line 819 in my logs when
> > testing with an ssl enabled cache_peer.
> >
>
> Ah, darn. Sorry. You are right. I was mistaking the originserver peer case.
>
> Amos
>
>