[squid-users] Squid 3.5.21 ssl bump and x-forward

Amos Jeffries squid3 at treenet.co.nz
Thu Sep 15 10:18:45 UTC 2016


On 15/09/2016 8:53 p.m., FredB wrote:
> Hello,
> 
> I'm testing SslBump and it works well; however, I'm seeing something strange with two proxies and x-forwarded enabled on the first: some requests are written with the first proxy's address. 
> 
> user -> squid (forwarded_for on) -> squid (follow_x_forwarded_for allow all) -> Net 
> 
> Here is the log from the second squid, on the same server (same result when they are separate; 127.0.0.1 = IP of the first squid): 
> 
> 10.x.x.x.x - myaccount [15/Sep/2016:09:40:07 +0200] "CONNECT www.google.fr:443 HTTP/1.0" 200 0 440 TAG_NONE:HIER_NONE "Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0" 
> 10.x.x.x.x - myaccount [15/Sep/2016:09:40:07 +0200] "GET http://www.google.fr/ HTTP/1.0" 302 643 1575 TCP_MISS:HIER_DIRECT "Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0" 
> 10.x.x.x.x - myaccount [15/Sep/2016:09:40:07 +0200] "CONNECT www.google.fr:443 HTTP/1.0" 200 0 440 TAG_NONE:HIER_NONE "Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0" 

Above are HTTP requests sent from proxy #1 to proxy #2.

> 127.0.0.1 - myaccount [15/Sep/2016:09:40:07 +0200] "POST https://www.google.fr/gen_204?atyp=i&ct=slh&cad=&ei=EVDaV-rAOcS7adLmucAF&s=3&v=2&pv=0.19272099408438004&me=4:1473925301533,e,U&zx=1473925301536 HTTP/1.1" 204 401 1571 TCP_MISS:HIER_DIRECT "Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0" 
> 127.0.0.1 - myaccount [15/Sep/2016:09:40:08 +0200] "GET https://www.google.fr/?gws_rd=ssl HTTP/1.1" 200 61953 1387 TCP_MISS:HIER_DIRECT "Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0" 
> 127.0.0.1 - myaccount [15/Sep/2016:09:40:08 +0200] "POST https://www.google.fr/gen_204?atyp=i&ct=slh&cad=&ei=EVDaV-rAOcS7adLmucAF&s=4&v=2&pv=0.19272099408438004&me=5:1473925302218,e,H&zx=1473925302220 HTTP/1.1" 204 401 1571 TCP_MISS:HIER_DIRECT "Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0" 
> 127.0.0.1 - myaccount [15/Sep/2016:09:40:08 +0200] "GET https://www.google.fr/complete/search?sclient=psy-ab&site=&source=hp&q=&oq=&gs_l=&pbx=1&bav=on.2,or.r_cp.&fp=1&biw=995&bih=554&dpr=1.25&pf=p&gs_rn=64&gs_ri=psy-ab&tok=yZHeL-_L5Be_JazeSm0Mtg&cp=0&gs_id=0&xhr=t&tch=1&ech=1&psi=tVDaV7_DMsXqauCygeAF.1473925302436.1 HTTP/1.1" 200 913 1618 TCP_MISS:HIER_DIRECT "Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0" 
> 127.0.0.1 - myaccount [15/Sep/2016:09:40:08 +0200] "GET https://www.google.fr/gen_204?v=3&s=webhp&atyp=csi&ei=tVDaV7_DMsXqauCygeAF&imc=2&imn=2&imp=0&adh=&xjs=init.26.20.sb.18.p.3.jsa.1.abd.1.foot.1&ima=0&rt=xjsls.21,prt.41,iml.41,dcl.82,xjses.124,jraids.149,jraide.153,xjsee.185,xjs.185,ol.217,aft.41,wsrt.748,cst.1,dnst.0,rqst.522,rspt.533,rqstt.161,unt.143,cstt.144,dit.816 HTTP/1.1" 204 401 1616 TCP_MISS:HIER_DIRECT "Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0" 

Above are bumped requests sent inside the tunnel. Proxy #1 did not
interact with them, so it has no way to add XFF headers.

The SSL-Bump logic does not yet store some things like indirect client
IP and associate them with the bumped requests.

Amos
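The effect Amos describes is visible in the second proxy's access log: every request logged with a plain-text https:// URL came out of a bumped tunnel, and for those the client field holds the upstream proxy's address rather than the user's, because the only thing proxy #1 ever saw was the CONNECT. The script below is an added example (not part of the thread, and not Squid's own code) that parses the log format shown above, flags the bumped entries whose attribution was lost, and tries to recover the real client by matching each one back to the most recent CONNECT for the same origin and user. The sample log lines are constructed from the ones posted in the thread, with the redacted client address replaced by the made-up 10.0.0.5; the upstream proxy address 127.0.0.1 is assumed, as in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Address of the first proxy as seen by the second one. Assumption taken from
# the thread (both proxies on the same host); change it for a split deployment.
UPSTREAM_PROXY_ADDR = "127.0.0.1"

# Constructed sample in the log format used in the thread. The real user's
# address is made up (10.0.0.5); the 127.0.0.1 entries are the bumped requests.
SAMPLE_LOG = """\
10.0.0.5 - myaccount [15/Sep/2016:09:40:07 +0200] "CONNECT www.google.fr:443 HTTP/1.0" 200 0 440 TAG_NONE:HIER_NONE "Mozilla/5.0"
10.0.0.5 - myaccount [15/Sep/2016:09:40:07 +0200] "GET http://www.google.fr/ HTTP/1.0" 302 643 1575 TCP_MISS:HIER_DIRECT "Mozilla/5.0"
127.0.0.1 - myaccount [15/Sep/2016:09:40:07 +0200] "POST https://www.google.fr/gen_204?atyp=i HTTP/1.1" 204 401 1571 TCP_MISS:HIER_DIRECT "Mozilla/5.0"
127.0.0.1 - myaccount [15/Sep/2016:09:40:08 +0200] "GET https://www.google.fr/?gws_rd=ssl HTTP/1.1" 200 61953 1387 TCP_MISS:HIER_DIRECT "Mozilla/5.0"
"""

# client - user [time] "METHOD URL HTTP/x.y" status bytes_out bytes_in TAG:HIER "User-Agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/(?P<ver>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<out>\d+) (?P<in>\d+) (?P<tag>\S+) "(?P<ua>[^"]*)"\s*$'
)


@dataclass
class Entry:
    client: str
    user: str
    time: str
    method: str
    url: str
    status: int
    tag: str
    ua: str

    @property
    def is_bumped(self) -> bool:
        # A forward proxy can only log a full https:// URL if it decrypted
        # the connection, i.e. the request came out of a bumped tunnel.
        return self.url.startswith("https://")

    def origin(self) -> str:
        # host:port the request is ultimately for. CONNECT carries it directly.
        if self.method == "CONNECT":
            return self.url
        u = urlsplit(self.url)
        port = u.port or (443 if u.scheme == "https" else 80)
        return f"{u.hostname}:{port}"


def parse_line(line: str) -> Optional[Entry]:
    m = LOG_RE.match(line)
    if not m:
        return None
    return Entry(m["client"], m["user"], m["time"], m["method"], m["url"],
                 int(m["status"]), m["tag"], m["ua"])


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def lost_attribution(entries: List[Entry]) -> List[Entry]:
    """Bumped requests whose logged client is the upstream proxy, i.e. the
    entries for which no X-Forwarded-For value could have been supplied."""
    return [e for e in entries if e.is_bumped and e.client == UPSTREAM_PROXY_ADDR]


def guess_real_client(entries: List[Entry], idx: int) -> Optional[str]:
    """Heuristic: the most recent CONNECT to the same origin by the same user,
    logged with a non-proxy client address, is the tunnel this bumped request
    arrived on. With several users tunnelling to one origin at the same time
    this can pick the wrong one, so treat the result as triage, not evidence."""
    target = entries[idx]
    for prev in reversed(entries[:idx]):
        if (prev.method == "CONNECT" and prev.user == target.user
                and prev.origin() == target.origin()
                and prev.client != UPSTREAM_PROXY_ADDR):
            return prev.client
    return None


def report(log_text: str) -> List[Tuple[str, str, Optional[str]]]:
    """(method, url, guessed real client) for every mis-attributed entry."""
    entries = parse_log(log_text)
    return [(e.method, e.url, guess_real_client(entries, i))
            for i, e in enumerate(entries)
            if e.is_bumped and e.client == UPSTREAM_PROXY_ADDR]


if __name__ == "__main__":
    for method, url, who in report(SAMPLE_LOG):
        print(f"{method} {url} logged as {UPSTREAM_PROXY_ADDR}, probably from {who}")
```

Run it against the second proxy's access log to see how much of the bumped traffic is attributed to the first proxy instead of the user. The matching against the preceding CONNECT is only a best-effort reconstruction; since Squid 3.5.21 does not carry the indirect client address into the bumped requests, logs from the second proxy cannot on their own be trusted for per-user attribution of HTTPS traffic in this two-proxy layout.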



More information about the squid-users mailing list