[squid-users] How squid sends sni to icap server?

Amos Jeffries squid3 at treenet.co.nz
Fri Aug 4 13:47:40 UTC 2017


On 04/08/17 19:11, lucas.alvaro at laposte.net wrote:
> Hi everyone,
> I have a transparent proxy squid 3.5.26 with C-ICAP and here are the 
> important lines:
> "
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_header X-Authenticated-User
> icap_preview_enable on
> icap_preview_size 1024
> icap_service service_avi_req reqmod_precache icap://localhost:1344/echo bypass=off
> adaptation_access service_avi_req allow all
> icap_service service_avi_resp respmod_precache icap://localhost:1344/echo bypass=off
> adaptation_access service_avi_resp allow all
> 
> #url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
> 
> 
> http_port 3128
> http_port 3129 intercept
> https_port 3130 intercept ssl-bump \
> cert=/etc/squid/ssl_cert/myCA.pem \
> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
> sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
> 
> #acl step1 at_step SslBump1
> #acl step2 at_step SslBump2
> #acl step3 at_step SslBump3
> 
> ssl_bump peek all
> ssl_bump bump all

NP: Peeking at step 2 precludes bumping.

> logformat squid %ssl::>sni

Please do not redefine the built-in format name "squid". Use a custom 
name for custom formats.


> adaptation_meta X-SNI "%ssl::>sni" all   #or connect
> #request_header_add X-SNI "%ssl::>sni" all
> "
> 
> 
> So I want to create an ICAP service like squidclamav, but it must check 
> SNI, not URLs.

Any particular reason why?
  SNI has almost nothing to do with the HTTP messages (plural). It is 
simply the name of the next-hop server (or proxy) they should be 
delivered to on their way around the web.

I thought squidclamav was an antivirus, not a URL blocklist checker.


> 
> I peek all the steps to get the SNI, and in the squid access log, the SNI is 
> printed.
> I read that adaptation_meta can send anything from squid to icap, but 
> clearly I use it incorrectly: I can't see the SNI in the icap access log or in 
> the icap headers.

Your usage appears to be correct. I think there is no SNI being received 
by Squid.


> Does adaptation_meta create ICAP headers?

It does.

> Or should I use 
> add_request_headers?

No, that would add HTTP headers to the outgoing messages (to server or 
to client).

> 
> I know that Squid can create a 2nd fake CONNECT with the SNI, but here again 
> ICAP just prints the same CONNECT 2 times.
> 

That is correct, however SNI is not always sent by clients. Squid can 
only use what it is given.

If there is an SNI in that particular clientHello you have hit a bug in 
Squid.

Amos
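
Since the thread establishes that adaptation_meta values arrive as ICAP request headers and that Squid can only forward an SNI it was actually given, here is the REQMOD-side logic such an SNI-checking service would need, written as an added example for this page; it is not code from the post, from c-icap or from squidclamav. It assumes Squid is configured with `adaptation_meta X-SNI "%ssl::>sni" all` (so the REQMOD request for each CONNECT carries an `X-SNI` ICAP header), answers 204 when the client offered it, and otherwise replaces a blocked CONNECT with an encapsulated HTTP 403. The sample REQMOD messages, the blocklist and the header name are constructed for the example; only message handling is shown, not the socket or c-icap module wiring.

```python
"""REQMOD-side logic for an SNI-checking ICAP service (added example).

Assumptions not stated in the thread: Squid runs
`adaptation_meta X-SNI "%ssl::>sni" all`, so each CONNECT's REQMOD request
carries an ICAP header `X-SNI`. Sample messages and blocklist are constructed.
"""
import re

CRLF = "\r\n"
ISTAG = 'ISTag: "sni-check-1"'  # RFC 3507 requires an ISTag on every response
BLOCKLIST = {"evil.example", "bad.example"}  # constructed sample list


def make_reqmod(sni: str, connect_host: str, allow_204: bool = True) -> str:
    """Constructed REQMOD request of the shape Squid sends for a CONNECT.

    An empty `sni` mimics a CONNECT for which Squid received no SNI: the
    meta header is left out (a blank value is handled the same way).
    """
    http_head = (f"CONNECT {connect_host}:443 HTTP/1.1{CRLF}"
                 f"Host: {connect_host}:443{CRLF}{CRLF}")
    icap = ["REQMOD icap://localhost:1344/echo ICAP/1.0",
            "Host: localhost:1344", "X-Client-IP: 192.0.2.10"]
    if sni:
        icap.append(f"X-SNI: {sni}")
    if allow_204:
        icap.append("Allow: 204")
    icap.append(f"Encapsulated: req-hdr=0, null-body={len(http_head)}")
    return CRLF.join(icap) + CRLF + CRLF + http_head


def parse_icap_head(raw: str):
    """Split an ICAP request into (request line, headers, encapsulated HTTP head)."""
    icap_head, _, encapsulated = raw.partition(CRLF + CRLF)
    lines = icap_head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # last duplicate wins
    return lines[0], headers, encapsulated


def sni_from_request(headers: dict, encapsulated: str):
    """Return (hostname, source): X-SNI if present, else the CONNECT authority.

    Squid only passes on an SNI the client sent, so X-SNI may be missing or
    empty; the CONNECT target (an IP for intercepted traffic) is the fallback.
    """
    sni = headers.get("x-sni", "").strip()
    if sni:
        return sni.lower().rstrip("."), "sni"
    m = re.match(r"CONNECT\s+([^\s:]+)(?::\d+)?\s+HTTP/", encapsulated)
    if m:
        return m.group(1).lower().rstrip("."), "connect-authority"
    return "", "none"


def is_blocked(host: str, blocklist=BLOCKLIST) -> bool:
    """True if the host or any parent domain is listed (cdn.evil.example -> evil.example)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def decide(raw: str):
    """Return (hostname, source, blocked) for one REQMOD request."""
    _, headers, encapsulated = parse_icap_head(raw)
    host, source = sni_from_request(headers, encapsulated)
    return host, source, is_blocked(host)


def handle_reqmod(raw: str) -> str:
    """Build the ICAP response for one REQMOD request."""
    _, headers, encapsulated = parse_icap_head(raw)
    host, _ = sni_from_request(headers, encapsulated)
    if is_blocked(host):
        # Replace the CONNECT with a 403 so the tunnel is never opened.
        http_resp = f"HTTP/1.1 403 Forbidden{CRLF}Content-Length: 0{CRLF}{CRLF}"
        return (f"ICAP/1.0 200 OK{CRLF}{ISTAG}{CRLF}"
                f"Encapsulated: res-hdr=0, null-body={len(http_resp)}{CRLF}{CRLF}"
                f"{http_resp}")
    if "204" in headers.get("allow", ""):
        # "Unmodified" 204 is only permitted when the client offered it.
        return f"ICAP/1.0 204 No Content{CRLF}{ISTAG}{CRLF}{CRLF}"
    # Otherwise echo the request head back unchanged.
    return (f"ICAP/1.0 200 OK{CRLF}{ISTAG}{CRLF}"
            f"Encapsulated: req-hdr=0, null-body={len(encapsulated)}{CRLF}{CRLF}"
            f"{encapsulated}")


if __name__ == "__main__":
    for req in (make_reqmod("evil.example", "203.0.113.5"),
                make_reqmod("", "www.good.example"),
                make_reqmod("cdn.evil.example", "cdn.evil.example")):
        print(decide(req), handle_reqmod(req).split(CRLF)[0])
```

Two points from the thread shape this code. First, the X-SNI value is only known after Squid has peeked the ClientHello at step 1, so the REQMOD for the very first CONNECT may carry no SNI at all; the fallback to the CONNECT authority is what the service has to work with there, and for intercepted traffic that is just an IP address. Second, with `ssl_bump peek all` followed by `ssl_bump bump all`, the peek at step 2 rules out bumping, as noted above; peeking only at step 1 (`acl step1 at_step SslBump1`, `ssl_bump peek step1`, `ssl_bump bump all`, an assumption about the intended setup rather than something the post states) keeps bumping possible while still yielding the SNI for the meta header.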
