[squid-users] Reverse proxy for HTTPS cloudfront server

Craig Gowing craig.gowing at appliansys.com
Tue Feb 14 10:51:43 UTC 2017

>From what I can tell the SNI is not added for cache peers. In
Ssl::PeerConnector::initializeSsl if "peer" is set then the call to
Ssl::setClientSNI is skipped. Also the SSL context doesn't have the hostname
or a callback set, and sslCreateClientContext doesn't appear to be able to
set it either.

I've tested with a quick patch which appears to the fix the issue: (however
I feel it should take into account the forcedomain option as well)

diff --git a/src/ssl/PeerConnector.cc b/src/ssl/PeerConnector.cc
index f5d4c81..178c685 100644
--- a/src/ssl/PeerConnector.cc
+++ b/src/ssl/PeerConnector.cc
@@ -133,6 +133,7 @@ Ssl::PeerConnector::initializeSsl()
     if (peer) {
         SBuf *host = new SBuf(peer->ssldomain ? peer->ssldomain :
         SSL_set_ex_data(ssl, ssl_ex_index_server, host);
+        Ssl::setClientSNI(ssl, host->c_str());
         if (peer->sslSession)
             SSL_set_session(ssl, peer->sslSession);

View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Reverse-proxy-for-HTTPS-cloudfront-server-tp4681533p4681542.html
Sent from the Squid - Users mailing list archive at Nabble.com.

More information about the squid-users mailing list