[squid-users] ALPN, HTTP/2 and sslbump

Brian Bergstrom brian.bergstrom at sportsengine.com
Tue Jan 9 14:58:03 UTC 2018


Thanks for the input.  Peeking less and splicing sooner appears to resolve
the issue I was having.  Since SNI is available at step 2 after peeking at
step 1, there was no loss in functionality.  So my ssl_bump config ends
up looking like below:

ssl_bump peek step1
ssl_bump splice step2 allowed_https_sites
ssl_bump splice step2 allowed_https_ips
ssl_bump terminate step2 all


Thanks again!

On Wed, Jan 3, 2018 at 5:47 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 04/01/18 12:37, Alex Rousskov wrote:
>
>> On 01/03/2018 03:30 PM, brianbergstrom wrote:
>>
>> If I understand the docs and this thread correctly, Squid should be
>>> removing
>>> h2 from the ALPN in the Client Hello since Squid does not support it.
>>>
>>
>> Please note that Squid cannot remove something when using "peek" and
>> "splice" actions.
>>
>> I do not know whether Squid removes unsupported ALPN values when using
>> "stare" and "bump" actions, and I would not be surprised to learn that
>> Squid does not police those values at all (yet),
>>
>
> It does *unless* peeking at the server handshake: <
> https://github.com/squid-cache/squid/blob/v3.5/src/ssl/bio.cc#L1261>.
>
> Amos
>



-- 
*Brian Bergstrom*
SOFTWARE ENGINEER

SportsEngine | 807 Broadway St NE | Suite 300 | Minneapolis, MN 55413
SportsEngine.com <http://sportsengine.com> | twitter.com/NBCSportsEngine |
facebook.com/NBCSportsEngine
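As an added illustration of the step-1/step-2 logic in the config above (this is example code written for this page, not Squid's own code), the script below constructs a minimal TLS ClientHello record, parses the two extensions Squid looks at when it peeks (SNI, type 0, and ALPN, type 16), applies the splice/terminate decision from the posted ACLs to the parsed SNI, and shows what an ALPN list looks like after an unsupported protocol is dropped, as Amos describes happening in the bump path. The ClientHello bytes are constructed here, the ACL contents and the destination IP are made-up test values, and the set of "supported" ALPN protocols is an assumption standing in for Squid not speaking h2.

```python
"""Peek at a TLS ClientHello the way an ssl_bump step-2 decision needs to.

Added example, not code from the squid-users thread or from Squid itself.
"""
import struct


def _u16(buf, off):
    return struct.unpack(">H", buf[off:off + 2])[0]


def build_client_hello(sni, alpn):
    """Build a minimal TLS 1.2 ClientHello record (constructed sample input)."""
    exts = b""
    # server_name extension (type 0): list length, then entries of type/len/name
    host = sni.encode("ascii")
    name = b"\x00" + struct.pack(">H", len(host)) + host
    sni_list = struct.pack(">H", len(name)) + name
    exts += struct.pack(">HH", 0, len(sni_list)) + sni_list
    # ALPN extension (type 16): list length, then 1-byte-length-prefixed protocols
    protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
    alpn_list = struct.pack(">H", len(protos)) + protos
    exts += struct.pack(">HH", 16, len(alpn_list)) + alpn_list
    body = (b"\x03\x03" + bytes(32)        # client_version, random (zeroed here)
            + b"\x00"                      # session_id length 0
            + b"\x00\x02\x13\x01"          # one cipher suite
            + b"\x01\x00"                  # null compression only
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(rec):
    """Return {'sni': str|None, 'alpn': [str]} from a TLS handshake record."""
    if rec[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = rec[5:5 + _u16(rec, 3)]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    off = 4 + 2 + 32                      # handshake header, version, random
    off += 1 + hs[off]                    # session_id
    off += 2 + _u16(hs, off)              # cipher_suites
    off += 1 + hs[off]                    # compression_methods
    result = {"sni": None, "alpn": []}
    if off >= len(hs):                    # no extensions at all
        return result
    end = off + 2 + _u16(hs, off)
    off += 2
    while off + 4 <= end:
        etype, elen = _u16(hs, off), _u16(hs, off + 2)
        data = hs[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype == 0:                    # server_name
            p = 2
            while p + 3 <= len(data):
                ntype, nlen = data[p], _u16(data, p + 1)
                p += 3
                if ntype == 0 and result["sni"] is None:
                    result["sni"] = data[p:p + nlen].decode("ascii")
                p += nlen
        elif etype == 16:                 # application_layer_protocol_negotiation
            p = 2
            while p < len(data):
                plen = data[p]
                result["alpn"].append(data[p + 1:p + 1 + plen].decode("ascii"))
                p += 1 + plen
    return result


# Assumption for this example: the proxy only speaks HTTP/1.1 itself, so when
# it bumps (terminates TLS) it must not offer h2 onward.
SUPPORTED_ALPN = {"http/1.1"}


def alpn_after_bump(alpn):
    """ALPN list a bumping proxy would keep; unsupported protocols are dropped."""
    return [p for p in alpn if p in SUPPORTED_ALPN]


def step2_action(rec, allowed_https_sites, allowed_https_ips, dst_ip):
    """Mirror the posted ssl_bump rules at step 2: splice if the SNI or the
    destination IP is allowed, otherwise terminate."""
    info = parse_client_hello(rec)
    if info["sni"] in allowed_https_sites or dst_ip in allowed_https_ips:
        return "splice"
    return "terminate"


if __name__ == "__main__":
    hello = build_client_hello("example.com", ["h2", "http/1.1"])
    print(parse_client_hello(hello))
    print(step2_action(hello, {"example.com"}, set(), "203.0.113.10"))
```

Because the SNI only exists inside the ClientHello, the decision above can only be made after step 1 has peeked; a step-1 rule sees nothing but the destination IP (or CONNECT target), which is why the allowed_https_sites check belongs at step 2.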