[squid-users] SSL termination problem - squid's requests using https

Alex Rousskov rousskov at measurement-factory.com
Tue Sep 17 22:22:44 UTC 2019


On 9/17/19 5:02 PM, Sam Holden wrote:

> When I have protocol=http it reports:
> 2019/09/17 20:08:55| Accepting reverse-proxy HTTP Socket connections

> When I don't set the protocol it reports:
> 2019/09/17 20:17:38| Accepting reverse-proxy HTTPS Socket connections

> So it seems to be following the protocol= for the incoming protocol
> rather than just the outgoing.

Agreed. That (still) looks like a bug to me. [PROXY protocol prefix
aside], an https_port ought to expect TLS traffic, regardless of any
port tuning options, including the poorly named "protocol" option.

FWIW, I tried to quickly figure out what is really going on in the code,
but ran out of time -- configuration parsing code does appear to
overwrite the data member used as the incoming protocol of a listening
port which makes no sense to me and contradicts documentation, but I am
probably missing something in this mess. Hopefully, somebody else can
help you triage this further.

Alex.


>> What happens when you connect to the above https_port using a TLS
>> connection?
> 
> When I have the protocol=http I get (443 is being mapped to 4277 elsewhere):
> 
> $  wget https://127.0.0.1:4277/ --no-check-certificate
> --2019-09-17 20:53:04--  https://127.0.0.1:4277/
> Connecting to 127.0.0.1:443... connected.
> GnuTLS: An unexpected TLS packet was received.
> Unable to establish SSL connection.
> $  wget  http://127.0.0.1:4277/
> --2019-09-17 20:54:17--  http://127.0.0.1:4277/
> Connecting to 127.0.0.1:443... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 61979 (61K) [text/html]
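
A check for the behaviour discussed in this thread, added here as an example (not part of the original messages and not Squid code): it sends a cleartext HTTP request to a listener that is supposed to be TLS-only and reports whether the port answered in plain HTTP, as in the wget output quoted above. All function names are hypothetical.

```python
import socket

def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a listener returns after a cleartext HTTP request."""
    if data.startswith(b"HTTP/"):
        return "plaintext-http"   # listener parsed the unencrypted request
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"              # TLS alert (0x15) or handshake (0x16) record header
    if not data:
        return "closed"           # peer closed, reset or stayed silent
    return "unknown"

def probe_cleartext(sock: socket.socket, host: str) -> str:
    """Send a plain HTTP request (no TLS) on a connected socket and classify the reply."""
    request = (b"HEAD / HTTP/1.1\r\nHost: " + host.encode("ascii")
               + b"\r\nConnection: close\r\n\r\n")
    try:
        sock.sendall(request)
        data = sock.recv(16)
    except (ConnectionError, socket.timeout):
        data = b""                # a reset or timeout is not a cleartext answer
    return classify_first_bytes(data)

def port_enforces_tls(host: str, port: int, timeout: float = 3.0) -> bool:
    """True unless the port answers a cleartext request with an HTTP response."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe_cleartext(sock, host) != "plaintext-http"

if __name__ == "__main__":
    import sys
    # Usage: python check_tls_port.py HOST PORT
    host, port = sys.argv[1], int(sys.argv[2])
    if port_enforces_tls(host, port):
        print(f"{host}:{port} did not answer cleartext HTTP")
    else:
        print(f"{host}:{port} ACCEPTS CLEARTEXT HTTP; TLS is not being enforced")
        sys.exit(1)
```

A listener that returns a TLS alert or simply drops the connection both count as not serving cleartext; only an `HTTP/` status line flags the port.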


