[squid-users] Squid sends 2 replies after peek/splice when using an user-agent http_access rule

Gaël Ranaivo granaivo at olfeo.com
Wed Sep 25 17:27:43 UTC 2019


Here is a minimal squid config that demonstrates this weird issue:

   http_port 3128 ssl-bump tls-cert=/tmp/cert.pem tls-key=/tmp/key.pem

   acl regua browser .*Firefox.*
   http_access allow regua
   http_access deny all

   acl step1 at_step SslBump1
   acl step2 at_step SslBump2
   acl youtube dstdomain .youtube.com

   ssl_bump peek step1
   ssl_bump splice step2 youtube
   ssl_bump bump step2 all

With this config and using Firefox to go to https://youtube.com/,
squid replies to the CONNECT with 2 different replies, causing
an SSL_ERROR_RX_RECORD_TOO_LONG error in the browser:

   HTTP/1.1 200 Connection established
   HTTP/1.1 403 Forbidden

After reading the wiki (https://wiki.squid-cache.org/Features/SslPeekAndSplice)
I suspect this has to do with the "fake" CONNECT request, which I guess fails
to pass the http_access rule. But why would squid send 2 replies? Is this
a bug?

Adding this line:

   http_access allow step2

seems to "fix" the problem, but I'm not sure if this is the right thing to do?

Squid version is 4.6 on Debian recompiled with SSL support.
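The poster's suspicion can be checked against a small model of how Squid walks http_access rules (first matching rule wins, and a rule matches only when every ACL on it matches). This is an added illustration written for this thread, not Squid code; it assumes, as the poster suspects, that the CONNECT Squid fakes at SslBump2 carries no User-Agent header, so the `browser` ACL cannot match it.

```python
import re

# Simplified model of Squid's http_access evaluation (illustration only):
# each rule is (action, [acl, ...]); an ACL is a predicate over a request.

def acl_browser(pattern):
    # 'acl NAME browser REGEX' matches the User-Agent header.
    rx = re.compile(pattern)
    return lambda req: rx.search(req.get("user_agent", "")) is not None

def acl_at_step(step):
    # 'acl NAME at_step SslBumpN' matches the current SSL-bump step.
    return lambda req: req.get("step") == step

def acl_all(_req):
    return True

def http_access(rules, request):
    """Return 'allow' or 'deny' for the first rule whose ACLs all match.
    Both configs below end with 'deny all', so nothing falls through."""
    for action, acls in rules:
        if all(acl(request) for acl in acls):
            return action
    return "deny"

# The config from the post, and the same config plus 'http_access allow step2'.
BROKEN = [("allow", [acl_browser(".*Firefox.*")]),
          ("deny", [acl_all])]
FIXED = [("allow", [acl_browser(".*Firefox.*")]),
         ("allow", [acl_at_step("SslBump2")]),
         ("deny", [acl_all])]

# Constructed requests: the browser's real CONNECT (seen at step 1) and the
# CONNECT Squid fakes at step 2, which is assumed to carry no User-Agent.
REAL_CONNECT = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/69.0",
                "step": "SslBump1"}
FAKE_CONNECT = {"step": "SslBump2"}

def evaluate(rules):
    """Decisions for the real CONNECT and the fake CONNECT, in that order."""
    return [http_access(rules, req) for req in (REAL_CONNECT, FAKE_CONNECT)]

if __name__ == "__main__":
    print("original config:", evaluate(BROKEN))  # ['allow', 'deny']
    print("with allow step2:", evaluate(FIXED))  # ['allow', 'allow']
```

Under this model the 403 comes from the fake step-2 CONNECT failing the `browser` ACL; the `allow step2` rule only re-admits that fake request, since a client whose real CONNECT was denied at step 1 never reaches step 2.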


