[squid-users] Squid sends 2 replies after peek/splice when using a user-agent http_access rule
Gaël Ranaivo
granaivo at olfeo.com
Wed Sep 25 17:27:43 UTC 2019
Hello,
Here is a minimal squid config that demonstrates this weird issue:
http_port 3128 ssl-bump tls-cert=/tmp/cert.pem tls-key=/tmp/key.pem
acl regua browser .*Firefox.*
http_access allow regua
http_access deny all
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl youtube dstdomain .youtube.com
ssl_bump peek step1
ssl_bump splice step2 youtube
ssl_bump bump step2 all
With this config and using Firefox to go to https://youtube.com/,
squid replies to the CONNECT with 2 different replies, causing
an SSL_ERROR_RX_RECORD_TOO_LONG error in the browser:
HTTP/1.1 200 Connection established
HTTP/1.1 403 Forbidden
After reading the wiki (https://wiki.squid-cache.org/Features/SslPeekAndSplice)
I suspect this has to do with the "fake" CONNECT request, which I guess fails
to pass the http_access rule. But why would squid send 2 replies? Is this
a bug?
Adding this line:
http_access allow step2
seems to "fix" the problem, but I'm not sure if this is the right thing to do?
Squid version is 4.6 on Debian, recompiled with SSL support.
Regards,
--
Gael
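The SSL_ERROR_RX_RECORD_TOO_LONG symptom described above follows directly from the two replies: after the 200 the browser treats whatever comes next on the socket as a TLS record, and the ASCII bytes of "HTTP/1.1 403 ..." parse as a record header with an impossible length. The checker below is an added example (not code from the poster, from this thread, or from the Squid project) that reads the raw bytes a client receives after sending CONNECT, splits off the first reply, and reports whether the tunnel then carries a TLS record or a second HTTP status line. The two byte strings are constructed for the example; the TLS record length limit is the 2^14 + 2048 bound from RFC 5246.

```python
import re

# Constructed samples (not captured from the poster's proxy): what a browser
# could read back on the socket after sending "CONNECT youtube.com:443".
GOOD_REPLY = (
    b"HTTP/1.1 200 Connection established\r\n\r\n"
    # start of a TLS ServerHello record: handshake (0x16), TLS 1.2, length 0x2a
    + b"\x16\x03\x03\x00\x2a" + b"\x02" + b"\x00" * 41
)
DOUBLE_REPLY = (
    b"HTTP/1.1 200 Connection established\r\n\r\n"
    b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
)

TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}  # CCS, alert, handshake, app data
TLS_MAX_RECORD = 2 ** 14 + 2048               # RFC 5246 limit on a record body
STATUS_LINE = re.compile(rb"HTTP/1\.[01] (\d{3}) ")


def split_first_reply(data):
    """Return (status code, bytes after the first header block), or (None, data)."""
    m = STATUS_LINE.match(data)
    end = data.find(b"\r\n\r\n")
    if not m or end < 0:
        return None, data
    return int(m.group(1)), data[end + 4:]


def tls_record_view(payload):
    """Read the first 5 bytes as a TLS record header, exactly as the client does."""
    if len(payload) < 5:
        return None
    return {
        "type": payload[0],
        "version": (payload[1], payload[2]),
        "length": int.from_bytes(payload[3:5], "big"),
    }


def diagnose_connect_reply(data):
    """Classify what follows a CONNECT reply: a TLS record, a second HTTP reply, or junk."""
    status, rest = split_first_reply(data)
    result = {"status": status, "verdict": "", "extra_status": None, "bogus_length": None}
    if status != 200:
        result["verdict"] = "connect-refused"
        return result
    hdr = tls_record_view(rest)
    if (hdr and hdr["type"] in TLS_CONTENT_TYPES
            and hdr["version"][0] == 0x03 and hdr["length"] <= TLS_MAX_RECORD):
        result["verdict"] = "tls-ok"
        return result
    # Not a plausible TLS record: see whether the proxy sent a second status line.
    m = STATUS_LINE.match(rest)
    if m:
        result["extra_status"] = int(m.group(1))
        result["verdict"] = "double-reply"
    else:
        result["verdict"] = "not-tls"
    if hdr:
        # The length field the client would see; for "HTTP/" it is 0x502F = 20527,
        # above TLS_MAX_RECORD, which is the "record too long" condition.
        result["bogus_length"] = hdr["length"]
    return result


if __name__ == "__main__":
    for name, sample in (("good", GOOD_REPLY), ("double", DOUBLE_REPLY)):
        print(name, diagnose_connect_reply(sample))
```

Feeding it a byte capture of the tunnel (for instance from a packet trace of the client side of the proxy connection) tells you whether a browser-side TLS error is a certificate or handshake problem or, as here, the proxy writing a second HTTP reply into what the client already treats as a TLS stream.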