[squid-users] Squid sends 2 replies after peek/splice when using an user-agent http_access rule

Alex Rousskov rousskov at measurement-factory.com
Wed Sep 25 21:22:11 UTC 2019

On 9/25/19 1:27 PM, Gaël Ranaivo wrote:

> Here is a minimal squid config that demonstrates this weird issue:
>   http_port 3128 ssl-bump tls-cert=/tmp/cert.pem tls-key=/tmp/key.pem
>   acl regua browser .*Firefox.*
>   http_access allow regua
>   http_access deny all
>   acl step1 at_step SslBump1
>   acl step2 at_step SslBump2
>   acl youtube dstdomain .youtube.com
>   ssl_bump peek step1
>   ssl_bump splice step2 youtube
>   ssl_bump bump step2 all
> With this config and using Firefox to go to https://youtube.com/,
> squid replies to the CONNECT with 2 different replies, causing
> an SSL_ERROR_RX_RECORD_TOO_LONG error in the browser:
>   HTTP/1.1 200 Connection established
>   HTTP/1.1 403 Forbidden

If the second response is sent in plain text, without waiting for an
encrypted request from the browser, then this is a Squid bug.

If the second response is sent encrypted, after receiving an encrypted
GET (or similar) request from the browser, then this is intended (for
now) behavior: SslBump bumps tunnels to report errors to users because
browsers refuse to support CONNECT errors properly.

> Adding this line:
>   http_access allow step2
> seems to "fix" the problem, but I'm not sure if this is the right thing
> to do?

Using step2 like that feels dangerous and goes against (possibly
excessively conservative) at_step documentation.

If you want to allow all CONNECT requests, I would allow all CONNECT
requests explicitly instead of (ab)using step2 ACL to do the same.



> Squid version is 4.6 on debian recompiled with ssl support.

More information about the squid-users mailing list