[squid-users] how to avoid use http/1.0 between squid and the target

Amos Jeffries squid3 at treenet.co.nz
Mon Nov 27 09:40:00 UTC 2023


On 27/11/23 22:21, David Komanek wrote:
> here are the debug logs (IP addresses redacted) after connection attempt 
> to https://samba.org/ :
> 
...
> 2023/11/27 09:58:07.370 kid1| 11,2| Stream.cc(274) sendStartOfMessage: 
> HTTP Client REPLY:
> ---------
> HTTP/1.1 400 Bad Request
> Server: squid/6.5
> Mime-Version: 1.0
> Date: Mon, 27 Nov 2023 08:58:07 GMT
> Content-Type: text/html;charset=utf-8
> Content-Length: 3363
> X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0
> Cache-Status: pteryx.natur.cuni.cz
> Via: 1.1 pteryx.natur.cuni.cz (squid/6.5)
> Connection: close
> 
> So, it seems it's not true that squid is using http/1.0, but the guy on 
> the other side told me so. According to the log, do you think I can 
> somehow make it work or is it definitely a problem on the samba.org 
> webserver?


That ERR_PROTOCOL_UNKNOWN indicates that your proxy is trying to 
SSL-Bump the CONNECT tunnel and not understanding the protocol inside 
the TLS layer - which is expected if that protocol is HTTP/2.


For now you should be able to use 
<http://www.squid-cache.org/Doc/config/on_unsupported_protocol/> to 
allow these tunnels. Alternatively use the "splice" action to explicitly 
bypass the SSL-Bump process.


HTH
Amos
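
The two options named in the reply above, sketched as a squid.conf fragment. This is an added example, not configuration from the original post or from the Squid project; the ACL names are hypothetical, and it assumes a working SSL-Bump listener (`http_port ... ssl-bump ...` with its signing certificate) is already in place.

```conf
# Added example. ACL names (foreign_protocol, step1, no_bump_sites) are
# hypothetical; pick one of the two options, not both.

# Option 1: on_unsupported_protocol
# When a bumped tunnel carries something Squid cannot parse and would
# otherwise answer with ERR_PROTOCOL_UNKNOWN, relay the bytes blindly
# instead. Everything else keeps the default error response.
acl foreign_protocol squid_error ERR_PROTOCOL_UNKNOWN
on_unsupported_protocol tunnel foreign_protocol
on_unsupported_protocol respond all

# Option 2: explicit splice
# Peek at the TLS ClientHello to learn the SNI, splice (pass through
# without decrypting) the listed sites, and bump the rest.
acl step1 at_step SslBump1
acl no_bump_sites ssl::server_name .samba.org
ssl_bump peek step1
ssl_bump splice no_bump_sites
ssl_bump bump all
```

Tunnelled or spliced connections are not decrypted, so request-level filtering and URL logging do not apply to them; only the CONNECT target and SNI remain visible to the proxy.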

