[squid-users] how to avoid use http/1.0 between squid and the target

David Komanek david.komanek at natur.cuni.cz
Mon Nov 27 10:05:09 UTC 2023


On 11/27/23 10:40, Amos Jeffries wrote:
> On 27/11/23 22:21, David Komanek wrote:
>> here are the debug logs (IP addresses redacted) after connection 
>> attempt to https://samba.org/ :
>>
> ...
>> 2023/11/27 09:58:07.370 kid1| 11,2| Stream.cc(274) sendStartOfMessage: HTTP Client REPLY:
>> ---------
>> HTTP/1.1 400 Bad Request
>> Server: squid/6.5
>> Mime-Version: 1.0
>> Date: Mon, 27 Nov 2023 08:58:07 GMT
>> Content-Type: text/html;charset=utf-8
>> Content-Length: 3363
>> X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0
>> Cache-Status: pteryx.natur.cuni.cz
>> Via: 1.1 pteryx.natur.cuni.cz (squid/6.5)
>> Connection: close
>>
>> So, it seems it's not true that squid is using http/1.0, but the guy 
>> on the other side told me so. According to the log, do you think I 
>> can somehow make it work or is it definitely a problem on the 
>> samba.org webserver?
>
>
> That ERR_PROTOCOL_UNKNOWN indicates that your proxy is trying to 
> SSL-Bump the CONNECT tunnel and not understanding the protocol inside 
> the TLS layer - which is expected if that protocol is HTTP/2.
>
>
> For now you should be able to use 
> <http://www.squid-cache.org/Doc/config/on_unsupported_protocol/> to 
> allow these tunnels. Alternatively use the "splice" action to 
> explicitly bypass the SSL-Bump process.


Thank you for the quick response. So I should add

acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN
on_unsupported_protocol tunnel foreignProtocol

to the squid.conf, right?


Still, I don't understand why this case is handled by my browsers (or 
squid?) differently from usual HTTPS traffic to other sites. I suppose 
that plenty of sites are accepting HTTP/2 nowadays. A huge lack of 
knowledge on my side :-)


Sincerely,

   David
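
The two approaches named in the quoted reply, written out as a squid.conf fragment. This is an added example, not part of the original messages; the ACL names step1 and noBumpSites, the choice of .samba.org, and the closing "bump all" rule (standing in for an existing SSL-Bump policy) are assumptions.

```conf
# Approach 1: tunnel connections whose payload Squid cannot parse as HTTP.
# on_unsupported_protocol affects intercepted connections and bumped
# tunnels only.
acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN
on_unsupported_protocol tunnel foreignProtocol
# Every other error still produces a normal Squid error page.
on_unsupported_protocol respond all

# Approach 2: splice selected sites so they are never bumped.
# "step1" and "noBumpSites" are names made up for this example;
# .samba.org is used only because it is the site in this thread.
acl step1 at_step SslBump1
acl noBumpSites ssl::server_name .samba.org
# Peek at the TLS ClientHello first so the server name (SNI) is known.
ssl_bump peek step1
# Pass matching TLS connections through without decrypting them.
ssl_bump splice noBumpSites
# Assumed existing policy: keep bumping everything else.
ssl_bump bump all
```

With either approach Squid does not parse the tunneled or spliced traffic as HTTP, so request-level ACLs and content adaptation do not apply to it.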