[squid-users] how to avoid use http/1.0 between squid and the target

Amos Jeffries squid3 at treenet.co.nz
Mon Nov 27 10:36:43 UTC 2023


On 27/11/23 23:05, David Komanek wrote:
> 
> On 11/27/23 10:40, Amos Jeffries wrote:
>> On 27/11/23 22:21, David Komanek wrote:
>>> here are the debug logs (IP addresses redacted) after connection 
>>> attempt to https://samba.org/ :
>>>
>> ...
>>> 2023/11/27 09:58:07.370 kid1| 11,2| Stream.cc(274) 
>>> sendStartOfMessage: HTTP Client REPLY:
>>> ---------
>>> HTTP/1.1 400 Bad Request
>>> Server: squid/6.5
>>> Mime-Version: 1.0
>>> Date: Mon, 27 Nov 2023 08:58:07 GMT
>>> Content-Type: text/html;charset=utf-8
>>> Content-Length: 3363
>>> X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0
>>> Cache-Status: pteryx.natur.cuni.cz
>>> Via: 1.1 pteryx.natur.cuni.cz (squid/6.5)
>>> Connection: close
>>>
>>> So, it seems it's not true that squid is using http/1.0, but the guy 
>>> on the other side told me so. According to the log, do you think I 
>>> can somehow make it work, or is it definitely a problem on the 
>>> samba.org webserver?
>>
>>
>> That ERR_PROTOCOL_UNKNOWN indicates that your proxy is trying to 
>> SSL-Bump the CONNECT tunnel and not understanding the protocol inside 
>> the TLS layer - which is expected if that protocol is HTTP/2.
>>
>>
>> For now you should be able to use 
>> <http://www.squid-cache.org/Doc/config/on_unsupported_protocol/> to 
>> allow these tunnels. Alternatively use the "splice" action to 
>> explicitly bypass the SSL-Bump process.
> 
> 
> Thank you for the quick response. So I should add
> 
> acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN
> on_unsupported_protocol tunnel foreignProtocol
> 
> to the squid.conf, right?

At the point the error exists, it is too late AFAIK.

I was thinking something like:
   acl foo dstdomain samba.org
   on_unsupported_protocol tunnel foo



> 
> Still, I don't understand why this case is handled by my browsers (or 
> squid?) differently from usual HTTPS traffic to other sites. I suppose 
> that plenty of sites are accepting HTTP/2 nowadays. A huge lack of 
> knowledge on my side :-)

I'm not clear exactly why you see this only now, and only with 
samba.org. Squid not supporting HTTP/2 yet is a big part of the problem 
though.


Cheers
Amos
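A squid.conf fragment, added here as an illustration and not taken from the thread or from the Squid project, that spells out both options mentioned above: the dstdomain-based on_unsupported_protocol rule, and the ssl_bump "splice" alternative that keeps the destination out of SSL-Bump altogether. The ACL names and the peek/bump layout are assumptions; the domain is the one from the thread.

```conf
# --- Option 1: let the CONNECT tunnel through unchanged when Squid cannot
# parse what is inside the TLS layer (here: HTTP/2), but only for the
# listed destination. dstdomain is matched against the CONNECT request,
# so it is evaluated before ERR_PROTOCOL_UNKNOWN would be raised.
# (Hypothetical ACL name "h2_sites"; .samba.org is the domain from the thread.)
acl h2_sites dstdomain .samba.org
on_unsupported_protocol tunnel h2_sites
# Every other destination keeps the default: answer with an error page
# instead of blindly tunnelling unknown traffic.
on_unsupported_protocol respond all

# --- Option 2: splice these destinations so Squid never looks inside the
# TLS stream at all. Assumes an http_port/https_port with ssl-bump enabled.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
# Step 1 (CONNECT seen): dstdomain already matches the CONNECT target,
# so the splice decision for h2_sites is made here; peek at everything
# else to learn the TLS SNI.
ssl_bump splice h2_sites
ssl_bump peek step1
# Step 2 (ClientHello seen): also match on the SNI, in case the CONNECT
# target and the SNI differ; everything else is bumped as before.
acl h2_sni ssl::server_name .samba.org
ssl_bump splice h2_sni
ssl_bump bump all
```

Run "squid -k parse" after editing to catch syntax errors before reloading; only one of the two options is needed, and splicing is the narrower choice since it never asks Squid to interpret the inner protocol.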

