[squid-users] Chrome auto-HTTPS-upgrade - not falling to http

Loučanský Lukáš technik at kjj.cz
Fri Apr 5 12:16:09 UTC 2024


FYI

Squid Object Cache: Version 6.8-VCS
Build Info: GIT V6.8 commit 4bee0c8

Could you please somehow elaborate how this seems to be working?

acl SquidSecureConnectFail squid_error ERR_SECURE_CONNECT_FAIL
acl SquidTLSErrorConnect ssl_error SQUID_TLS_ERR_CONNECT

#tunnel all for connection errors
on_unsupported_protocol tunnel SquidTLSErrorConnect
on_unsupported_protocol tunnel SquidSecureConnectFail

Is it a good or bad attempt? As I put redir.netcentrum.cz as an example 
in my first post - now it seems to just request TCP_MISS/200 815 GET 
http://redir.netcentrum.cz/? - ORIGINAL_DST/46.255.231.158 text/html -. 
I do not think my Chrome just decided this site is http only and call it 
like this forever. I just did not see more SSL errors till yesterday. I 
do not say I haven't seen any (during some fairly short period) - such 
as SSL version errors, TLS inappropriate fallbacks, broken certs, no 
common ciphers etc. - but now I could not find a site that does not work 
(for me) - I have to ask my users. Anyway - Squid seemed to have slight 
problems downloading intermediate certificates - to work properly - so I 
had to create a collection of several ones for myself (and some root 
certificates too - for example from MS WU site etc.) - but this could be 
just trouble with my Debian underlying distro. (BTW I've already 
implemented transaction_initiator certificate-fetching acl and have 
http_access line for it)

L

On 03.04.2024 at 17:05, Alex Rousskov wrote:
> On 2024-04-03 02:14, Loučanský Lukáš wrote:
>
> >> this has recently started me up more than let it go. For a while
> >> Chrome is upgrading in-page links to https.
> Just to add two more pieces of related information to this thread:
>
> Some Squid admins report that their v6-based code does not suffer from 
> this issue while their v5-based code does. I have not verified those 
> reports, but there may be more to the story here. What Squid version 
> are _you_ using?
>
> One way to track progress with this annoying and complex issue is to 
> follow the following pull request. The current code cannot be 
> officially merged as is, and I would not recommend using it in 
> production (because of low-level bugs that will probably crash Squid 
> in some cases), but testing it in the lab and providing feedback to 
> authors may be useful:
>
> https://github.com/squid-cache/squid/pull/1668
>
> HTH,
>
> Alex.
>