<div dir="ltr"><div><div><div>I worked a fix:<br><br>diff --git a/squid-3.5.1/src/client_side.cc b/squid-3.5.1/src/client_side.cc<br>index d72e8c4..025316d 100644<br>--- a/squid-3.5.1/src/client_side.cc<br>+++ b/squid-3.5.1/src/client_side.cc<br>@@ -3045,7 +3045,8 @@ ConnStateData::parseProxy1p0()<br>         debugs(33, 5, "PROXY/1.0 protocol on connection " << clientConnection);<br>         clientConnection->local = originalDest;<br>         clientConnection->remote = originalClient;<br>-        clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.<br>+        if (clientConnection->flags & COMM_TRANSPARENT)<br>+            clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.<br>         debugs(33, 5, "PROXY/1.0 upgrade: " << clientConnection);<br><br>         // repeat fetch ensuring the new client FQDN can be logged<br>@@ -3135,14 +3136,16 @@ ConnStateData::parseProxy2p0()<br>         clientConnection->local.port(ntohs(ipu.ipv4_addr.dst_port));<br>         clientConnection->remote = ipu.ipv4_addr.src_addr;<br>         clientConnection->remote.port(ntohs(ipu.ipv4_addr.src_port));<br>-        clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.<br>+        if (clientConnection->flags & COMM_TRANSPARENT)<br>+            clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.<br>         break;<br>     case 0x2: // IPv6         clientConnection->local = ipu.ipv6_addr.dst_addr;<br>         clientConnection->local.port(ntohs(ipu.ipv6_addr.dst_port));<br>         clientConnection->remote = ipu.ipv6_addr.src_addr;<br>         clientConnection->remote.port(ntohs(ipu.ipv6_addr.src_port));<br>-        clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this new IP.<br>+        if (clientConnection->flags & COMM_TRANSPARENT)<br>+            clientConnection->flags ^= COMM_TRANSPARENT; // prevent TPROXY spoofing of this 
new IP.<br>         break;<br>     default: // do nothing<br>         break;<br>                 <br></div>I assume the intention of the code is to turn off COMM_TRANSPARENT if the PROXY protocol is used.<br><br></div>Is this a proper change? At least it works for me now.<br><br></div>Alex<br><div><div><div><br></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 14, 2015 at 3:14 PM, Yuhua Wu <span dir="ltr"><<a href="mailto:ywu@bitglass.com" target="_blank">ywu@bitglass.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><div><div>I found out what is wrong, but I am not familiar with the squid code, so I post here to see if someone can show me the next step:<br><br></div>The problem is at this part of the code:<br>void<br>ClientHttpRequest::sslBumpStart()<br>{<br>    debugs(85, 5, HERE << "Confirming " << Ssl::bumpMode(sslBumpNeed_) <<<br>           "-bumped CONNECT tunnel on FD " << getConn()->clientConnection);<br>    getConn()->sslBumpMode = sslBumpNeed_;<br><br>    AsyncCall::Pointer bumpCall = commCbCall(85, 5, "ClientSocketContext::sslBumpEstablish",<br>                                  CommIoCbPtrFun(&SslBumpEstablish, this));<br><br>    if (request->flags.interceptTproxy || request->flags.intercepted) {<br>        CommIoCbParams &params = GetCommParams<CommIoCbParams>(bumpCall);<br>        params.flag = Comm::OK;<br>        params.conn = getConn()->clientConnection;<br>        ScheduleCallHere(bumpCall);<br>        return;<br>    }<br><br>    // send an HTTP 200 response to kick client SSL negotiation<br>    // TODO: Unify with tunnel.cc and add a Server(?) 
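Review bot: in the parseProxy1p0 hunk (@@ -3045), the added guard does make the XOR clear the bit, but the idiomatic form is one unconditional line, clientConnection->flags &= ~COMM_TRANSPARENT;, which reads as exactly what the comment says ("prevent TPROXY spoofing of this new IP") and needs no if. The line it replaces, clientConnection->flags ^= COMM_TRANSPARENT;, is a toggle: on a listener that was not transparent it switched TPROXY handling on rather than off, which is consistent with the interceptTproxy == 1 symptom reported earlier in this thread for a plain require-proxy-header port.

Review bot: in the parseProxy2p0 hunk (@@ -3135), the same two-line guard is now pasted into both the case 0x1 (IPv4) and case 0x2 (IPv6) branches; clearing with &= ~COMM_TRANSPARENT in each branch removes the duplicated if and keeps the two paths identical. The default: // do nothing branch leaves the flag as it was, so a v2 header carrying any other address family keeps whatever transparent handling the port had; if that is intended, a one-line comment there would save the next reader the question.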
header<br>    static const char *const conn_established = "HTTP/1.1 200 Connection established\r\n\r\n";<br>    Comm::Write(getConn()->clientConnection, conn_established, strlen(conn_established), bumpCall, NULL);<br>}<br><br></div>If require-proxy-header is not used, then request->flags.interceptTproxy is 0, and when require-proxy-header is used, the<br></div>request->flags.interceptTproxy is 1!<br><br></div>Since request->flags.interceptTproxy is 1, the 200 status code for the CONNECT call is not sent. (The last part of the code, sending the 200 status code, is skipped.)<br><br></div>Any help?<br><br></div>Alex<br><div><div><div><div><div><div><br></div></div></div></div></div></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 14, 2015 at 10:05 AM, Yuhua Wu <span dir="ltr"><<a href="mailto:ywu@bitglass.com" target="_blank">ywu@bitglass.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>I think that in sslbump mode, if the PROXY protocol is enabled, the client cannot set up the SSL tunnel with squid after the CONNECT call succeeds. I remember that HAProxy will send the PROXY protocol line during SSL negotiation. If squid does not parse the PROXY protocol header during SSL negotiation, this will cause the problem.<br><br></div>Alex<br></div><div class="gmail_extra"><br><div class="gmail_quote"><span>On Mon, Apr 13, 2015 at 7:56 PM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br></span><div><div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>On 14/04/2015 4:47 a.m., Yuhua Wu wrote:<br>
> For example, is this configuration supported?<br>
><br>
> http_port 3129 require-proxy-header ssl-bump ……<br>
><br>
> By the way, we added acl rules:<br>
><br>
> acl frontend src <a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a><br>
> proxy_protocol_access allow frontend<br>
><br>
> Alex<br>
><br>
<br>
</div></div>Yes that should work.<br>
<br>
<<a href="http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html#ss2.7" target="_blank">http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html#ss2.7</a>><br>
<br>
Your above config example decrypts the traffic through the following layers:<br>
  HTTPS over HTTP/1.x over PROXY/TCP ...<br>
<br>
As you can see, the PROXY and HTTPS layers are separate protocols that<br>
don't interact.<br>
<br>
Amos<br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div></div></div><br></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
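As an added example, not Squid's code and not code from anyone in this thread, the three things the thread turns on in one runnable unit: a minimal PROXY protocol v2 parser for the IPv4 (0x1) and IPv6 (0x2) stream families, a peer check standing in for the "acl frontend src 10.0.0.0/8" / "proxy_protocol_access allow frontend" rules (only a trusted frontend may rewrite the client address), and the difference between toggling a transparent flag with ^= and clearing it with &= ~. The names Conn, kTransparent, parseProxy2, acceptProxyHeader and the two sample headers are assumptions made for this example; the sample headers are constructed, not captured traffic.

```cpp
// Added example, not Squid's code nor any code from this thread: a minimal PROXY
// protocol v2 parser for the IPv4/IPv6 stream families, a peer trust check that
// stands in for "proxy_protocol_access allow frontend", and the two flag updates
// the patch discusses. Conn, kTransparent and all function names are hypothetical.
#include <arpa/inet.h>
#include <netinet/in.h>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

constexpr unsigned kTransparent = 0x1; // stands in for COMM_TRANSPARENT

struct Conn {
    unsigned flags = 0;         // listener flags; kTransparent on a TPROXY port
    uint32_t peerIPv4 = 0;      // host-order address of the TCP peer that connected
    std::string remote, local;  // client and destination after PROXY parsing
    uint16_t remotePort = 0, localPort = 0;
};

// Only frontends inside 10.0.0.0/8 (the page's "acl frontend src 10.0.0.0/8") may
// hand us a PROXY header; any other peer could otherwise spoof the client address.
bool peerTrusted(uint32_t peerIPv4) { return (peerIPv4 & 0xFF000000u) == 0x0A000000u; }

static const unsigned char kSig[12] = {0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A};
static uint16_t be16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

// Parse a v2 header at the start of buf. Returns bytes consumed, or 0 when the
// header is absent, malformed, or not yet complete (caller should read more).
size_t parseProxy2(Conn &c, const unsigned char *buf, size_t len) {
    if (len < 16 || std::memcmp(buf, kSig, 12) != 0) return 0;
    const unsigned verCmd = buf[12], famProto = buf[13];
    if ((verCmd >> 4) != 0x2) return 0;               // only version 2
    const uint16_t addrLen = be16(buf + 14);
    if (len < 16u + addrLen) return 0;                // wait for the rest
    if ((verCmd & 0xF) == 0x0) return 16u + addrLen;  // LOCAL: keep socket addresses
    const unsigned char *a = buf + 16;
    char txt[INET6_ADDRSTRLEN];
    switch (famProto >> 4) {
    case 0x1: // IPv4: src(4) dst(4) sport(2) dport(2)
        if (addrLen < 12) return 0;
        inet_ntop(AF_INET, a, txt, sizeof txt);     c.remote = txt;
        inet_ntop(AF_INET, a + 4, txt, sizeof txt); c.local  = txt;
        c.remotePort = be16(a + 8);  c.localPort = be16(a + 10);
        break;
    case 0x2: // IPv6: src(16) dst(16) sport(2) dport(2)
        if (addrLen < 36) return 0;
        inet_ntop(AF_INET6, a, txt, sizeof txt);      c.remote = txt;
        inet_ntop(AF_INET6, a + 16, txt, sizeof txt); c.local  = txt;
        c.remotePort = be16(a + 32); c.localPort = be16(a + 34);
        break;
    default: // any other family: nothing usable, keep socket addresses
        break;
    }
    return 16u + addrLen;
}

// The line the patch replaces: XOR toggles the bit, so on a listener that was
// not transparent it turns TPROXY handling on instead of off.
void toggleTransparent(Conn &c) { c.flags ^= kTransparent; }
// What "prevent TPROXY spoofing of this new IP" intends: clear it, whatever it was.
void clearTransparent(Conn &c) { c.flags &= ~kTransparent; }

// Honour a PROXY header only from a trusted peer, then drop transparent handling
// so the addresses taken from the header are never treated as TPROXY addresses.
bool acceptProxyHeader(Conn &c, const std::vector<unsigned char> &buf) {
    if (!peerTrusted(c.peerIPv4)) return false;
    if (parseProxy2(c, buf.data(), buf.size()) == 0) return false;
    clearTransparent(c);
    return true;
}

// Constructed sample: v2 PROXY, AF_INET/STREAM, 192.0.2.10:50000 -> 10.0.0.5:3128.
std::vector<unsigned char> sampleV2IPv4() {
    std::vector<unsigned char> h(kSig, kSig + 12);
    const unsigned char rest[] = {0x21, 0x11, 0x00, 0x0C,
                                  192,0,2,10, 10,0,0,5, 0xC3,0x50, 0x0C,0x38};
    h.insert(h.end(), rest, rest + sizeof rest);
    return h;
}
// Constructed sample: v2 PROXY, AF_INET6/STREAM, [2001:db8::1]:443 -> [2001:db8::2]:3129.
std::vector<unsigned char> sampleV2IPv6() {
    std::vector<unsigned char> h(kSig, kSig + 12);
    const unsigned char rest[] = {0x21, 0x21, 0x00, 0x24,
        0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,0x01,
        0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,0x02,
        0x01,0xBB, 0x0C,0x39};
    h.insert(h.end(), rest, rest + sizeof rest);
    return h;
}

int main() {
    Conn c; c.peerIPv4 = 0x0A000001u; // 10.0.0.1, inside the trusted frontend range
    if (acceptProxyHeader(c, sampleV2IPv4()))
        std::printf("client %s:%u -> %s:%u, flags=%u\n", c.remote.c_str(),
                    (unsigned)c.remotePort, c.local.c_str(), (unsigned)c.localPort, c.flags);
    Conn e; toggleTransparent(e); // the bug: a plain port now has the transparent bit set
    std::printf("XOR on a non-transparent port: flags=%u\n", e.flags);
    return 0;
}
```

Build with g++ -std=c++11 on a POSIX system (inet_ntop comes from arpa/inet.h). The point of the two flag helpers: starting from flags == 0, the way a plain require-proxy-header port starts, toggleTransparent leaves the transparent bit set, which is the same effect as the interceptTproxy == 1 symptom described in the thread, whereas clearTransparent leaves 0 from either starting state, which is also what the guarded XOR in the posted patch achieves, just in one line.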