<div dir="ltr"><div><div><div><div><div><div>I found out what is wrong, but I am not familiar with the squid code, so I post here to see if someone can show me the next step:<br><br></div>The problem is at this part of code:<br>void<br>ClientHttpRequest::sslBumpStart()<br>{<br> debugs(85, 5, HERE << "Confirming " << Ssl::bumpMode(sslBumpNeed_) <<<br> "-bumped CONNECT tunnel on FD " << getConn()->clientConnection);<br> getConn()->sslBumpMode = sslBumpNeed_;<br><br> AsyncCall::Pointer bumpCall = commCbCall(85, 5, "ClientSocketContext::sslBumpEstablish",<br> CommIoCbPtrFun(&SslBumpEstablish, this));<br><br> if (request->flags.interceptTproxy || request->flags.intercepted) {<br> CommIoCbParams &params = GetCommParams<CommIoCbParams>(bumpCall);<br> params.flag = Comm::OK;<br> params.conn = getConn()->clientConnection;<br> ScheduleCallHere(bumpCall);<br> return;<br> }<br><br> // send an HTTP 200 response to kick client SSL negotiation<br> // TODO: Unify with tunnel.cc and add a Server(?) header<br> static const char *const conn_established = "HTTP/1.1 200 Connection established\r\n\r\n";<br> Comm::Write(getConn()->clientConnection, conn_established, strlen(conn_established), bumpCall, NULL);<br>}<br><br></div>if require-proxy-header is not used, then request->flags.interceptTproxy is 0, and when require-proxy-header is used, the<br></div>request->flags.interceptTproxy is 1!<br><br></div>since request->flags.interceptTproxy is 1, the 200 status code for the CONNECT call is not sent. 
(The last part of code sending 200 status code is skipped.)<br><br></div>Any kind help?<br><br></div>Alex<br><div><div><div><div><div><div><br></div></div></div></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 14, 2015 at 10:05 AM, Yuhua Wu <span dir="ltr"><<a href="mailto:ywu@bitglass.com" target="_blank">ywu@bitglass.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>I think, in the sslbump mode, if PROXY protocol is enabled, client cannot set up the SSL tunnel with squid after CONNECT call succeeds. I remember that HAProxy will send PROXY protocol line during ssl negotiation. If squid does not parse the PROXY protocol header during SSL negotiation, this will cause the problem.<br><br></div>Alex<br></div><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On Mon, Apr 13, 2015 at 7:56 PM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br></span><div><div class="h5"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>On 14/04/2015 4:47 a.m., Yuhua Wu wrote:<br>
> For example, is this configuration supported?<br>
><br>
> http_port 3129 require-proxy-header ssl-bump ……<br>
><br>
> By the way, we added acl rules:<br>
><br>
> acl frontend src <a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a><br>
> proxy_protocol_access allow frontend<br>
><br>
> Alex<br>
><br>
<br>
</div></div>Yes that should work.<br>
<br>
<<a href="http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html#ss2.7" target="_blank">http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html#ss2.7</a>><br>
<br>
Your above config example decrypts the traffic through the following layers:<br>
HTTPS over HTTP/1.x over PROXY/TCP ...<br>
<br>
As you can see the PROXY and HTTPS layers are separate protocols that<br>
don't interact.<br>
<br>
Amos<br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div></div></div><br></div>
</blockquote></div><br></div>
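Added example, not squid's code and not written by any poster in this thread: a small C++ model of the layering Amos describes (HTTP/1.x CONNECT over PROXY over TCP) and of the decision in the quoted sslBumpStart(). The flag names come from the quoted squid code; the PROXY v1 parser, the function names and the constructed client byte stream (HAProxy front end at 10.0.0.5, squid on port 3129) are assumptions made here.

```cpp
#include <sstream>
#include <string>

// PROXY protocol v1 header as HAProxy sends it: "PROXY TCP4 src dst sport dport\r\n"
struct ProxyHdr { bool ok = false; std::string proto, src, dst; int sport = 0, dport = 0; size_t len = 0; };

// Parse and validate the v1 line. The v1 format caps it at 107 bytes including
// the CRLF; anything malformed is rejected rather than guessed at.
ProxyHdr parseProxyV1(const std::string &buf) {
    ProxyHdr h;
    size_t end = buf.find("\r\n");
    if (end == std::string::npos || end + 2 > 107 || buf.compare(0, 6, "PROXY ") != 0)
        return h;
    std::istringstream in(buf.substr(6, end - 6));
    std::string extra;
    if (!(in >> h.proto >> h.src >> h.dst >> h.sport >> h.dport) || (in >> extra))
        return h;                                  // too few or too many fields
    if ((h.proto != "TCP4" && h.proto != "TCP6") ||
        h.sport < 0 || h.sport > 65535 || h.dport < 0 || h.dport > 65535)
        return h;
    h.len = end + 2;
    h.ok = true;
    return h;
}

// Request flags named as in the quoted ClientHttpRequest::sslBumpStart().
struct Flags { bool intercepted = false; bool interceptTproxy = false; };

// The quoted code skips the "200 Connection established" reply exactly when
// one of these flags is set: the CONNECT was synthesised for a NAT/TPROXY
// intercept, so no client is waiting for that reply.
bool sslBumpSendsConnectEstablished(const Flags &f) {
    return !(f.intercepted || f.interceptTproxy);
}

// Walk a client byte stream through the layers: strip the PROXY line, then look
// at the HTTP request behind it. `flagsAfterProxyHeader` models how squid marks
// the request once the PROXY line is consumed; the thread reports
// interceptTproxy = 1 in that case. Returns true when the client would be left
// waiting for the 200 it needs before it can start its TLS handshake.
bool clientStallsBeforeTls(const std::string &stream, const Flags &flagsAfterProxyHeader) {
    ProxyHdr ph = parseProxyV1(stream);
    if (!ph.ok) return false;                      // not PROXY-framed; out of scope here
    std::string http = stream.substr(ph.len);
    bool isConnect = http.compare(0, 8, "CONNECT ") == 0;  // a real forward-proxy CONNECT
    // Behind a PROXY header there is still a real client that sent CONNECT and is
    // waiting for the 200; if squid skips it, that client never starts TLS.
    return isConnect && !sslBumpSendsConnectEstablished(flagsAfterProxyHeader);
}
```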