[squid-dev] [PATCH] Non-HTTP bypass

Tsantilas Christos chtsanti at users.sourceforge.net
Wed Oct 15 18:30:19 UTC 2014


Intercepting proxies often receive non-HTTP connections. Squid cannot 
currently deal with such connections well because it assumes that a 
given port receives HTTP, FTP, or HTTPS traffic exclusively. This patch 
allows Squid to tunnel unexpected connections instead of terminating 
them with an error.

This patch:
   - Defines an unexpected connection as a connection that resulted in a 
Squid error during first request parsing. Which errors trigger tunneling 
behavior is configurable by the admin using ACLs.

   - Adds "on_first_request_error", a new ACL-driven squid.conf 
directive that can be used to establish a blind TCP tunnel which relays 
all bytes from/to the intercepted connection to/from the intended 
destination address. See the sketch above.
The on_first_request_error directive supports fast ACLs only.

   - Adds "squid_error", a new ACL type to match transactions that 
triggered a given Squid error. Squid error IDs are used to configure one 
or more errors to match. This is similar to the existing ssl_error ACL 
type but works with Squid-generated errors rather than SSL library errors.

   - Adds "ERR_WRONG_PROTOCOL", a new Squid error triggered for 
http_port connections that start with something that lacks even basic 
HTTP request structure. This error is triggered by the HTTP request 
parser, and probably only when/after the current parsing code detects an 
error.

   - Adds "request_start_timeout", a new squid.conf directive to trigger a 
new Squid ERR_REQUEST_START_TIMEOUT error if no bytes are received from 
the client on a newly established http_port connection during the 
configured time period. Applies to all http_ports (for now).

No support for tunneling through cache_peers is included. Configurations
that direct outgoing traffic through a peer may break Squid.

Configuration sketch:

    # define what Squid errors indicate receiving non-HTTP traffic:
    acl foreignProtocol squid_error ERR_WRONG_PROTOCOL ERR_TOO_BIG

    # define what Squid errors indicate receiving nothing:
    acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT

    # tunnel everything that does not look like HTTP:
    on_first_request_error tunnel foreignProtocol

    # tunnel if we think the client waits for the server to talk first:
    on_first_request_error tunnel serverTalksFirstProtocol

    # in all other error cases, just send an HTTP "error page" response:
    on_first_request_error respond all

    # Configure how long to wait for the first byte on the incoming
    # connection before raising an ERR_REQUEST_START_TIMEOUT error.
    request_start_timeout 5 seconds

For more information please read the patch preamble.

This is a Measurement Factory project

-------------- next part --------------
A non-text attachment was scrubbed...
Name: trunk-non-HTTP-bypass-v5.patch.gz
Type: application/x-tar
Size: 20858 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20141015/4d6c7a8f/attachment-0001.tar>
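The following is an added model of the decision flow the mail describes, written for this page; it is not Squid code and not from the patch. It keeps the directive names, the error IDs and the configuration sketch from the mail. The heuristic for "lacks even basic HTTP request structure", the 8192-byte request-line limit used to stand in for ERR_TOO_BIG, and the rule that the first on_first_request_error line whose ACLs all match wins (as with other Squid access lists) are assumptions of the model, not facts established by the mail.

```python
"""Model of on_first_request_error handling for an intercepted connection.

Added illustration, not Squid code. Directive names, error IDs and the
policy text come from the squid-dev mail; the HTTP-structure heuristic,
MAX_REQUEST_LINE and the first-matching-line-wins rule are assumptions.
"""
import re

ERR_WRONG_PROTOCOL = "ERR_WRONG_PROTOCOL"
ERR_TOO_BIG = "ERR_TOO_BIG"
ERR_REQUEST_START_TIMEOUT = "ERR_REQUEST_START_TIMEOUT"
HTTP, WAIT = "http", "wait"          # non-error outcomes of the first read

# Assumed limit: a first line longer than this is modelled as ERR_TOO_BIG.
MAX_REQUEST_LINE = 8192
# Assumed meaning of "basic HTTP request structure": METHOD SP target SP HTTP/x.y EOL
REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/\d\.\d\r?\n")
# A prefix that could still grow into a request line once more bytes arrive.
PARTIAL_LINE = re.compile(rb"[A-Z]{1,10}( [^\r\n]*)?")

# The configuration sketch from the mail, used as the policy under test.
CONFIG = """
acl foreignProtocol squid_error ERR_WRONG_PROTOCOL ERR_TOO_BIG
acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
on_first_request_error tunnel foreignProtocol
on_first_request_error tunnel serverTalksFirstProtocol
on_first_request_error respond all
request_start_timeout 5 seconds
"""

# Constructed first reads for the demonstration, not captured traffic.
SAMPLES = {
    "http": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "tls": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03",  # TLS record header
    "ssh": b"SSH-2.0-OpenSSH_8.9\r\n",                      # server-style banner sent by a client
    "huge": b"GET /" + b"A" * 9000,                         # request line with no end in sight
    "partial": b"GET /ind",                                 # plausible HTTP, not complete yet
    "silent": b"",                                          # client waits for the server
}


def classify_first_bytes(data, timed_out=False):
    """Return HTTP, WAIT, or the error ID the first read would raise (model)."""
    if not data:
        return ERR_REQUEST_START_TIMEOUT if timed_out else WAIT
    line_end = data.find(b"\n")
    head = data if line_end < 0 else data[: line_end + 1]
    if len(head) > MAX_REQUEST_LINE:
        return ERR_TOO_BIG
    if REQUEST_LINE.match(head):
        return HTTP                       # looks like HTTP: hand to the parser
    if line_end < 0 and PARTIAL_LINE.fullmatch(head):
        return WAIT                       # incomplete but still plausible: keep reading
    return ERR_WRONG_PROTOCOL             # e.g. TLS record, SSH banner, binary junk


def parse_policy(conf_text):
    """Collect squid_error ACLs, on_first_request_error lines and the timeout."""
    acls, rules, timeout = {}, [], None
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) > 3 and parts[2] == "squid_error":
            acls.setdefault(parts[1], set()).update(parts[3:])
        elif parts[0] == "on_first_request_error":
            rules.append((parts[1], parts[2:]))   # (action, ACL names) in config order
        elif parts[0] == "request_start_timeout":
            timeout = float(parts[1])
    return acls, rules, timeout


def decide(error_id, acls, rules):
    """First line whose ACLs all match wins; 'all' always matches (assumed semantics)."""
    for action, names in rules:
        if all(name == "all" or error_id in acls.get(name, ()) for name in names):
            return action
    return "respond"   # assumed default when no line matches


def handle_connection(first_bytes, policy, timed_out=False):
    """Return (action, error_id); action is 'http', 'wait' or a configured action."""
    acls, rules, _ = policy
    outcome = classify_first_bytes(first_bytes, timed_out)
    if outcome in (HTTP, WAIT):
        return outcome, None
    return decide(outcome, acls, rules), outcome


if __name__ == "__main__":
    policy = parse_policy(CONFIG)
    for name, data in SAMPLES.items():
        print(name, handle_connection(data, policy, timed_out=(name == "silent")))
```

Running the block shows the TLS, SSH and oversized samples being tunneled, the silent client being tunneled only because the timeout fired, and the partial request being held for more bytes rather than classified. The model also makes the practitioner's caveat concrete: anything that fails the first parse is relayed blindly before any HTTP-level policy runs, so in a real deployment the squid_error ACL would usually be narrowed with further fast ACLs rather than applied to every intercepted port.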