[squid-dev] [PATCH] ConnStateData flexible transport support

Amos Jeffries squid3 at treenet.co.nz
Tue Oct 21 11:14:07 UTC 2014


Applied as trunk rev.13661 with polishing.

I dropped the ssl-bumped flag change since there was no feedback on it
working, and added appropriate resets when the new "splice" bumping
decision leaves the connection as HTTP with opaque payload.

Amos

On 29/04/2014 1:10 a.m., Amos Jeffries wrote:
> We are quickly approaching a time when a client connection can
> freely migrate between protocols or versions of protocols. Already
> we have ssl-bump which can switch a connection from HTTP to HTTPS.
> I am expecting switching HTTP<->HTTPS via Upgrade, and
> HTTP/1<->HTTP/2 via "magic", Upgrade, or ALPN.
> 
> Based on ssl-bump experience with switchedToHttps() and the pain
> that can be predicted when there are several permutations of such
> accessors to test against I am proposing the attached patch.
> 
> 
> * Add a transportVersion member to ConnStateData which holds the
> current protocol to be used over the clientConnection socket. This
> variable can be altered whenever necessary to cause an on-wire
> protocol change. New connections default to the protocol signalled
> in the http(s)_port directive.
> 
> * ssl-bump transforms the transportVersion from whatever it was
> previously (usually HTTP or HTTPS) to HTTPS.
> - Also updated ssl-bump to set the traffic type flag tunnelSslBumped
> on non-intercept traffic, which can be assumed to be a CONNECT
> request.
> 
> * transparent and reverse-proxy URL reconstruction is updated to
> use the new member instead of the http(s)_port protocol= setting.
> This removes edge conditions where the URL reconstructor needs to
> figure out ssl-bump existence.
> 
> 
> Christos, I would like some help with two ssl-bump related things
> if you have the time spare:
> 
> 1) testing the new prepareTransparentURL reconstruction works on 
> ssl-bumped traffic.
> 
> 2) finding switchedToHttps() usage that can be replaced. When
> ssl-bump is operating we should now always have one of these
> conditions being true:
> a) ConnStateData::port->flags.tunnelSslBump
> b) ConnStateData::port->intercepted() &&
> ConnStateData::transportVersion.protocol==AnyP::PROTO_HTTPS
> 
> The second one is low-priority even if this patch gets added. We
> will find them later anyway as the code polishing progresses.
> 
> Amos
> 

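A simplified model of the design in the quoted proposal, added here as an illustration; it is not Squid source and not part of the patch, and the types `Port` and `Conn` and every function name are hypothetical. It shows the reconstructed URL scheme going stale after a bump when it is read from the port setting, and staying correct when it is read from per-connection transport state.

```cpp
#include <iostream>
#include <string>

// Simplified model, NOT Squid source. All names here are hypothetical.
enum class Proto { HTTP, HTTPS };

struct Port {                 // stands in for an http(s)_port directive
    Proto protocol;           // protocol signalled by the directive
    bool intercepted;         // port receives intercepted traffic
    bool tunnelSslBump;       // port flag named in condition (a)
};

struct Conn {                 // stands in for per-client-connection state
    const Port &port;
    Proto transport;          // protocol currently used on the client socket
    explicit Conn(const Port &p) : port(p), transport(p.protocol) {}

    // ssl-bump: whatever was in use before, the wire protocol is now HTTPS.
    void bump() { transport = Proto::HTTPS; }
};

static std::string scheme(Proto p) { return p == Proto::HTTPS ? "https" : "http"; }

// Scheme taken from the listening port's static protocol setting.
std::string urlFromPort(const Conn &c, const std::string &host, const std::string &path) {
    return scheme(c.port.protocol) + "://" + host + path;
}

// Scheme taken from the connection's current transport.
std::string urlFromTransport(const Conn &c, const std::string &host, const std::string &path) {
    return scheme(c.transport) + "://" + host + path;
}

// Conditions (a) || (b) from the message, transcribed onto this model.
bool bumpOperating(const Conn &c) {
    return c.port.tunnelSslBump ||
           (c.port.intercepted && c.transport == Proto::HTTPS);
}

int main() {
    Port fwd{Proto::HTTP, false, true};   // constructed sample: http_port with bumping
    Conn c(fwd);
    c.bump();                             // a CONNECT tunnel was bumped
    std::cout << urlFromPort(c, "example.com", "/a") << "\n"
              << urlFromTransport(c, "example.com", "/a") << "\n";
}
```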

