[squid-dev] [PATCH] Fix external_acl problems

Amos Jeffries squid3 at treenet.co.nz
Mon Feb 1 14:23:28 UTC 2016


On 2/02/2016 2:32 a.m., Dave Lewthwaite wrote:
> Hi Christos,
> 
> Sorry my apologies - I had my build env a bit mixed up. Anyway I’ve cleared that down and re-applied the patch - it’s all working now which is excellent news (http_port / CONNECT and https_port / transparent/intercept).
> 

Hurrah! :-)

> For clarity - 
> 
> Revision: squid-4.0.4-20160111-r14487
> Patch applied cleanly with
> patch -p0 < ../cert_subject_gone-t4.patch 
> 
> 
> It wouldn’t apply cleanly to the latest nightly.
> 
> May be related - the %>ru field in the ACL is now logged as host:port for http_port/CONNECT and ip:port for https_port/transparent - is the ‘:port’ expected? If so then I will modify our external ACL to strip it off before performing comparison.
> 

It should show what was received from the client.

CONNECT request is expected to have IP:port or host:port depending on
what info is available. Due to SNI, intercepted port 443 traffic may be
either IP:port or sni:port on the synthetic CONNECT request.

Other requests with URL scheme:// are expected to omit the :port if it
is the registered default port for that scheme (ie https:// means no
":443", http:// no ":80", ftp:// no ":21", etc) but otherwise always
include the :port.


> When are you targeting 4.0 to be released?
> 

The next beta (4.0.5) should be out in the next few days.

4.1 (stable) will be out as soon as we have a 10 day period with no
major bugs existing and no new bugs being found. No certain timeline on
when that will occur.

Amos
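
The %>ru forms described in this reply, normalized for an allow-list comparison; this is an added example, not part of the original message and not Squid code. The function names, the allow-list and the sample values are hypothetical.

```python
from urllib.parse import urlsplit

# Registered default ports for the schemes named in the reply above.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def split_request_target(value):
    """Return (host, port) for a %>ru value.

    Handles the CONNECT forms (host:port, ip:port, [ipv6]:port) and
    absolute URLs, where a registered default port is omitted.
    Raises ValueError on anything that does not parse cleanly.
    """
    value = value.strip()
    if "://" in value:
        parts = urlsplit(value)
        default = DEFAULT_PORTS.get(parts.scheme.lower())
    else:
        # CONNECT authority-form: parse it as a bare network location.
        parts = urlsplit("//" + value)
        default = None
    if "@" in parts.netloc:
        raise ValueError("userinfo not expected in request target")
    host = parts.hostname          # lower-cased, IPv6 brackets removed
    port = parts.port              # raises ValueError if not a valid port
    if not host:
        raise ValueError("no host in request target")
    return host.rstrip("."), port if port is not None else default


def is_allowed(value, allowed_hosts):
    """Exact-match the parsed host; unparseable input is denied."""
    try:
        host, _port = split_request_target(value)
    except ValueError:
        return False
    return host in allowed_hosts


if __name__ == "__main__":
    allowed = {"example.com", "192.0.2.10"}   # constructed allow-list
    for sample in ("example.com:443", "192.0.2.10:443",
                   "https://example.com/login", "example.com.evil.test:443"):
        print(sample, "->", "OK" if is_allowed(sample, allowed) else "ERR")
```

Comparing the parsed host exactly, instead of cutting the string at the first colon or prefix-matching the raw value, keeps IPv6 literals and look-alike hostnames from slipping past the check.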


