[squid-dev] [PATCH] Bump SSL client on [more] errors encountered before ssl_bump evaluation

Amos Jeffries squid3 at treenet.co.nz
Sat Feb 4 14:07:43 UTC 2017


On 4/02/2017 8:27 a.m., Christos Tsantilas wrote:
> ... such as ERR_ACCESS_DENIED with HTTP/403 Forbidden triggered by an
> http_access deny rule match.
> 
> The old code allowed ssl_bump step1 rules to be evaluated in the
> presence of an error. An ssl_bump splicing decision would then trigger
> the useless "send the error to the client now" processing logic instead
> of going down the "to serve an error, bump the client first" path.
> 
> Furthermore, the ssl_bump evaluation result itself could be surprising
> to the admin because ssl_bump (and most other) rules are not meant to be
> evaluated for a transaction in an error state. This complicated triage.
> 
> Also polished an important comment to clarify that we want to bump on
> error if (and only if) the SslBump feature is applicable to the failed
> transaction (i.e., if the ssl_bump rules would have been evaluated if
> there were no prior errors). The old comment could have been
> misinterpreted that ssl_bump rules must be evaluated to allow an
> "ssl_bump splice" match to hide the error.
> 
> This is a Measurement Factory project.
> 


+1. Please apply.

Amos



More information about the squid-dev mailing list