[squid-dev] [PATCH] Bump SSL client on [more] errors encountered before ssl_bump evaluation

Christos Tsantilas christos at chtsanti.net
Mon Feb 6 17:07:39 UTC 2017


Applied to trunk as r15036.

I am attaching the patch for squid-3.5.


On 04/02/2017 04:07 PM, Amos Jeffries wrote:
> On 4/02/2017 8:27 a.m., Christos Tsantilas wrote:
>> ... such as ERR_ACCESS_DENIED with HTTP/403 Forbidden triggered by an
>> http_access deny rule match.
>>
>> The old code allowed ssl_bump step1 rules to be evaluated in the
>> presence of an error. An ssl_bump splicing decision would then trigger
>> the useless "send the error to the client now" processing logic instead
>> of going down the "to serve an error, bump the client first" path.
>>
>> Furthermore, the ssl_bump evaluation result itself could be surprising
>> to the admin because ssl_bump (and most other) rules are not meant to be
>> evaluated for a transaction in an error state. This complicated triage.
>>
>> Also polished an important comment to clarify that we want to bump on
>> error if (and only if) the SslBump feature is applicable to the failed
>> transaction (i.e., if the ssl_bump rules would have been evaluated if
>> there were no prior errors). The old comment could have been
>> misinterpreted that ssl_bump rules must be evaluated to allow an
>> "ssl_bump splice" match to hide the error.
>>
>> This is a Measurement Factory project.
>>
>
>
> +1. Please apply.
>
> Amos
>
> _______________________________________________
> squid-dev mailing list
> squid-dev at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-dev
>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: SQUID-272-Blocked-CONNECT-request-not-bumped-squid-3.5-t3.patch
Type: text/x-patch
Size: 5412 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20170206/72c8088c/attachment.bin>
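
A squid.conf sketch of a setup where the behaviour described in the quoted commit message matters. It is an added example, not taken from the patch or from the Squid project; the ACL names, hostnames, client network and certificate path are constructed placeholders.

```conf
# Added illustration: all names, addresses and paths below are constructed.

# Forward-proxy port with SslBump enabled, so the SslBump feature is
# applicable to CONNECT requests received here.
http_port 3128 ssl-bump cert=/etc/squid/bump-ca.pem generate-host-certificates=on

acl localnet      src 192.0.2.0/24
acl blocked_sites dstdomain .blocked.example
# Sites the admin does not want decrypted. Note the overlap with
# blocked_sites: this is the case the commit message is about.
acl no_inspect    dstdomain .blocked.example .bank.example

# A CONNECT to www.blocked.example:443 matches this rule and puts the
# transaction into an error state (ERR_ACCESS_DENIED, HTTP/403 Forbidden)
# before ssl_bump is evaluated.
http_access deny  blocked_sites
http_access allow localnet
http_access deny  all

# Old behaviour, per the commit message: step1 ssl_bump rules were still
# evaluated for the failed transaction, "splice no_inspect" matched, and the
# error went down the "send the error to the client now" path.
# Patched behaviour, per the commit message: because SslBump is applicable
# to this transaction, the client is bumped first so the error can be served,
# and these rules are not evaluated for the transaction in error state.
ssl_bump splice no_inspect
ssl_bump bump   all
```

When triaging such a case, a denied CONNECT that appears bumped despite a matching splice rule is the intended result of this change, not a rule-ordering mistake.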

