[squid-dev] FW: [squid-users] Reverse proxy for HTTPS cloudfront server
Eliezer Croitoru
eliezer at ngtech.co.il
Tue Feb 14 22:57:24 UTC 2017
Forwarding the subject to the squid development list.
----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Craig Gowing
Sent: Tuesday, February 14, 2017 12:52 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Reverse proxy for HTTPS cloudfront server
From what I can tell the SNI is not added for cache peers. In
Ssl::PeerConnector::initializeSsl if "peer" is set then the call to
Ssl::setClientSNI is skipped. Also the SSL context doesn't have the hostname
or a callback set, and sslCreateClientContext doesn't appear to be able to
set it either.
I've tested with a quick patch which appears to fix the issue: (however
I feel it should take into account the forcedomain option as well)
diff --git a/src/ssl/PeerConnector.cc b/src/ssl/PeerConnector.cc
index f5d4c81..178c685 100644
--- a/src/ssl/PeerConnector.cc
+++ b/src/ssl/PeerConnector.cc
@@ -133,6 +133,7 @@ Ssl::PeerConnector::initializeSsl()
if (peer) {
SBuf *host = new SBuf(peer->ssldomain ? peer->ssldomain :
peer->host);
SSL_set_ex_data(ssl, ssl_ex_index_server, host);
+ Ssl::setClientSNI(ssl, host->c_str());
if (peer->sslSession)
SSL_set_session(ssl, peer->sslSession);
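Review bot: the added Ssl::setClientSNI(ssl, host->c_str()) call sends whatever ends up in host, and when peer->ssldomain is unset that is peer->host, which can be an IP address literal if the cache_peer is configured by address. RFC 6066 does not permit literal IPv4 or IPv6 addresses in the SNI HostName, so the call should be skipped (or made conditional on host not parsing as an IP address) in that case. It is good that the SNI value is the same string stored under ssl_ex_index_server, since that keeps the name the peer is asked for and the name its certificate is checked against in agreement; any follow-up that factors in forcedomain, as the message suggests, should preserve that property rather than choosing the two names independently.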
--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Reverse-proxy-for-HTTPS-cloudfront-server-tp4681533p4681542.html