[squid-dev] request for change handling hostStrictVerify
Alex Rousskov
rousskov at measurement-factory.com
Tue Nov 2 15:26:47 UTC 2021
On 11/2/21 4:25 AM, kk at sudo-i.net wrote:
>
> On Monday, November 01, 2021 14:58 GMT, Alex Rousskov
> <rousskov at measurement-factory.com> wrote:
>
>> On 11/1/21 3:59 AM, kk at sudo-i.net wrote:
>> > On Saturday, October 30, 2021 01:14 GMT, Alex Rousskov wrote:
>> >> >> AFAICT, in the majority of deployments, the mismatch between the
>> >> >> intended IP address and the SNI/Host header can be correctly handled
>> >> >> automatically and without creating serious problems for the
>> user. Squid
>> >> >> already does the right thing in some cases. Somebody should
>> carefully
>> >> >> expand that coverage to intercepted traffic. Frankly, I am somewhat
>> >> >> surprised nobody has done that yet given the number of complaints!
>>
>> > Not sure what do you mean with "Somebody should carefully expand that
>> > coverage to intercepted traffic"?
>>
>> I meant that somebody should create a high-quality pull request that
>> modifies Squid source code to properly address the problem you, AFAICT,
>> are suffering from. There is already code that handles similar
>> situations correctly.
> I will try to implement it.
Please note that implementing correct changes in this area may be
difficult, especially if you are not familiar with relevant Squid code
and the invariants it is trying to uphold. Please do not expect the
changes to be officially accepted just because they "work" in your use case.
It is your call whether or how to approach this task, but if you find
yourself modifying a lot of Squid code, especially code that seems
mysterious, you might want to pause and sketch a solution for the
discussion here on squid-dev or via a Draft PR on GitHub.
HTH,
Alex.
More information about the squid-dev
mailing list