[squid-dev] Alternate origin server selection
Alex Rousskov
rousskov at measurement-factory.com
Thu Oct 28 17:16:37 UTC 2021
On 10/28/21 12:39 PM, Steve Hill wrote:
> On 28/10/2021 16:41, Alex Rousskov wrote:
>> AFAICT, the primary obstacle here is that Squid pins the connection
>> while obtaining the origin server certificate.
> Well, I can't see why Squid needs the origin certificate - it should be
> able to make a decision off the SNI before connecting to the origin server.
Squid does not "need" any of this, of course. Configuration and/or bugs
force Squid to do what it does. If your decision-making process does not
involve the certificate, then you should be able to rewrite the fake
CONNECT request during SslBump step2, without (or before) telling Squid
to stare at the certificate (and pin the resulting connection).
There are bugs in this area, including bugs that may prevent certain
CONNECT adaptations from happening. We are fixing one of those bugs
right now. For details, you can see an unpolished/unofficial pull
request at https://github.com/measurement-factory/squid/pull/108
> I didn't seem to be able to make the decision prior to the connection
> being pinned though. I'm not sure why - I will go back and investigate
> further.
Sounds like a plan!
Cheers,
Alex.
More information about the squid-dev
mailing list