[squid-users] SSL connection failed due to SNI after content redirection
Alex Wu
alex_wu2012 at hotmail.com
Mon Jul 20 17:28:49 UTC 2015
With 3.5.6 code, we found one thing is broken.
We used pyredir to rewrite requests to a surrogate server with SSL connections enabled.
Also, we enable this in squid.conf:
url_rewrite_host_header on
We expect a request to www.foo.com is changed to www.foo-internal.com.
squid sends the request with the host header rewritten by pyredir as www.foo-internal.com, but it fails connecting to the server with SSL enabled due to SNI hostname selection (it is under SSLBUMP). We did this change to get it to work:
--- a/squid-3.5.6/src/ssl/PeerConnector.cc
+++ b/squid-3.5.6/src/ssl/PeerConnector.cc
@@ -191,8 +194,10 @@ Ssl::PeerConnector::initializeSsl()
// Use SNI TLS extension only when we connect directly
// to the origin server and we know the server host name.
- const char *sniServer = hostName ? hostName->c_str() :
- (!request->GetHostIsNumeric() ? request->GetHost() : NULL);
+ const char *sniServer = hostName->c_str();
+ if ( request->flags.redirected && ::Config.onoff.redir_rewrites_host) {
+ sniServer = !request->GetHostIsNumeric() ? request->GetHost() : NULL;
+ }
if (sniServer) {
debugs(83, 5, "SNIserve " << sniServer);
Ssl::setClientSNI(ssl, sniServer);
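Review bot: the new line `const char *sniServer = hostName->c_str();` dereferences hostName unconditionally, whereas the two removed lines guarded it with `hostName ? hostName->c_str() : ...` and fell back to `request->GetHost()` when hostName was not set; if initializeSsl() can still run with a null hostName, this is a crash. Keep the guard, e.g. `const char *sniServer = hostName ? hostName->c_str() : NULL;`, and let the new `request->flags.redirected && ::Config.onoff.redir_rewrites_host` branch override it with the rewritten host. The surrounding comment ("Use SNI TLS extension only when we connect directly to the origin server and we know the server host name") no longer describes the redirected case and should be updated. It is also worth confirming that the name used to verify the server certificate is the same one now sent as SNI, so the rewritten connection is not validated against the original host name.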
Is this correct?
Alex