[squid-users] grab hostnames via SNI to use it for parent proxy

Atman Sense atman.sense at zise.de
Fri Jun 12 21:04:39 UTC 2015


On 2015-06-05 00:22, Amos Jeffries wrote:
> 
> You can block by SNI in the ssl_bump checks without having bumped the
> connection.
> 
> Like so:
> 
>  # get the public TLS metadata (includes SNI)
>  ssl_bump peek all
> 
>  # block based on SNI matching (or server cert matching)
>  acl blocked ssl::server_name .example.com
>  ssl_bump terminate blocked
> 
>  # tunnel (no decrypting) for everything else
>  ssl_bump splice all
> 
> 
> Note that you do have to allow the "CONNECT raw-IP:443 ..." requests
> through http_access to the bumping logics.
> 

That's nice. Thanks for that.

It would be nice if I could handle the blocklist on privoxy centrally
(my users want to disable the blocks occasionally and can do that
through a privoxy web interface). I tried to find out when squid is
sending "CONNECT IP:PORT" to the parent proxy, in the hope of manipulating it
into "CONNECT HOSTNAME:PORT". I found it in tunnel.cc:1052
(mb.Printf("CONNECT %s HTTP/1.1\r\n", tunnelState->url);). After some
investigating with gdb, I found the SNI hostname in this context in
tunnelState->http->getConn()->serverBump()->clientSni.c_str(). Currently
I'm testing with this patch:

--- src/tunnel.cc   2015-05-01 13:27:20.000000000 +0200
+++ src/tunnel.cc   2015-06-07 14:10:37.098895939 +0200
@@ -1049,7 +1049,13 @@
      flags.proxying = tunnelState->request->flags.proxying;
      MemBuf mb;
      mb.init();
-    mb.Printf("CONNECT %s HTTP/1.1\r\n", tunnelState->url);
+    //use SNI hostname if it exists
+    if 
(strlen(tunnelState->http->getConn()->serverBump()->clientSni.c_str()) > 
1) {
+        mb.Printf("CONNECT %s:%hu HTTP/1.1\r\n", 
tunnelState->http->getConn()->serverBump()->clientSni.c_str(), 
tunnelState->request->port);
+    } else {
+        mb.Printf("CONNECT %s HTTP/1.1\r\n", tunnelState->url);
+    }
+
      
HttpStateData::httpBuildRequestHeader(tunnelState->request.getRaw(),
                                            NULL,         /* StoreEntry 
*/
                                            tunnelState->al,          /* 
AccessLogEntry */
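Review bot: the new branch dereferences `tunnelState->http->getConn()->serverBump()` without any NULL check; serverBump() can be NULL for a CONNECT that did not go through the ssl_bump peek (or when the client sent no SNI), which would crash squid here, so guard each pointer in that chain and test the SNI with `!clientSni.isEmpty()` rather than `strlen(...) > 1` (a one-character hostname is otherwise silently dropped). Note also that the hostname comes straight from the client's ClientHello and replaces the intercepted destination IP in the CONNECT line, so the parent proxy now connects to wherever the client-chosen SNI resolves and any blocklist decision on privoxy is keyed on client-supplied data.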

This works quite well, but when privoxy blocks a "CONNECT" request,
squid doesn't understand it and the client connection is kept open
until the client times out:
     HttpMsg.cc(176) parse: HttpMsg::parse success (275 bytes) near 
'HTTP/1.1 403 Request blocked by Privoxy'
     tunnel.cc(459) logicError: local=xxx:42093 remote=xxx:8118 FD 17 
flags=1 closing on error: unsupported CONNECT response status code
A look in tunnel.cc reveals that it only accepts HTTP 200. That's OK, but
it would be nice to disconnect both client and parent proxy to avoid
timeouts. Do you have an idea how to disconnect the client immediately
after non-HTTP-200 responses?
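The exchange under discussion, as an added example that is not squid's or privoxy's code: it builds the CONNECT line the way the patch does (SNI hostname if present, else the raw target), and on anything other than a 200 from the parent closes the parent socket at once instead of letting the client time out. The parent is a constructed stand-in on loopback whose reply copies the "403 Request blocked by Privoxy" status line from the log above.

```python
import re
import socket
import threading

# Constructed reply, mirroring the Privoxy block response quoted in the log.
PARENT_REPLY = b"HTTP/1.1 403 Request blocked by Privoxy\r\nConnection: close\r\n\r\n"
# The SNI is client-supplied: accept only a plain hostname before it goes into a request line.
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")

def connect_line(sni, raw_url, port):
    """Prefer the peeked SNI hostname as the parent's CONNECT target, as the patch
    does; fall back to the original raw-IP:port target when no usable SNI exists."""
    if sni and HOST_RE.fullmatch(sni):
        return "CONNECT %s:%d HTTP/1.1\r\n" % (sni, port)
    return "CONNECT %s HTTP/1.1\r\n" % raw_url

def parent_status(sock):
    """Read the parent's status line; return its numeric code, or None if unparsable."""
    buf = b""
    while b"\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return None
        buf += chunk
    parts = buf.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])

def tunnel_via_parent(parent_addr, sni, raw_url, port):
    """Send CONNECT to the parent. On anything but 200 close the parent socket
    immediately and return (None, code) so the caller can drop the client too."""
    sock = socket.create_connection(parent_addr, timeout=5)
    sock.sendall(connect_line(sni, raw_url, port).encode("ascii") + b"\r\n")
    code = parent_status(sock)
    if code != 200:
        sock.close()
        return None, code
    return sock, code

def fake_parent(reply):
    """Constructed stand-in for the parent proxy: takes one CONNECT, answers with reply."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)
        conn.sendall(reply)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()
```

Calling `tunnel_via_parent(fake_parent(PARENT_REPLY), "www.example.com", "203.0.113.5:443", 443)` returns `(None, 403)` with the parent side already closed; a `200 Connection established` reply returns the open socket instead.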
