[squid-users] Checking SSL bump status in http_access
Alex Rousskov
rousskov at measurement-factory.com
Wed Aug 17 16:18:23 UTC 2016
On 08/16/2016 05:12 PM, Amos Jeffries wrote:
> On 17/08/2016 2:22 a.m., Steve Hill wrote:
>> Is there a way of figuring out if the current request is a bumped
>> request when the http_access ACL is being checked? i.e. can we tell the
>> difference between a GET request that is inside a bumped tunnel, and an
>> unencrypted GET request?
> In Squid-3 a combo of the myportname and proto ACLs should do that.
>
> In Squid-4 the above, or the connections_encrypted ACL type.
In both cases, please be extra careful with CONNECT requests (real or
fake) that precede bumped traffic but also go through http_access rules
and with unencrypted https:// requests that some Squids may receive.
Since bumping is not a instantaneous decision but a long process,
possibly involving several CONNECT requests, and since other traffic,
especially in complicated deployments can have properties similar to
bumped requests, it is often difficult to write correct "this HTTP
request was bumped" ACLs.
This configuration problem should be at least partially addressed by the
upcoming annotate_transaction ACLs inserted into ssl_bump rules:
http://lists.squid-cache.org/pipermail/squid-dev/2016-July/006146.html
HTH,
Alex.
More information about the squid-users
mailing list