[squid-users] Checking SSL bump status in http_access
Steve Hill
steve at opendium.com
Thu Aug 18 09:18:35 UTC 2016
On 17/08/16 17:18, Alex Rousskov wrote:
> This configuration problem should be at least partially addressed by the
> upcoming annotate_transaction ACLs inserted into ssl_bump rules:
> http://lists.squid-cache.org/pipermail/squid-dev/2016-July/006146.html

That looks good. When implementing this, beware the note in comment 3
of bug 4340: http://bugs.squid-cache.org/show_bug.cgi?id=4340#c3
"for transparent connections, the NotePairs instance used during the
step-1 ssl_bump ACL is not the same as the instance used during the
http_access ACL, but for non-transparent connections they are the same
instance. The upshot is that any notes set by an external ACL when
processing the ssl_bump ACL during step 1 are discarded when handling
transparent connections." - It would greatly reduce the functionality
of your proposed ACLs if the annotations were sometimes discarded part
way through a connection or request.

Something I've been wanting to do for a while is attach a unique
"connection ID" and "request ID" to requests so that:

1. An ICAP server can make decisions about the connection (e.g. how to
authenticate, whether to bump, etc.) and then refer back to the data it
knows/generated about the connection when it processes the requests
contained within that connection.

2. When multiple ICAP requests will be generated, they can be linked
together by the ICAP server - e.g. where a single request will generate
a REQMOD followed by a RESPMOD it would be good for the ICAP server to
know which REQMOD and RESPMOD relate to the same request.

It sounds like your annotations plan may address this to some extent.

(We can probably already do some of this by having the ICAP server
generate unique IDs and store them in ICAP headers to be passed along
with the request, but I think the bug mentioned above would cause those
headers to be discarded mid-request in some cases.)

--
- Steve Hill
Technical Director
Opendium Online Safety / Web Filtering http://www.opendium.com
Enquiries Support
--------- -------
sales at opendium.com support at opendium.com
+44-1792-824568 +44-1792-825748
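
Added example, not part of the original post: a sketch of point 2 above, in which an ICAP server links the REQMOD and RESPMOD of one request by a request ID carried in ICAP headers and reports any message whose ID was lost on the way. The header names `X-Connection-ID` and `X-Request-ID`, the ICAP service URL and the sample messages are assumptions constructed for illustration, not Squid or ICAP standard names.

```python
from collections import defaultdict

CONN_HDR = "x-connection-id"  # hypothetical header name (assumption)
REQ_HDR = "x-request-id"      # hypothetical header name (assumption)


def parse_icap_head(raw: bytes):
    """Return (method, headers) parsed from the ICAP request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers


def correlate(messages):
    """Group ICAP messages by request ID; collect those that cannot be linked."""
    linked = defaultdict(list)
    orphans = []
    for raw in messages:
        method, headers = parse_icap_head(raw)
        req_id = headers.get(REQ_HDR)
        # No ID at all, or a RESPMOD whose REQMOD was never seen: the stored
        # per-request decision cannot be trusted, so report it separately.
        if req_id is None or (method == "RESPMOD" and "REQMOD" not in linked.get(req_id, [])):
            orphans.append((method, headers.get(CONN_HDR)))
            continue
        linked[req_id].append(method)
    return dict(linked), orphans


def icap(method, **hdrs):
    """Build a constructed ICAP request head (encapsulated HTTP parts omitted)."""
    lines = [f"{method} icap://icap.example.net/filter ICAP/1.0", "Host: icap.example.net"]
    lines += [f"{k.replace('_', '-')}: {v}" for k, v in hdrs.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


# Constructed sample traffic; the last RESPMOD arrives with its IDs discarded.
SAMPLE = [
    icap("REQMOD", X_Connection_ID="c1", X_Request_ID="r1"),
    icap("RESPMOD", X_Connection_ID="c1", X_Request_ID="r1"),
    icap("REQMOD", X_Connection_ID="c2", X_Request_ID="r2"),
    icap("RESPMOD"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

An ICAP server that bases filtering decisions on stored per-connection state would apply its default policy to the orphaned messages rather than assume the earlier decision still holds.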