[squid-users] Checking SSL bump status in http_access

Steve Hill steve at opendium.com
Thu Aug 18 09:18:35 UTC 2016


On 17/08/16 17:18, Alex Rousskov wrote:

> This configuration problem should be at least partially addressed by the
> upcoming annotate_transaction ACLs inserted into ssl_bump rules:
> http://lists.squid-cache.org/pipermail/squid-dev/2016-July/006146.html

That looks good.  When implementing this, beware the note in comment 3 
of bug 4340: http://bugs.squid-cache.org/show_bug.cgi?id=4340#c3
"for transparent connections, the NotePairs instance used during the 
step-1 ssl_bump ACL is not the same as the instance used during the 
http_access ACL, but for non-transparent connections they are the same 
instance.  The upshot is that any notes set by an external ACL when 
processing the ssl_bump ACL during step 1 are discarded when handling 
transparent connections."  - It would greatly reduce the functionality 
of your proposed ACLs if the annotations were sometimes discarded part 
way through a connection or request.

Something I've been wanting to do for a while is attach a unique 
"connection ID" and "request ID" to requests so that:
1. An ICAP server can make decisions about the connection (e.g. how to 
authenticate, whether to bump, etc.) and then refer back to the data it 
knows/generated about the connection when it processes the requests 
contained within that connection.
2. When multiple ICAP requests will be generated, they can be linked 
together by the ICAP server - e.g. where a single request will generate 
a REQMOD followed by a RESPMOD, it would be good for the ICAP server to 
know which REQMOD and RESPMOD relate to the same request.

It sounds like your annotations plan may address this to some extent. 
(We can probably already do some of this by having the ICAP server 
generate unique IDs and store them in ICAP headers to be passed along 
with the request, but I think the bug mentioned above would cause those 
headers to be discarded mid-request in some cases.)

-- 
  - Steve Hill
    Technical Director
    Opendium    Online Safety / Web Filtering    http://www.opendium.com

    Enquiries                 Support
    ---------                 -------
    sales at opendium.com        support at opendium.com
    +44-1792-824568           +44-1792-825748
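The following squid.conf fragment is an added illustration of the approach the thread is discussing (set an annotation from an ssl_bump rule, read it back in http_access); it is not from the post above or from the Squid project. It assumes the annotate_transaction and note ACL syntax as it later shipped in Squid 4 (the thread refers to the feature as upcoming), and the domain names and path pattern are constructed. The caveat from bug 4340 quoted above still applies: on transparent (intercepted) connections an annotation set during step 1 may not be visible to http_access, so verify the behaviour in the interception mode actually deployed.

```conf
# Added example, not from the thread or the Squid project.
# Assumes Squid 4 annotate_transaction / note ACL syntax.

acl step1 at_step SslBump1

# Servers that must never be bumped (constructed list).
acl noBumpSites ssl::server_name .bank.example .health.example

# annotate_transaction ACLs always match; they exist only for the side
# effect of attaching key=value to the current transaction.
acl markBumped  annotate_transaction bumped=yes
acl markSpliced annotate_transaction bumped=no

# A note ACL reads the annotation back later, e.g. in http_access.
acl wasBumped note bumped yes

ssl_bump peek step1
# Put the real condition BEFORE the annotate ACL: ACLs in a rule are
# evaluated left to right and stop at the first non-match, so the
# annotation is attached only when noBumpSites actually matched.
ssl_bump splice noBumpSites markSpliced
# markBumped always matches, so every remaining connection is bumped
# and tagged bumped=yes.
ssl_bump bump markBumped

# Only bumped traffic exposes the URL path; spliced traffic shows just
# the SNI / CONNECT host. Apply path-based rules to bumped traffic only.
acl blockedPaths urlpath_regex -i \.exe$
http_access deny wasBumped blockedPaths
# localnet is the ACL defined in the stock squid.conf (assumed present).
http_access allow localnet
http_access deny all
```

The ordering point in the splice rule is the one practitioners most often get wrong: because an annotate_transaction ACL never fails, placing it first would tag every connection bumped=no regardless of whether the splice rule ultimately matched.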

