[squid-users] clarifying Features/SslPeekAndSplice on wiki + fake CONNECT
Alex Rousskov
rousskov at measurement-factory.com
Tue Aug 23 03:44:15 UTC 2016
On 08/22/2016 08:14 PM, Marcus Kool wrote:
> Thanks for your reply.
> I will start changing the wiki page.
> When I think I am done, I will let you know for a review.
It is best to commit all your intended changes at once (if at all)
rather than to use the public page as a scratch pad -- folks read what
you commit.
> The fake CONNECT _is_ desired, but with FQDN, to
I am not sure whether you are making a general/universal claim (as in
"nobody needs CONNECTs without FQDN") or just documenting your
particular use case. I assume it is the latter. Please note that the
wiki page should focus on the general case (but may document specific
use cases as well, of course).
> 1) have no differences in the CONNECT information sent to
> the URL rewriter in normal proxy mode and in transparent
> intercept mode.
You do not control what is being sent to the rewriter in a forward proxy
mode. Some HTTPS clients use FQDNs, some use IP addresses.
> 2) be able to filter. The url rewriter cannot filter based
> on the IP address, it needs a FQDN/SNI.
Some rewriters can.
>> Note that CONNECTs should be sent both during step1 and during step2 by
>> default.
> I think I missed something. The URL rewriter on my systems only gets IP
> addresses, never SNI/FQDN. And never receives two CONNECTs (i.e. one
> at step1 and one at step2).
This is a bug or a missing feature [in your Squid?] IMHO.
> Can I configure Squid to send a fake CONNECT during step2?
It should be done automatically IIRC.
> What is "during"?
Each step starts with obtaining specific information (TCP client, SSL
client, or SSL server) and ends with evaluating ssl_bump rules. The
whole callout sequence happens in-between:
http://wiki.squid-cache.org/ProgrammingGuide/Architecture?#HTTP_Request
Disclaimer: This is a rough/approximate description. There may be
exceptions or special cases in certain environments.
> Is the CONNECT sent at the end of step2 so it can send the SNI?
IIRC, it should be sent both during step1 and during step2. I believe
there are rewriters that use SNI information in interception environments.
HTH,
Alex.
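As an added illustration of the step1/step2 distinction discussed above (example code, not part of this thread and not Squid's or ufdbGuard's own code): a minimal url_rewrite helper that tells a step1 fake CONNECT (IP:port, no SNI yet) from a step2 one (SNI FQDN:port) and only applies its domain policy to the latter. It assumes the Squid 3.4+ helper protocol with the default url_rewrite_extras ("URL client_ip/fqdn ident method ..."), that Squid passes the CONNECT target as host:port, and that rewriting a blocked CONNECT target to a sinkhole host (blocked.invalid, a placeholder) is the desired policy.

```python
import ipaddress
import sys

# Constructed sample policy; a real helper would load this from a file.
BLOCKED_DOMAINS = {"ads.example", "tracker.example"}
SINKHOLE = "blocked.invalid:443"  # placeholder target for blocked CONNECTs


def parse_request(line):
    """Split one helper request line into (channel, url, method).

    Assumed format (Squid 3.4+, default url_rewrite_extras):
        [channel-id] URL client_ip/fqdn ident method [key=value ...]
    The channel id is only present with concurrency enabled.
    """
    fields = line.strip().split()
    channel = fields.pop(0) if fields and fields[0].isdigit() else None
    url = fields[0] if fields else ""
    method = fields[3] if len(fields) > 3 else ""
    return channel, url, method


def connect_target_kind(url):
    """Classify a CONNECT authority: 'ip' for a step1 fake CONNECT that
    carries only the TCP destination, 'fqdn' when the SNI is present."""
    host = url.rpartition(":")[0].strip("[]")  # handles [v6]:port too
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "fqdn"


def decide(line):
    """Return the helper's reply line for one request line."""
    channel, url, method = parse_request(line)
    verdict = "OK"  # OK with no kv-pairs means: no rewrite, let it through
    if method == "CONNECT" and connect_target_kind(url) == "fqdn":
        host = url.rpartition(":")[0].strip("[]").lower()
        # Policy is decided on the SNI name only; an IP-only step1 CONNECT
        # is passed so the decision is deferred to step2.
        if any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS):
            verdict = f"OK rewrite-url={SINKHOLE}"
    return f"{channel} {verdict}" if channel else verdict


if __name__ == "__main__":
    for raw in sys.stdin:  # Squid writes one request per line
        print(decide(raw), flush=True)
```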