[squid-users] clarifying Features/SslPeekAndSplice on wiki + fake CONNECT

Alex Rousskov rousskov at measurement-factory.com
Tue Aug 23 03:44:15 UTC 2016


On 08/22/2016 08:14 PM, Marcus Kool wrote:
> Thanks for your reply.
> I will start changing the wiki page.
> When I think I am done, I will let you know for a review.

It is best to commit all your intended changes at once (if at all)
rather than to use the public page as a scratch pad -- folks read what
you commit.


> The fake CONNECT _is_ desired, but with FQDN, to

I am not sure whether you are making a general/universal claim (as in
"nobody needs CONNECTs without FQDN") or just documenting your
particular use case. I assume it is the latter. Please note that the
wiki page should focus on the general case (but may document specific
use cases as well, of course).


> 1) have no differences in the CONNECT information sent to
>    the URL rewriter in normal proxy mode and in transparent
>    intercept mode.

You do not control what is being sent to the rewriter in a forward proxy
mode. Some HTTPS clients use FQDNs, some use IP addresses.


> 2) be able to filter.  The url rewriter cannot filter based
>    on the IP address, it needs a FQDN/SNI.

Some rewriters can.


>> Note that CONNECTs should be sent both during step1 and during step2 by
>> default.

> I think I missed something.  The URL rewriter on my systems only gets IP
> addresses, never SNI/FQDN.  And never receives two CONNECTs (i.e. one
> at step1 and one at step2).

This is a bug or a missing feature [in your Squid?] IMHO.


> Can I configure Squid to send a fake CONNECT during step2 ?

It should be done automatically IIRC.


> What is "during"?

Each step starts with obtaining specific information (TCP client, SSL
client, or SSL server) and ends with evaluating ssl_bump rules. The
whole callout sequence happens in-between:
http://wiki.squid-cache.org/ProgrammingGuide/Architecture?#HTTP_Request

Disclaimer: This is a rough/approximate description. There may be
exceptions or special cases in certain environments.


> Is the CONNECT sent at the end of step2 so it can send the SNI?

IIRC, it should be sent both during step1 and during step2. I believe
there are rewriters that use SNI information in interception environments.


HTH,

Alex.
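To make the step1/step2 distinction above concrete, here is a small url_rewrite_program helper sketch. It is an added example for this thread, not Squid's or any existing rewriter's code. It assumes Squid feeds one request per line in the default url_rewrite_extras layout ("%>a/%>A %un %>rm myip=%la myport=%lp", no channel-ID) and accepts "OK" (leave unchanged), "OK status=302 url=..." (redirect) and "BH" (broken helper) as replies; the optional "sni=" key, the block list, the block page URL and the sample lines are constructed for the example.

```python
"""url_rewrite_program helper sketch: filter CONNECTs by name, pass IP-only ones.

Added example for the squid-users thread on SslPeekAndSplice fake CONNECTs;
not Squid's or ufdbGuard's code. Assumed input line layout (default
url_rewrite_extras, no channel-ID):

    URL client_ip/client_fqdn ident method key=value ...

Assumed reply lines: "OK", "OK status=302 url=<URL>", "BH".
"""
import ipaddress
import sys

# Constructed policy for the example: CONNECT to these names is refused.
BLOCKED_SUFFIXES = ("blocked.example.org",)
BLOCK_PAGE = "http://blockpage.invalid/"   # hypothetical landing page


def parse_line(line):
    """Split one helper input line into its fields.

    Returns None when URL, client, ident and method are not all present.
    Trailing key=value pairs (the extras) are collected in 'kv'.
    """
    parts = line.strip().split()
    if len(parts) < 4:
        return None
    client_ip, _, client_fqdn = parts[1].partition("/")
    kv = {}
    for item in parts[4:]:
        key, sep, value = item.partition("=")
        if sep:
            kv[key] = value
    return {"url": parts[0], "client_ip": client_ip,
            "client_fqdn": client_fqdn, "ident": parts[2],
            "method": parts[3], "kv": kv}


def connect_host(url):
    """Return the host part of a CONNECT target ('host:port').

    A bracketed IPv6 literal ('[2001:db8::1]:443') loses its brackets.
    CONNECT targets always carry a port, so a bare '::1' is not expected.
    """
    host, sep, _port = url.rpartition(":")
    if not sep:
        host = url
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host


def is_ip_literal(host):
    """True when 'host' parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(line):
    """'ip' for a CONNECT to an address (what a step1 fake CONNECT of an
    intercepted connection carries), 'fqdn' for a CONNECT to a name
    (forward-proxy clients, or a step2 fake CONNECT carrying the SNI),
    'other' for anything else."""
    req = parse_line(line)
    if req is None or req["method"] != "CONNECT":
        return "other"
    return "ip" if is_ip_literal(connect_host(req["url"])) else "fqdn"


def reply(line):
    """Compute the reply line for one request line."""
    req = parse_line(line)
    if req is None:
        return "BH"   # malformed input: "broken helper" result (assumed)
    if req["method"] != "CONNECT":
        return "OK"
    host = connect_host(req["url"])
    # Optional: an SNI value if url_rewrite_extras was extended with
    # 'sni=%ssl::>sni' (assumed format code); '-' means none was seen.
    sni = req["kv"].get("sni", "-")
    name = sni if sni != "-" else host
    if is_ip_literal(name):
        # Only an address is known at this point; a name-based policy
        # cannot match, so the CONNECT is passed through unchanged.
        return "OK"
    if name.lower().endswith(BLOCKED_SUFFIXES):
        return "OK status=302 url=" + BLOCK_PAGE
    return "OK"


# Constructed sample input: the two fake CONNECTs an intercepted
# connection can produce (step1 with the address, step2 with the SNI),
# and a forward-proxy CONNECT that already carries the name.
SAMPLE_LINES = [
    "203.0.113.7:443 10.0.0.5/- - CONNECT myip=10.0.0.1 myport=3129",
    "blocked.example.org:443 10.0.0.5/- - CONNECT myip=10.0.0.1 myport=3129",
    "www.example.com:443 10.0.0.5/- - CONNECT myip=10.0.0.1 myport=3128",
]


def main():
    # Real use: one request per line on stdin, one reply per line on stdout.
    for line in sys.stdin:
        sys.stdout.write(reply(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The first sample line is the case Marcus describes: a step1 CONNECT that carries nothing but the destination address, so the helper can only pass it through; the second is what a step2 CONNECT looks like once the SNI is known, and only there can a name-based decision be made.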
