[squid-users] Wrong req_header result in cache_peer_access when using ssl_bump

Alex Rousskov rousskov at measurement-factory.com
Fri Jul 15 19:18:36 UTC 2016


On 07/15/2016 12:11 PM, Mihai Ene wrote:
> I have a working ssl_bump
> configuration when using direct connections. However, cache_peer and
> cache_peer_access have req_header rules which aren't followed in bumped
> connections.

If Squid has access to [fake or real] request headers, they should be
available to ACLs.


> In logs, immediately after bumping, I see attempts to read X-My-Header
> during cache_peer_access rules, and the header appears to always be
> empty and ACLs always evaluate to 0, although the same logs show the
> correct, expected X-My-Header later on, when forwarding the request.

I can think of two possibilities:

1. When debugging, you are looking at CONNECT transactions (rather than
HTTP requests inside bumped CONNECT tunnels) _and_ your CONNECT
transactions do not have X-My-Header.

2. It is a bug you should report.

If there is an X-My-Header in CONNECT transactions that your Squid
receives, see #2. Otherwise, see #1. You can use Wireshark or Squid
ALL,2 debugging to see CONNECT headers that Squid receives.

The above assumes you are not intercepting SSL connections and are not
dynamically adding X-My-Header to the received requests.


HTH,

Alex.
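
The check described in the reply above, as an added example that is not part of the original message: it reads client request blocks from Squid ALL,2 debug output and reports, separately for CONNECT and non-CONNECT requests, whether X-My-Header was received. The log layout (an `HTTP Client REQUEST:` line followed by a dash-delimited block), the sample log and the function names are assumptions made for this sketch.

```python
import re

# Constructed sample resembling Squid ALL,2 output; not taken from the thread.
SAMPLE_LOG = """\
2016/07/15 12:00:01.100 kid1| 11,2| client_side.cc(2345) parseHttpRequest: HTTP Client REQUEST:
---------
CONNECT example.test:443 HTTP/1.1
Host: example.test:443

----------
2016/07/15 12:00:01.250 kid1| 11,2| client_side.cc(2345) parseHttpRequest: HTTP Client REQUEST:
---------
GET /index.html HTTP/1.1
Host: example.test
X-My-Header: peer-a

----------
"""

MARKER = "HTTP Client REQUEST:"      # assumed marker line for a received request
DASHES = re.compile(r"^-{5,}\s*$")   # assumed block delimiter

def client_requests(log_text):
    """Yield (method, headers) for each delimited client request block."""
    lines = iter(log_text.splitlines())
    for line in lines:
        if not line.rstrip().endswith(MARKER):
            continue
        if not DASHES.match(next(lines, "")):
            continue  # marker without a delimited block: skip it
        block = []
        for body in lines:  # same iterator, so the outer loop resumes after the block
            if DASHES.match(body):
                break
            block.append(body)
        method = block[0].split(" ", 1)[0] if block else ""
        headers = {}
        for field in block[1:]:
            name, sep, value = field.partition(":")
            if sep:  # ignore blank lines and anything that is not a header field
                headers[name.strip().lower()] = value.strip()
        yield method, headers

def header_report(log_text, header="X-My-Header"):
    """Return [(kind, value_or_None)]; kind is 'CONNECT' or 'inner' (non-CONNECT)."""
    key = header.lower()
    return [("CONNECT" if method == "CONNECT" else "inner", headers.get(key))
            for method, headers in client_requests(log_text)]
```

A `("CONNECT", None)` entry next to an `("inner", ...)` entry with a value corresponds to possibility 1 in the reply: the header is present only on requests inside the bumped tunnel.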


