[squid-users] extract http headers from CONNECT / bumped ssl?

Alex Rousskov rousskov at measurement-factory.com
Fri Aug 25 00:16:43 UTC 2017


On 08/24/2017 06:00 PM, Aaron Turner wrote:
> So I've deployed squid in forward mode, installed the CA in my web
> clients, etc and have squid working fine for both http and https
> traffic.

Forgive me for double-checking, but is SSL bumping actually working? For
example, do you see individual decrypted HTTPS requests in access.log?

What is your Squid version?


> One thing I need to do is be able to extract an HTTP request header
> into an external_acl_type:
> 
> external_acl_type client_ip_map_0 %>{My-Custom-Client-Id}
> /usr/lib64/squid/user_loadbalance.py 0 4

That is not your actual external_acl_type line, I hope. The %>h part
looks malformed.


> This works fine for standard HTTP requests, but doesn't work for https
> queries via CONNECT.  Is there some way to configure Squid to parse
> them?

Do you need to extract My-Custom-Client-Id header field value from

* the CONNECT request itself,
* the HTTP requests inside the (bumped) CONNECT tunnel,
* or all of the above?

Is that header field actually _present_ in the request(s) you want to
extract it from? You can answer this question by analyzing packet dumps
(Wireshark can decrypt SSL for you) and/or by looking at cache.log with
debug_options set to ALL,2.

If you omit the parameter and simply use %>h, does the helper get any
headers?

If you see a request with the desired header and %>h expansion lacks it,
consider filing a bug report with the relevant information.


Thank you,

Alex.
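
One way to answer the "does the helper get any headers?" question above is to swap in a throwaway diagnostic helper that records what Squid actually hands it for plain, CONNECT and bumped requests. This is an added example, not part of the original message and not the poster's or the Squid project's code. It assumes Squid URL-escapes helper input, sends "-" for a missing value, puts a channel ID first when concurrency is enabled, and passes a %>h header block as one escaped token; the `--concurrent` flag is hypothetical.

```python
#!/usr/bin/env python3
"""Diagnostic external ACL helper: records what Squid actually passes in."""
import sys
from urllib.parse import unquote

HEADER = "My-Custom-Client-Id"  # header name taken from the thread

def find_header(raw, name=HEADER):
    """Return the named field's value from a decoded header block, else None."""
    for line in raw.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            return value.strip()
    return None

def handle(line, concurrent=False):
    """Turn one helper request line into (reply, diagnostic note)."""
    tokens = line.rstrip("\r\n").split(" ")
    # Assumption: with concurrency enabled a channel ID comes first and
    # has to be echoed back at the start of the reply.
    channel = tokens.pop(0) + " " if concurrent and tokens else ""
    token = tokens[0] if tokens and tokens[0] else "-"
    if token == "-":  # assumption: "-" means the format code had no value
        return channel + "ERR", "no value received"
    decoded = unquote(token)  # assumption: values arrive URL-escaped
    if "\n" in decoded:  # looks like a whole header block (assumed %>h layout)
        value = find_header(decoded)
        if value is None:
            return channel + "ERR", "header block lacks " + HEADER
    else:
        value = decoded  # a single field value
    return channel + "OK", "%s=%r" % (HEADER, value)  # %r keeps log lines intact

if __name__ == "__main__":
    concurrent = "--concurrent" in sys.argv[1:]  # hypothetical flag of this example
    for request in sys.stdin:
        reply, note = handle(request, concurrent)
        sys.stderr.write("acl-debug: %s\n" % note)  # helper stderr goes to cache.log
        sys.stdout.write(reply + "\n")
        sys.stdout.flush()  # Squid waits for each reply line
```

Comparing the notes logged for an http:// request, a CONNECT, and a request inside the bumped tunnel shows at which of the three stages the field goes missing.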

