[squid-users] ALPN, HTTP/2 and sslbump
Amos Jeffries
squid3 at treenet.co.nz
Wed Nov 8 04:29:12 UTC 2017
On 08/11/17 17:15, senor wrote:
> I am surprised that I didn't find this question asked and answered
> recently. Maybe this issue is newer than I realize.
>
> I understand that support of HTTPS/2 is in development but I'd like to
> better understand what is and is not currently supported. I discovered
> the other day that an intercepted client https connection, which
> included both h2 and http/1.1 in the ALPN extension, was tunneled when
> the server responded with only h2. I'm assuming that was due to squid
> not fully supporting HTTP/2.
Hmm. If you are using SSL-Bump to bump the traffic the current Squid
should be delivering an ALPN containing only HTTP/1.1 to the server.
Sending h2 in the ALPN is only valid if the proxy supports h2 natively
or intends up front to splice the transaction back to "tunneled".
>
> My initial need is to prevent the tunnel. Preferably by forcing http/1.1
> and bumping, but just denying the connection is second best. I'm not
> aware of any squid built-in mechanisms to manage ALPN or HTTP/2 so I'm
> thinking the external_acl is the only way to go. I think the client ALPN
> data is available at bump step 2 but what options do I have at that point?
>
> Help or corrections to my assumptions are appreciated.
>
Any info about your Squid version, and squid.conf contents - especially
http_access and SSL-Bump related things would be useful. Random guesses
about complex things like TLS are harmful to solving actual problems.
Amos
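For readers following the ALPN point in this thread, here is an added example (not Squid code and not from the posters) that parses the ALPN extension out of a TLS ClientHello and models what a proxy offers upstream in the two SSL-Bump outcomes Amos describes: when bumping, only http/1.1; when splicing, the client's list unchanged. The ClientHello bytes are constructed inline from a minimal record layout (RFC 5246 framing, RFC 7301 extension) so the script runs offline; the `build_client_hello`, `parse_alpn` and `upstream_alpn` names are this example's own.

```python
"""Extract the ALPN list from a TLS ClientHello and model what a bumping
or splicing proxy offers the origin server.  Added example: the ClientHello
is constructed here, not captured from a real client or from Squid."""
import struct

ALPN_EXT = 16  # application_layer_protocol_negotiation (RFC 7301)


def build_client_hello(alpn_protocols):
    """Construct a minimal TLS 1.2 ClientHello record whose only extension is
    ALPN.  This is constructed test input, not real client traffic."""
    alpn_list = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn_protocols)
    alpn_body = struct.pack("!H", len(alpn_list)) + alpn_list
    ext = struct.pack("!HH", ALPN_EXT, len(alpn_body)) + alpn_body
    extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + bytes(32)            # random (all zeros: constructed sample)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"          # one compression method: null
        + extensions
    )
    # Handshake header: type 1 (ClientHello) + 3-byte body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake), version 3.1, 2-byte length.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _parse_alpn_ext(data):
    """Decode the ALPN extension body: 2-byte list length, then
    1-byte-length-prefixed protocol names."""
    list_len = struct.unpack("!H", data[:2])[0]
    protos, pos = [], 2
    while pos < 2 + list_len:
        n = data[pos]
        pos += 1
        if n == 0 or pos + n > len(data):
            raise ValueError("malformed ALPN protocol name")
        protos.append(data[pos:pos + n].decode("ascii"))
        pos += n
    return protos


def parse_alpn(record):
    """Walk record -> handshake -> ClientHello -> extensions and return the
    client's ALPN list (empty if the client sent no ALPN extension)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                     # skip version + random
    sid_len = body[pos]
    pos += 1 + sid_len                               # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                                # skip cipher suites
    cm_len = body[pos]
    pos += 1 + cm_len                                # skip compression methods
    if pos >= len(body):
        return []                                    # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == ALPN_EXT:
            return _parse_alpn_ext(edata)
    return []


def upstream_alpn(client_alpn, mode):
    """Model of what the proxy offers the origin.  'bump': the proxy opens its
    own TLS connection and, as Amos describes for Squid, offers only http/1.1.
    'splice': the client's ClientHello is passed through unchanged."""
    if mode == "splice":
        return list(client_alpn)
    if mode == "bump":
        return ["http/1.1"]
    raise ValueError("mode must be 'bump' or 'splice'")


if __name__ == "__main__":
    hello = build_client_hello(["h2", "http/1.1"])   # constructed sample
    offered = parse_alpn(hello)
    print("client offered:", offered)
    print("upstream when bumping:", upstream_alpn(offered, "bump"))
    print("upstream when splicing:", upstream_alpn(offered, "splice"))
```

The parser is the part worth reusing: point it at a ClientHello captured at bump step 2 and you can log which clients advertise h2, which is the population a bump-everything policy will be downgrading to HTTP/1.1 and a splice policy will be letting through as an opaque tunnel.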