[squid-users] how to avoid use http/1.0 between squid and the target
David Komanek
david.komanek at natur.cuni.cz
Mon Nov 27 16:31:24 UTC 2023
On 11/27/23 11:36, Amos Jeffries wrote:
>
> On 27/11/23 23:05, David Komanek wrote:
>>
>> On 11/27/23 10:40, Amos Jeffries wrote:
>>> On 27/11/23 22:21, David Komanek wrote:
>>>> here are the debug logs (IP addresses redacted) after connection
>>>> attempt to https://samba.org/ :
>>>>
>>> ...
>>>> 2023/11/27 09:58:07.370 kid1| 11,2| Stream.cc(274)
>>>> sendStartOfMessage: HTTP Client REPLY:
>>>> ---------
>>>> HTTP/1.1 400 Bad Request
>>>> Server: squid/6.5
>>>> Mime-Version: 1.0
>>>> Date: Mon, 27 Nov 2023 08:58:07 GMT
>>>> Content-Type: text/html;charset=utf-8
>>>> Content-Length: 3363
>>>> X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0
>>>> Cache-Status: pteryx.natur.cuni.cz
>>>> Via: 1.1 pteryx.natur.cuni.cz (squid/6.5)
>>>> Connection: close
>>>>
>>>> So, it seems it's not true that squid is using http/1.0, but the
>>>> guy on the other side told me so. According to the log, do you
>>>> think I can somehow make it work, or is it definitely a problem on
>>>> the samba.org webserver?
>>>
>>>
>>> That ERR_PROTOCOL_UNKNOWN indicates that your proxy is trying to
>>> SSL-Bump the CONNECT tunnel and not understanding the protocol
>>> inside the TLS layer - which is expected if that protocol is HTTP/2.
>>>
>>>
>>> For now you should be able to use
>>> <http://www.squid-cache.org/Doc/config/on_unsupported_protocol/> to
>>> allow these tunnels. Alternatively use the "splice" action to
>>> explicitly bypass the SSL-Bump process.
>>
>>
>> Thank you for the quick response. So I should add
>>
>> acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN
>> on_unsupported_protocol tunnel foreignProtocol
>>
>> to the squid.conf, right?
>
> By the point the error exists it is too late AFAIK.
>
> I was thinking something like:
> acl foo dstdomain samba.org
> on_unsupported_protocol tunnel foo
>
>
>
>>
>> Still, I don't understand why this case is handled by my browsers
>> (or squid?) differently from usual HTTPS traffic to other sites. I
>> suppose that plenty of sites accept HTTP/2 nowadays. A huge
>> lack of knowledge on my side :-)
>
> I'm not clear exactly why you see this only now, and only with
> samba.org. Squid not supporting HTTP/2 yet is a big part of the
> problem though.
>
>
> Cheers
> Amos
Hello,
I managed to google some options for curl that are useful in this context, and it
is quite interesting:

working: curl -vvvv --http2 -x cache.my.domain:3128 https://www.samba.org/
working: curl -vvvv --http1.1 -x cache.my.domain:3128 https://www.samba.org/
rejected by samba.org: curl -vvvv --http1.0 -x cache.my.domain:3128 https://www.samba.org/

The last one returns a simple html page with code 403:

<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>

not working: chrome, firefox via proxy
chrome returns "ERR_CONNECTION_CLOSED"
firefox returns "PR_END_OF_FILE_ERROR"

So it seems to me that squid doesn't like something about the
heavy-duty browsers in this case. Even if I disable http/2 in firefox,
it makes no difference for me. I'm really confused.
Best regards,
David
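To put Amos's two suggestions side by side in one place, here is an added squid.conf fragment that is not from the thread or from the Squid project; it assumes an ssl-bump enabled https_port and signing CA are already configured, and the domain list and acl names are constructed for illustration.

```conf
# Added example (not from the thread): exempt sites that speak HTTP/2
# inside TLS from SSL-Bump, so Squid never has to parse a protocol it
# does not support (which is what produces ERR_PROTOCOL_UNKNOWN / 400).
# Assumes https_port ... ssl-bump ... and a signing CA are already set up.

# Constructed list of destinations to leave as opaque tunnels.
acl h2_sites dstdomain .samba.org

# SslBump step 1 = the CONNECT request, before any TLS is peeked at.
acl step1 at_step SslBump1

# ssl_bump rules are first-match. Splicing h2_sites first means the
# CONNECT target is matched while still at step 1, and the TLS session
# between browser and origin passes through untouched (no decryption,
# so no HTTP/2 parsing attempt inside the tunnel).
ssl_bump splice h2_sites
ssl_bump peek step1
ssl_bump bump all

# Belt-and-braces: if Squid does meet a protocol it cannot parse on one
# of these destinations, turn the connection into a blind tunnel instead
# of answering with a 400 error page. Matches the dstdomain acl, as
# suggested in the thread, rather than a squid_error acl.
on_unsupported_protocol tunnel h2_sites
```

After a reload, a tunnelled CONNECT to a spliced domain should appear in access.log with a TCP_TUNNEL tag rather than a 400 status, which is a quick way to confirm the rule matched.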