[squid-users] ssl-bump peek and select pinned destination failed

linfengfeiye linfengfeiye at qq.com
Wed Sep 20 08:17:33 UTC 2023


Hi, what does "PeerSelector186 found pinned, destination" that appears in the Squid log mean?


The log is as follows:
####################################
2023/09/20 15:49:57.086 kid1| 28,3| Checklist.cc(62) markFinished: 0x30798c8 answer ALLOWED for match
2023/09/20 15:49:57.086 kid1| 28,3| Checklist.cc(162) checkCallback: ACLChecklist::checkCallback: 0x30798c8 answer=ALLOWED
2023/09/20 15:49:57.086 kid1| 44,3| peer_select.cc(373) checkAlwaysDirectDone: ALLOWED
2023/09/20 15:49:57.086 kid1| 44,3| peer_select.cc(379) checkAlwaysDirectDone: direct = DIRECT_YES (always_direct allow)
2023/09/20 15:49:57.086 kid1| 44,7| peer_select.cc(1153) interestedInitiator: PeerSelector186
2023/09/20 15:49:57.086 kid1| 44,3| peer_select.cc(612) selectMore: GET my.local.web
2023/09/20 15:49:57.086 kid1| 44,3| peer_select.cc(1102) addSelection: adding PINNED#my.local.web
2023/09/20 15:49:57.086 kid1| 44,3| peer_select.cc(1102) addSelection: adding HIER_DIRECT#my.local.web
2023/09/20 15:49:57.086 kid1| 44,7| peer_select.cc(1153) interestedInitiator: PeerSelector186
2023/09/20 15:49:57.086 kid1| 24,7| SBuf.cc(202) append: from c-string to id SBuf79918
2023/09/20 15:49:57.086 kid1| 24,7| SBuf.cc(160) rawSpace: reserving 71 for SBuf79918
2023/09/20 15:49:57.086 kid1| 24,7| SBuf.cc(859) reAlloc: SBuf79918 new store capacity: 128
2023/09/20 15:49:57.086 kid1| 44,2| peer_select.cc(1176) handlePath: PeerSelector186 found pinned, destination #1 for https://my.local.web

#########################################################################################


The destination address https://my.local.web in this log is returned by URL-Rewrite, rewrite-url=https://my.local.web, which is a local web service of mine. But it failed directly after peer_select. I think this should be related to ssl-bump. My decryption configuration is roughly as follows.


The strange thing is that as long as I comment these two lines,


#acl step1 at_step SslBump1
#ssl_bump peek step1 all


the pinned destination disappears and the access is successful. Why?


I think this might be a squid bug?





## The ssl-bump config follows ################


http_port 3126 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on options=NO_SSLv3 tls-min-version=1.2 dynamic_cert_mem_cache_size=4MB tls-cert=/os/usr/local/proxy/etc/cert.pem

http_port 3128 ssl-bump generate-host-certificates=on options=NO_SSLv3 tls-min-version=1.2 dynamic_cert_mem_cache_size=4MB tls-cert=/usr/local/proxy/etc/cert.pem
acl step1 at_step SslBump1
sslcrtd_program /os/usr/local/proxy/libexec/security_file_certgen -s /usr/local/proxy/var/lib/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump peek step1 all
ssl_bump splice white_list
ssl_bump bump bump_domain
ssl_bump bump all
http_access allow all
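
An added example, not part of the original post and not Squid project code: a small parser for the cache.log debug lines quoted above that lists the peer-selection candidates in the order they were added and the destination each `PeerSelector` reported. The function name and the regular expressions are assumptions derived only from the line layout visible in the post.

```python
import re

# Layout of the cache.log debug lines quoted in the post:
#   date time kidN| section,level| file(line) function: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) (?P<kid>kid\d+)\| "
    r"(?P<section>\d+),(?P<level>\d+)\| "
    r"(?P<file>[\w.]+)\((?P<line>\d+)\) (?P<func>\w+): (?P<msg>.*)$"
)
ADD_RE = re.compile(r"^adding (?P<kind>\w+)#(?P<host>\S+)$")
FOUND_RE = re.compile(
    r"^(?P<selector>PeerSelector\d+) found (?P<kind>\w+), "
    r"destination #(?P<index>\d+) for (?P<url>\S+)$"
)

# Lines copied from the log in the post (four peer_select.cc, one SBuf.cc).
SAMPLE_LOG = """\
2023/09/20 15:49:57.086 kid1| 44,3| peer_select.cc(612) selectMore: GET my.local.web
2023/09/20 15:49:57.086 kid1| 44,3| peer_select.cc(1102) addSelection: adding PINNED#my.local.web
2023/09/20 15:49:57.086 kid1| 44,3| peer_select.cc(1102) addSelection: adding HIER_DIRECT#my.local.web
2023/09/20 15:49:57.086 kid1| 24,7| SBuf.cc(202) append: from c-string to id SBuf79918
2023/09/20 15:49:57.086 kid1| 44,2| peer_select.cc(1176) handlePath: PeerSelector186 found pinned, destination #1 for https://my.local.web
"""

def peer_selection_trace(log_text, section="44"):
    """Return (candidates, found) for one debug section.

    section defaults to 44, the number on the peer_select.cc lines in the post.
    candidates: (kind, host) tuples in the order addSelection logged them.
    found: (selector, kind, index, url) tuples from handlePath lines.
    """
    candidates, found = [], []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None or m["section"] != section:
            continue  # not a debug line, or a different debug section
        if m["func"] == "addSelection":
            add = ADD_RE.match(m["msg"])
            if add:
                candidates.append((add["kind"], add["host"]))
        elif m["func"] == "handlePath":
            hit = FOUND_RE.match(m["msg"])
            if hit:
                found.append((hit["selector"], hit["kind"],
                              int(hit["index"]), hit["url"]))
    return candidates, found

if __name__ == "__main__":
    print(peer_selection_trace(SAMPLE_LOG))
```

Running the same function over logs captured with and without the two `step1` lines shows whether the `PINNED` candidate is added at all in each case.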