[squid-users] Chrome auto-HTTPS-upgrade - not falling to http
David Komanek
david.komanek at natur.cuni.cz
Thu Apr 4 07:01:42 UTC 2024
> Date: Wed, 3 Apr 2024 11:05:02 -0400
> From: Alex Rousskov<rousskov at measurement-factory.com>
> To:squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Chrome auto-HTTPS-upgrade - not falling to
> http
> Message-ID:
> <e8845677-fe34-439a-9bfe-4a0b2aa3461a at measurement-factory.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 2024-04-03 02:14, Lou?ansk? Luk?? wrote:
>
>> this has recently started me up more then let it go. For a while
>> chrome is upgrading in-page links to https.
> Just to add two more pieces of related information to this thread:
>
> Some Squid admins report that their v6-based code does not suffer from
> this issue while their v5-based code does. I have not verified those
> reports, but there may be more to the story here. What Squid version are
> _you_ using?
>
> One way to track progress with this annoying and complex issue is to
> follow the following pull request. The current code cannot be officially
> merged as is, and I would not recommend using it in production (because
> of low-level bugs that will probably crash Squid in some cases), but
> testing it in the lab and providing feedback to authors may be useful:
>
> https://github.com/squid-cache/squid/pull/1668
>
> HTH,
>
> Alex.
>
>
>
Hello,
fortunately, I do not observe this problem accessing sites running only
on port 80 (no 443 at all), but my configuration is simple:
squid 6.6 as FreeBSD binary package
not much about ssl in the config file though, just passing it through,
no ssl juggling
acl SSL_ports port
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow ....
http_access allow ....
http_access allow ....
http_access allow ....
http_access allow ....
http_access deny all
I don't think it was different with squid 5.9, which I used till
November 2023.
Occasionally, I see another problem, which may or may not be related to
squid ssl handling configuration: PR_END_OF_FILE_ERROR (Firefox) /
ERR_CONNECTION_CLOSED (Chrome), typically accessing samba.org. But they
use permanent redirect from http to https, so it another situation than
http-only site.
David
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20240404/288c2b56/attachment.htm>
More information about the squid-users
mailing list