Forwarding the subject to the squid development list. ---- Eliezer Croitoru Linux System Administrator Mobile: +972-5-28704261 Email: [email protected]
-----Original Message----- From: squid-users [mailto:[email protected]] On Behalf Of Craig Gowing Sent: Tuesday, February 14, 2017 12:52 PM To: [email protected] Subject: Re: [squid-users] Reverse proxy for HTTPS cloudfront server From what I can tell the SNI is not added for cache peers. In Ssl::PeerConnector::initializeSsl if "peer" is set then the call to Ssl::setClientSNI is skipped. Also the SSL context doesn't have the hostname or a callback set, and sslCreateClientContext doesn't appear to be able to set it either. I've tested with a quick patch which appears to the fix the issue: (however I feel it should take into account the forcedomain option as well) diff --git a/src/ssl/PeerConnector.cc b/src/ssl/PeerConnector.cc index f5d4c81..178c685 100644 --- a/src/ssl/PeerConnector.cc +++ b/src/ssl/PeerConnector.cc @@ -133,6 +133,7 @@ Ssl::PeerConnector::initializeSsl() if (peer) { SBuf *host = new SBuf(peer->ssldomain ? peer->ssldomain : peer->host); SSL_set_ex_data(ssl, ssl_ex_index_server, host); + Ssl::setClientSNI(ssl, host->c_str()); if (peer->sslSession) SSL_set_session(ssl, peer->sslSession); -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Reverse-proxy-for-HTTPS-cloudfront-server-tp4681533p4681542.html Sent from the Squid - Users mailing list archive at Nabble.com. _______________________________________________ squid-users mailing list [email protected] http://lists.squid-cache.org/listinfo/squid-users _______________________________________________ squid-dev mailing list [email protected] http://lists.squid-cache.org/listinfo/squid-dev
