If there are no objections, I will apply this patch to the squid-5 branch.


On 31/03/2017 04:21 PM, Christos Tsantilas wrote:
Hi all,

Squid does not send CONNECT request to adaptation services if the
"ssl_bump splice" rule matched at step 2. This adaptation is important
because the CONNECT request gains SNI information during the second
SslBump step. This is a regression bug, possibly caused by the Squid bug
4529 fix (trunk commits r14913 and r14914).

Notes
=====

Transparent interception vs normal proxy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  For transparent CONNECT requests, the second request sent to the
adaptation service (and url-rewriter etc), uses the SNI name as hostname
in request url and Host header. This is not true for normal CONNECT
requests.

However the user still is able to gain SNI information using
adaptation_meta. For example the following configuration line:

    adaptation_meta X-SNI-Info "%ssl::>sni" all

Will send the SNI info using the X-SNI-Info header to the ICAP service.


Avoid sending second CONNECT request to adaptation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The users may not want to send the second request to the adaptation
services. In this case they can use acls as follows:

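    # Name the first two SslBump steps.
    acl step1 at_step  SslBump1
    acl step2 at_step  SslBump2
    # Always matches; annotates the client connection when evaluated.
    acl markSpliced annotate_client spliced=true

    ssl_bump peek step1
    ssl_bump splice step2 markSpliced

    # Matches transactions carrying the annotation set above.
    acl markedSpliced note spliced true

    adaptation_access class_reqmodifing deny markedSpliced
    adaptation_access class_reqmodifing allow all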




This is a Measurement Factory project.




_______________________________________________
squid-dev mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-dev



--
Tsantilas Christos
Network and Systems Engineer
email:[email protected]
  web:http://www.chtsanti.net
Phone:+30 6977678842
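
As an added illustration (not part of the original message or of Squid's code): a sketch of how an ICAP service could read the SNI that the `adaptation_meta X-SNI-Info` line above attaches to the REQMOD request for a normal-proxy CONNECT, where the request URL itself does not carry the SNI name. The sample message, addresses and function names are constructed for this example, and treating a missing or "-" value as "no SNI" is an assumption.

```python
# Added example; SAMPLE is a constructed ICAP REQMOD message, not captured traffic.
HTTP_HEAD = b"CONNECT 192.0.2.10:443 HTTP/1.1\r\nHost: 192.0.2.10:443\r\n\r\n"
SAMPLE = (
    b"REQMOD icap://127.0.0.1:1344/reqmod ICAP/1.0\r\n"
    b"Host: 127.0.0.1:1344\r\n"
    b"X-SNI-Info: www.example.com\r\n"
    b"Encapsulated: req-hdr=0, null-body=" + str(len(HTTP_HEAD)).encode()
    + b"\r\n\r\n" + HTTP_HEAD
)


def parse_icap_reqmod(raw: bytes) -> dict:
    """Return the encapsulated request method/target and the SNI meta header."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("truncated ICAP header")
    lines = head.decode("latin-1").split("\r\n")
    method, _uri, version = lines[0].split(" ", 2)
    if method != "REQMOD" or version != "ICAP/1.0":
        raise ValueError("not an ICAP/1.0 REQMOD request")
    # ICAP header names are case-insensitive.
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Encapsulated lists byte offsets of each section after the ICAP header.
    offsets = {}
    for part in headers.get("encapsulated", "").split(","):
        key, _, value = part.strip().partition("=")
        if key:
            offsets[key] = int(value)
    if "req-hdr" not in offsets:
        raise ValueError("no encapsulated HTTP request header")
    start = offsets["req-hdr"]
    later = [v for v in offsets.values() if v > start]
    http_head = body[start:min(later) if later else len(body)]
    request_line = http_head.split(b"\r\n", 1)[0].decode("latin-1")
    http_method, target, _ = request_line.split(" ", 2)
    sni = headers.get("x-sni-info")
    # Assumption: a missing header or a "-" value means no SNI was available.
    return {"method": http_method, "target": target,
            "sni": None if sni in (None, "", "-") else sni}


def effective_host(info: dict) -> str:
    """Prefer the SNI name; fall back to the host part of the CONNECT target."""
    return info["sni"] or info["target"].rsplit(":", 1)[0]
```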