On 2025-05-27 10:37, Yves MARTIN wrote:
> My team expects to transparently rewrite requests through squid,
> replacing original URL/hostname by another target URL/host.
>
> Main objective is to redirect original HTTPS requests triggered by
> “docker pull alpine” to a local mirrored registry without obvious
> information in user client that the obtained image comes from mirror:
> original image location is preserved, no specific proxy or mirror
> configuration in docker client/daemon to set.
>
> To do so, we have used squid-urlrewrite and it works well for HTTP
> requests, even if rewrite targets HTTPS URL.
>
> But when original request is HTTPS, connection still goes to original
> URL/hostname IP address
> https://github.com/rchunping/squid-urlrewrite/issues/3
>
> According to debug logs, the original request hostname is resolved to IP
> early and kept in internal context after squid-urlrewrite is invoked.

In most cases, when bumping connections from a TLS client to Squid and
from Squid to TLS server, Squid "pins" (i.e. remembers) the
Squid-to-server connection and then (re)uses that pinned connection for
all requests received on the client-to-Squid connection.

I have not checked, but speculate that rewriting request target does not
trigger opening a new Squid-to-server TLS connection and re-pinning.

IIRC, a Squid that is configured to bump during SslBump step1 does not
pin. Such a configuration is rarely usable on a modern internet, but YMMV.

HTH,

Alex.
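
The two SslBump arrangements contrasted in the reply above, as an added squid.conf sketch that is not from the thread or from the Squid project. The port, certificate path and helper path are placeholders, and the pinning behaviour noted in the comments is the reply's description, not something verified here.

```conf
# Added illustration. All paths and the port are placeholders (assumptions).
http_port 3128 ssl-bump tls-cert=/etc/squid/bump-ca.pem generate-host-certificates=on

# URL rewrite helper, as used in the question (placeholder install path).
url_rewrite_program /usr/local/bin/squid-urlrewrite

acl step1 at_step SslBump1

# Variant A: peek at the TLS client hello during step1, bump afterwards.
# Per the reply, a bumping Squid normally pins the Squid-to-server
# connection and reuses it for every request arriving on the same
# client-to-Squid connection, so a target rewritten later by the helper
# may still be sent over the connection to the original server.
ssl_bump peek step1
ssl_bump bump all

# Variant B: bump during step1 (use instead of the two rules above).
# Per the reply (stated from memory), Squid does not pin in this mode;
# the reply also notes such a setup is rarely usable on a modern internet.
# ssl_bump bump all
```

Comparing cache.log debug output under both variants shows whether the Squid-to-server connection is opened before or after the rewrite helper returns.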