Re: does http_port sssl-bump work require-proxy-header?

Yuhua Wu <ywu@xxxxxxxxxxxx> · Tue, 14 Apr 2015 15:14:21 -0700

I found out what is wrong, but I am not familar to squid code, so I post here to see if someone can show me the next step:

The problem is at this part of code:
void
ClientHttpRequest::sslBumpStart()
{
    debugs(85, 5, HERE << "Confirming " << Ssl::bumpMode(sslBumpNeed_) <<
           "-bumped CONNECT tunnel on FD " << getConn()->clientConnection);
    getConn()->sslBumpMode = sslBumpNeed_;

    AsyncCall::Pointer bumpCall = commCbCall(85, 5, "ClientSocketContext::sslBumpEstablish",
                                  CommIoCbPtrFun(&SslBumpEstablish, this));

    if (request->flags.interceptTproxy || request->flags.intercepted) {
        CommIoCbParams &params = GetCommParams<CommIoCbParams>(bumpCall);
        params.flag = Comm::OK;
        params.conn = getConn()->clientConnection;
        ScheduleCallHere(bumpCall);
        return;
    }

    // send an HTTP 200 response to kick client SSL negotiation
    // TODO: Unify with tunnel.cc and add a Server(?) header
    static const char *const conn_established = "HTTP/1.1 200 Connection established\r\n\r\n";
    Comm::Write(getConn()->clientConnection, conn_established, strlen(conn_established), bumpCall, NULL);
}

if require-proxy-header is not used, then request->flags.interceptTproxy is 0, and when requir-proxy-header is used, the
request->flags.interceptTproxy is 1!

since request->flags.interceptTproxy is 1, the 200 status code for CONNECT call is not sent. (The last part of code sending 200 status code is skipped.)

Any kind help?

Alex

On Tue, Apr 14, 2015 at 10:05 AM, Yuhua Wu <ywu@xxxxxxxxxxxx> wrote:
I think, in the sslbump mode, if PROXY protocol is enabled, client cannot set up the SSL tunnel with squid after CONNECT call succeeds. I remember that HAProxy will send PROXY protocol line during ssl negotiation. If squid does not parse the PROXY protocol header during SSL negotiation, this will cause the problem.

Alex

On Mon, Apr 13, 2015 at 7:56 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 14/04/2015 4:47 a.m., Yuhua Wu wrote:

> For example, is this configuration supported?

>

> http_port 3129 require-proxy-header ssl-bump ……

>

> By the way, we added acl rules:

>

> acl frontend src 10.0.0.0/8

> proxy_protocol_access allow frontend

>

> Alex

>

Yes that should work.

<http://www.squid-cache.org/Versions/v3/3.5/RELEASENOTES.html#ss2.7>

Your above config example decrypts the traffic through the following layers:

  HTTPS over HTTP/1.x over PROXY/TCP ...

As you can see the PROXY and HTTPS layers are separate protocols that

dont interact.

Amos

_______________________________________________

squid-users mailing list

squid-users@xxxxxxxxxxxxxxxxxxxxx

http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users