
Re: grab hostnames via SNI to use it for parent proxy

On 2015-06-05 00:22, Amos Jeffries wrote:

You can block by SNI in the ssl_bump checks without having bumped the
connection.

Like so:

 # get the public TLS metadata (includes SNI)
 ssl_bump peek all

 # block based on SNI matching (or server cert matching)
 acl blocked ssl::server_name .example.com
 ssl_bump terminate blocked

 # tunnel (no decrypting) for everything else
 ssl_bump splice all


Note that you do have to allow the "CONNECT raw-IP:443 ..." requests
through http_access to the bumping logics.


That's nice. Thanks for that.

It would be nice if I could handle the blocklist on privoxy centrally (my users want to disable the blocks occasionally and can do that through a privoxy web interface). I tried to find out when squid is sending "CONNECT IP:PORT" to the parent proxy, in the hope of manipulating it into "CONNECT HOSTNAME:PORT". I found it in tunnel.cc:1052 (mb.Printf("CONNECT %s HTTP/1.1\r\n", tunnelState->url);). After some investigating with gdb, I found the SNI hostname in this context in tunnelState->http->getConn()->serverBump()->clientSni.c_str(). Currently I'm testing with this patch:

--- src/tunnel.cc   2015-05-01 13:27:20.000000000 +0200
+++ src/tunnel.cc   2015-06-07 14:10:37.098895939 +0200
@@ -1049,7 +1049,13 @@
     flags.proxying = tunnelState->request->flags.proxying;
     MemBuf mb;
     mb.init();
-    mb.Printf("CONNECT %s HTTP/1.1\r\n", tunnelState->url);
+    //use SNI hostname if it exists
+ if (strlen(tunnelState->http->getConn()->serverBump()->clientSni.c_str()) > 1) { + mb.Printf("CONNECT %s:%hu HTTP/1.1\r\n", tunnelState->http->getConn()->serverBump()->clientSni.c_str(), tunnelState->request->port);
+    } else {
+        mb.Printf("CONNECT %s HTTP/1.1\r\n", tunnelState->url);
+    }
+
HttpStateData::httpBuildRequestHeader(tunnelState->request.getRaw(), NULL, /* StoreEntry */ tunnelState->al, /* AccessLogEntry */
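Review bot: the new branch dereferences tunnelState->http->getConn()->serverBump() with no NULL check; a CONNECT that did not go through the ssl_bump peek step (or that arrives without a client connection object) has no server-bump state, so this crashes Squid instead of falling back to the old "CONNECT %s" line. Guard each of http, getConn() and serverBump() before reading clientSni, and test for a non-empty name with the string's own length/empty check instead of strlen(...) > 1, which also silently skips a one-character SNI. The "if" and its mb.Printf() also need to be on separate lines with the surrounding four-space indent.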

This works quite well, but when privoxy blocks a "CONNECT" request, squid doesn't understand it and the client connection is kept open until the client times out:

HttpMsg.cc(176) parse: HttpMsg::parse success (275 bytes) near 'HTTP/1.1 403 Request blocked by Privoxy'
tunnel.cc(459) logicError: local=xxx:42093 remote=xxx:8118 FD 17 flags=1 closing on error: unsupported CONNECT response status code

A look in tunnel.cc reveals that it only accepts HTTP 200. That's ok, but it would be nice to disconnect both client and parent proxy to avoid timeouts. Do you have an idea how to disconnect the client immediately after non-HTTP-200 responses?

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




