With 3.5.6 code, we found one thing is broken.
We used pyredir to rewrite requests to a surrogate server with an SSL-enabled connection. We also enabled this in squid.conf:

url_rewrite_host_header on

We expect a request to www.foo.com to be changed to www.foo-internal.com. squid sends the request with the host header rewritten by pyredir as www.foo-internal.com, but it fails to connect to the server with SSL enabled due to SNI hostname selection (it is under SSLBUMP). We made this change to get it to work:

--- a/squid-3.5.6/src/ssl/PeerConnector.cc +++ b/squid-3.5.6/src/ssl/PeerConnector.cc @@ -191,8 +194,10 @@ Ssl::PeerConnector::initializeSsl() // Use SNI TLS extension only when we connect directly // to the origin server and we know the server host name. - const char *sniServer = hostName ? hostName->c_str() : - (!request->GetHostIsNumeric() ? request->GetHost() : NULL); + const char *sniServer = hostName->c_str(); + if ( request->flags.redirected && ::Config.onoff.redir_rewrites_host) { + sniServer = !request->GetHostIsNumeric() ? request->GetHost() : NULL; + } if (sniServer) { debugs(83, 5, "SNIserve " << sniServer); Ssl::setClientSNI(ssl, sniServer);

Is this correct?

Alex
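Review bot: the added line `const char *sniServer = hostName->c_str();` drops the null check that the removed line carried (`hostName ? hostName->c_str() : ...`), so a request that reaches initializeSsl() with hostName unset now dereferences a null pointer instead of falling back to the request host as before. Keep the guard and layer the redirect case on top of it, e.g. `const char *sniServer = hostName ? hostName->c_str() : NULL;` followed by the `if (request->flags.redirected && ::Config.onoff.redir_rewrites_host)` override, and drop the stray space after `if (` to match the surrounding style. The override also takes the SNI name from the rewritten request rather than from hostName, while the comment above says SNI is only meant for direct origin connections where the server host name is known; the submission should state why a redirected request with redir_rewrites_host on is safe to treat that way, so a reviewer can confirm the intent rather than infer it from the hunk.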
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users