On 07/20/2015 11:28 AM, Alex Wu wrote:
> With 3.5.6 code, we found one thing is broken.
>
> We used pyredir to rewrite request to a surrogated server enabled SSL
> connection.
>
> Also, we enable this in squid.conf:
>
> url_rewrite_host_header on
>
> We expect a request to www.foo.com is changed to www.foo-internal.com.
>
> squid sends the request with the host header rewritten by pyredir as
> www.foo-internal.com, but it fails connecting to the server with SSL
> enabled due to SNI hostname selection (it is under SSLBUMP). We did this
> change to get it to work:
>
> --- a/squid-3.5.6/src/ssl/PeerConnector.cc
> +++ b/squid-3.5.6/src/ssl/PeerConnector.cc
> @@ -191,8 +194,10 @@ Ssl::PeerConnector::initializeSsl()
>
> // Use SNI TLS extension only when we connect directly
> // to the origin server and we know the server host name.
> - const char *sniServer = hostName ? hostName->c_str() :
> - (!request->GetHostIsNumeric() ?
> request->GetHost() : NULL);
> + const char *sniServer = hostName->c_str();
> + if ( request->flags.redirected &&
> ::Config.onoff.redir_rewrites_host) {
> + sniServer = !request->GetHostIsNumeric() ?
> request->GetHost() : NULL;
> + }
> if (sniServer) {
> debugs(83, 5, "SNIserve " << sniServer);
> Ssl::setClientSNI(ssl, sniServer);
>
>
> Is this correct?

Not quite: Your code is unconditionally dereferencing hostName which might be NULL. You also seem to disable the request->GetHost() path for cases where flags.redirected && redir_rewrites_host is false.

However, I am not an expert on rewrite request APIs... You may want to move this to squid-dev or Bugzilla.

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
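Review bot: the added line `const char *sniServer = hostName->c_str();` in Ssl::PeerConnector::initializeSsl() drops the null check that the removed `hostName ? hostName->c_str() : ...` expression carried, so a null hostName is dereferenced before the new `if` is ever reached. Keep the removed conditional expression as the initial value of sniServer and let the `request->flags.redirected && ::Config.onoff.redir_rewrites_host` branch only override it; that also keeps the request->GetHost() fallback for requests that were not rewritten, which this version loses. The context comment above the assignment still says SNI is used only when connecting directly to the origin server with a known host name, so the new branch should get a comment saying why the rewritten Host value takes precedence over hostName when choosing the SNI name.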