On 11/15/2015 01:00 PM, Yuri Voinov wrote:
> 16.11.15 1:39, Alex Rousskov wrote:
>> Squid currently supports two kinds of CONNECT tunnels:
>>
>> 1. A regular opaque tunnel, as intended by HTTP specifications.
>> 2. An inspected tunnel containing SSL/TLS-encrypted HTTP traffic.
>>
>> Opaque tunnels are the default. Optional SslBump-related features allow
>> the admin to designate admin-selected CONNECT tunnels for HTTPS
>> inspections (of various depth). This distinction explains why and when
>> Squid expects "HTTPS inside".
>>
>> There is currently no decent support for inspecting CONNECT tunnels
>> other than SSL/TLS-encrypted HTTP (i.e., HTTPS) tunnels.
>>
>> Splicing a tunnel at SslBump step1 converts a to-be-inspected tunnel
>> into an opaque tunnel before inspection starts.
>>
>> The recently added on_unsupported_protocol directive can automatically
>> convert being-inspected non-HTTPS tunnels into opaque ones in some
>> common cases, but it needs more work to cover more cases.
>>
>> AFAICT, you assume that "splicing" turns off all tunnel inspection. This
>> is correct for step1 (as I mentioned above). This is not correct for
>> other steps because they happen after some inspection already took
>> place. Inspection errors that on_unsupported_protocol cannot yet handle
>> may result in connection termination and other problems.
>>
>> If Squid behavior contradicts some of the above rules, it is probably a
>> bug we should fix. Otherwise, it is likely to be a missing feature.
>>
>> Finally, if Squid kills your ICQ (non-HTTPS) client tunnels, you need to
>> figure out whether those connections are inspected (i.e., go beyond
>> SslBump step1). If they are inspected, then this is not a Squid bug but
>> a misconfiguration (unless the ACL code itself is buggy!). If they are
>> not inspected, then it is probably a Squid bug. I do not have enough
>> information to distinguish between those cases, but I hope that others
>> on the mailing list can guide you towards a resolution given the above
>> information.

> I do not think it's killing them. It looks like an outgoing connection
> goes to the server, and then silence - the reaction in the log is not
> there. Client hangs waiting for a response from server.

Same difference. "Killing" == "breaking" == "preventing from working
correctly" in this context.

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
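
The step1 distinction described in this message, as an added squid.conf sketch that is not part of the original thread or anyone's actual configuration. The ACL names and the `.chat.example.net` destination are constructed placeholders, and the final bump-or-splice choice is an assumed policy.

```conf
# Added illustration; ACL names and the destination are placeholders.

# Matches only while Squid is at SslBump step1, i.e. when it has the
# CONNECT request (or TCP-level info) but has read nothing from inside
# the tunnel yet.
acl step1 at_step SslBump1

# Destinations used by the non-HTTPS client (constructed placeholder).
acl nonhttps_dst dstdomain .chat.example.net

# ssl_bump rules are checked in order at every step; first match wins.

# Spliced at step1: the tunnel becomes opaque before any inspection
# starts, so Squid never expects "HTTPS inside" for these destinations.
ssl_bump splice step1 nonhttps_dst

# Everything else: peek at step1. From here on the tunnel is being
# inspected, and a later splice no longer means "never inspected".
ssl_bump peek step1

# Decision for step2 and later (assumed policy; "splice all" is the
# non-decrypting alternative). Either way, the client's first bytes
# have already been parsed as a TLS handshake by this point.
ssl_bump bump all

# Fallback for tunnels that were selected for inspection but turn out
# not to carry TLS: convert them to opaque tunnels where Squid can.
# As the message notes, this does not yet cover every case, so the
# step1 splice above remains the reliable exemption.
on_unsupported_protocol tunnel all
```

If a non-HTTPS client still stalls with rules like these in place, the first thing to establish is whether its CONNECT requests match the step1 splice rule or fall through to the peek rule.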