Search squid archive

Re: cache_peer directive with SNI

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Yes, you are right. I ran into the same problem as you did, and now I remember how I got it to work. I manually patched the version of squid I was using to send SNI. Let me if you are interested in going that route.  If I remember right, it was just a 1 to 3 line-patch.

On Thu, Jun 23, 2016 at 5:31 AM, Kristopher Lalletti <kristopher@xxxxxxxxxxx> wrote:

Tried both and individually; nothing doing.

 

I keep getting from Squid a TCP_MISS/503 to which the client page states:

 

(54) Connection reset by peer (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Handshake with SSL server failed: [No Error]

 

I’m currently using:

Squid Cache version 3.5.19

 

I just tried substituting the service-name (service.foo.com) in my /etc/hosts, and define cache_peer to connect to service.foo.com, and even that doesn’t work.  It appears that the cache_peer directive, when SSL is enabled does not transmit SNI.

 

I did however, manage to get it working to some degree using ssl_bump (http://wiki.squid-cache.org/Features/SslPeekAndSplice) using peek, however, I’m also doing URI filtering with squid, and this defeats the purpose to URI filtering as it only checks the requested SNI header from the end-user, and transposes the connection to the cache_peer.

 

So I’m thinking that the absence of SNI on cache_peer is a ‘bug’ or a ‘missing feature’, which I’m guessing my next viable option is to see if I can bridge the SNI gap with something like STUNNEL.

 

Anyone else have any thoughts?

 

From: Hector Chan [mailto:hectorchan@xxxxxxxxx]
Sent: June 22, 2016 1:09 AM
To: Kristopher Lalletti <kristopher@xxxxxxxxxxx>
Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: cache_peer directive with SNI

 

Have you looked at the options forceddomain and ssldomain under the cache_peer directive?  Those may be just what you need.

 

On Tue, Jun 21, 2016 at 8:14 PM, Kristopher Lalletti <kristopher@xxxxxxxxxxx> wrote:

Hi All,

I'm replacing an Apache setup as a reverse-proxy with Squid v3.5, and I've hit a small snag.

Basically, I need to tell squid to pass the proper SSL SNI name to the backend webserver which is accessed via SSL, and naturally, the SSL SNI service-name (service.foo.com) is not the server-hostname (webserver1.foo.com), because I've got 3 servers providing for that service-name.

Valid Request to my backend server:
curl --verbose --resolve service.foo.com:10.10.10.10 https://service.foo.com/

Bad requests to my backend server:
curl --verbose --header 'Host: service.foo.com' https://webserver1.foo.com/
curl --verbose https://webserver1.foo.com/
curl --verbose https://10.10.10.10/

I've looked at the configuration that was generated for the cached_peer, and it came to this:

cache_peer webserver1.foo.com parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_webserver1

Unfortunately, cached_peer doesn't seem to have any directives about this, which leads me to believe there may be a magic SSL Squid ACL that would tell the cache_peer to transpose the requested hostname as part of the SSL SNI hello message, or something like this...

Any advice/orientation to approach the problem would be much appreciated.

Cheers
Kris
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

 


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux