07.07.2016 19:59, Marcus Kool wrote:
>
>
> On 07/07/2016 10:49 AM, Yuri wrote:
>
>>>>>>>> A similar question can be asked about SNI names containing unusual
>>>>>>>> characters. At some point, it would be too dangerous to include SNI
>>>>>>>> information in the fake CONNECT request because it will interfere with
>>>>>>>> HTTP rules, but it is not clear where that point is exactly.
>>>>>>>
>>>>>>> To support the weirdest apps Squid might have to simply copy all
>>>>>>> unusual characters to present the same parameter values to the server.
>>>>>>
>>>>>> It is being mapped into the HTTP equivalent value, which is the Host:
>>>>>> header and authority-URI. Only valid FQDN names can make it through the
>>>>>> mapping.
>>>>>
>>>>> Here things get complicated.
>>>>> Is it correct that Squid forces apps to follow standards, or
>>>>> should Squid try to proxy connections for apps when it can?
>>>>
>>>> Squid isn't enforcing standards here. As Steve's original message says, it
>>>> "generates a "CONNECT *.example.com:443" request based on the peeked SNI"
>>>> - which is arguably invalid HTTP syntax, but oh well.
>>>>
>>>> It then is unable to do a DNS lookup for *.example.com to find out what
>>>> its IPs are and does the error handling action for a failure to verify
>>>> on a CONNECT message.
>>>
>>> Yes, the fake CONNECT is dealt with like a regular CONNECT, including
>>> the DNS lookup. I fear that other apps (besides the one iOS app that Steve
>>> refers to) will break because Squid may connect to a different IP than
>>> the client/app is requesting.
>>> If Squid uses the original IP to connect without doing a DNS lookup,
>>> Steve's app will work and potential issues with other apps are
>>> prevented.
>
>> Interesting, Marcus. Does this mean that the CDN may use different IP
>> connections at different points in time, and that this makes it impossible
>> for clients to connect through Squid?
>
> It all depends on the app/client: if it uses a servername/SNI that
> resolves to multiple IP addresses but needs to connect to the one
> that it specifically wants to CONNECT to, the app can fail since
> Squid might choose another IP address to connect to.
>
> Or, apps might become slow since it might be faster when it reconnects
> to the same server that it connected to before.
> I think it is best to prevent issues and that Squid should connect
> to the IP that the client is trying to connect to.

I suggest devs will say this is not secure. The client can be compromised, etc. etc. etc. :)

> Marcus
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
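The mechanics the thread argues about, as an added illustration that is not Squid's code and not any participant's: peek the SNI out of a TLS ClientHello, map only a syntactically valid FQDN into the fake "CONNECT host:443" line (so "*.example.com" is refused and there is nothing to look up), and then choose the server IP under the two behaviours discussed: resolve the name and pick one of its addresses, or pin to the IP the client actually dialed. The ClientHello bytes are constructed inline, the resolver is a stub table (the name "cdn.example.com" and the RFC 5737 addresses are assumptions), and the policy names "dns" and "pin" are hypothetical labels for the two options, not Squid configuration.

```python
"""Peeked-SNI to fake-CONNECT mapping and destination choice (illustrative)."""
import re
import struct

# RFC 1123 style hostname: labels of [a-z0-9-], no leading/trailing '-', <= 253 chars.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)

# Constructed stand-in for DNS so the script runs offline (assumed data).
CDN_TABLE = {
    "cdn.example.com": {"198.51.100.10", "198.51.100.11", "198.51.100.12"},
}


def stub_resolve(name):
    return CDN_TABLE.get(name, set())


def build_client_hello(server_name: bytes) -> bytes:
    """Constructed test input: a minimal TLS ClientHello record with one SNI entry."""
    entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name   # host_name type 0
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list           # extension type 0 = SNI
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32    # client_version, random
            + b"\x00"                      # session_id length 0
            + b"\x00\x02\x00\x2f"          # one cipher suite
            + b"\x01\x00"                  # compression methods: null
            + exts)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body               # handshake type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs              # record type 22


def peek_sni(record: bytes):
    """Return the host_name carried in the SNI extension, or None if absent/malformed."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32                                   # handshake header, version, random
    pos += 1 + hs[pos]                                 # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0] # cipher_suites
    pos += 1 + hs[pos]                                 # compression_methods
    if pos + 2 > len(hs):
        return None                                    # no extensions at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0:
            p = pos + 2                                # skip ServerNameList length
            while p + 3 <= pos + elen:
                ntype, nlen = hs[p], struct.unpack("!H", hs[p + 1:p + 3])[0]
                if ntype == 0:
                    return hs[p + 3:p + 3 + nlen].decode("ascii", "replace")
                p += 3 + nlen
        pos += elen
    return None


def fake_connect_line(sni, port=443):
    """Map the peeked SNI into a CONNECT authority; only a valid FQDN gets through."""
    if not sni or not HOSTNAME_RE.match(sni):
        return None                                    # e.g. "*.example.com" or odd characters
    return f"CONNECT {sni}:{port} HTTP/1.1"


def choose_destination(sni, original_dst, resolve, policy="pin"):
    """Return (ip_to_connect, sni_verified) under a hypothetical policy.

    "dns": behave like a regular CONNECT: resolve the name and use one of its
           addresses, failing (None) when nothing resolves.
    "pin": always connect to the IP the client dialed.
    sni_verified tells the caller whether that IP is one the SNI resolves to;
    an unverified SNI should not be trusted for access-control decisions,
    since a compromised client can send any name it likes.
    """
    if fake_connect_line(sni) is None:
        return (original_dst, False) if policy == "pin" else (None, False)
    resolved = resolve(sni)
    verified = original_dst in resolved
    if policy == "pin" or verified:
        return original_dst, verified
    if not resolved:
        return None, False                             # lookup failed: the error path
    return min(resolved), False                        # some resolved address, maybe not the client's


if __name__ == "__main__":
    rec = build_client_hello(b"cdn.example.com")
    name = peek_sni(rec)
    print(fake_connect_line(name), choose_destination(name, "198.51.100.11", stub_resolve))
```

Running it with a client that dialed 198.51.100.11 keeps that address under both policies because the name resolves to it; a client that dialed 203.0.113.5 with the same SNI is redirected to 198.51.100.10 under "dns" and kept on 203.0.113.5 but flagged unverified under "pin", which is the trade-off the two replies above describe.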