
Re: Checking SSL bump status in http_access


 



On 17/08/16 17:18, Alex Rousskov wrote:

> This configuration problem should be at least partially addressed by the
> upcoming annotate_transaction ACLs inserted into ssl_bump rules:
> http://lists.squid-cache.org/pipermail/squid-dev/2016-July/006146.html

That looks good. When implementing this, beware the note in comment 3 of bug 4340: http://bugs.squid-cache.org/show_bug.cgi?id=4340#c3

"for transparent connections, the NotePairs instance used during the step-1 ssl_bump ACL is not the same as the instance used during the http_access ACL, but for non-transparent connections they are the same instance. The upshot is that any notes set by an external ACL when processing the ssl_bump ACL during step 1 are discarded when handling transparent connections."

It would greatly reduce the functionality of your proposed ACLs if the annotations were sometimes discarded part way through a connection or request.

Something I've been wanting to do for a while is attach a unique "connection ID" and "request ID" to requests so that:

1. An ICAP server can make decisions about the connection (e.g. how to authenticate, whether to bump, etc.) and then refer back to the data it knows/generated about the connection when it processes the requests contained within that connection.
2. When multiple ICAP requests will be generated, they can be linked together by the ICAP server - e.g. where a single request will generate a REQMOD followed by a RESPMOD it would be good for the ICAP server to know which REQMOD and RESPMOD relate to the same request.

It sounds like your annotations plan may address this to some extent. (We can probably already do some of this by having the ICAP server generate unique IDs and store them in ICAP headers to be passed along with the request, but I think the bug mentioned above would cause those headers to be discarded mid-request in some cases.)

--
 - Steve Hill
   Technical Director
   Opendium    Online Safety / Web Filtering    http://www.opendium.com

   Enquiries                 Support
   ---------                 -------
   sales@xxxxxxxxxxxx        support@xxxxxxxxxxxx
   +44-1792-824568           +44-1792-825748