On 08/22/2016 08:14 PM, Marcus Kool wrote:

> Thanks for your reply.
> I will start changing the wiki page.
> When I think I am done, I will let you know for a review.

It is best to commit all your intended changes at once (if at all) rather than to use the public page as a scratch pad -- folks read what you commit.

> The fake CONNECT _is_ desired, but with FQDN, to

I am not sure whether you are making a general/universal claim (as in "nobody needs CONNECTs without FQDN") or just documenting your particular use case. I assume it is the latter. Please note that the wiki page should focus on the general case (but may document specific use cases as well, of course).

> 1) have no differences in the CONNECT information sent to
> the URL rewriter in normal proxy mode and in transparent
> intercept mode.

You do not control what is being sent to the rewriter in a forward proxy mode. Some HTTPS clients use FQDNs, some use IP addresses.

> 2) be able to filter. The url rewriter cannot filter based
> on the IP address, it needs a FQDN/SNI.

Some rewriters can.

>> Note that CONNECTs should be sent both during step1 and during step2 by
>> default.

> I think I missed something. The URL rewriter on my systems only gets IP
> addresses, never SNI/FQDN. And never receives two CONNECTs (i.e. one
> at step1 and one at step2).

This is a bug or a missing feature [in your Squid?] IMHO.

> Can I configure Squid to send a fake CONNECT during step2 ?

It should be done automatically IIRC.

> What is "during"?

Each step starts with obtaining specific information (TCP client, SSL client, or SSL server) and ends with evaluating ssl_bump rules. The whole callout sequence happens in-between:

http://wiki.squid-cache.org/ProgrammingGuide/Architecture?#HTTP_Request

Disclaimer: This is a rough/approximate description. There may be exceptions or special cases in certain environments.

> Is the CONNECT sent at the end of step2 so it can send the SNI?

IIRC, it should be sent both during step1 and during step2. I believe there are rewriters that use SNI information in interception environments.

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
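The thread above turns on whether a URL rewriter can do anything useful with a fake CONNECT whose target is an IP literal (what an intercepting Squid has at step1) versus one whose target is an SNI-derived FQDN (available from step2, or from forward-proxy clients that send names). The helper below is an added example, not code from the thread, from Squid, or from any rewriter product mentioned in it. It assumes the Squid 3.4+ url_rewrite_program line layout (`[channel-ID] URL client_ip/fqdn ident method key=value ...`) and reply syntax (`OK`, `OK status=302 url="..."`, `BH`), assumes a CONNECT URL is `host:port`, and uses a hypothetical block page and hypothetical policy lists. Its point is that an IP-only CONNECT is not unfilterable, it just has to be matched against networks rather than names, and that one helper can do both depending on what Squid hands it.

```python
#!/usr/bin/env python3
"""Constructed example: a Squid url_rewrite_program helper that applies
network policy to IP-literal CONNECT targets and domain policy to FQDN
(SNI-derived) CONNECT targets.

Assumptions (not taken from the mailing-list thread):
  * Request lines follow the Squid 3.4+ default url_rewrite_extras layout:
      [channel-ID] URL client_ip/fqdn ident method key=value ...
  * Reply lines are `[channel-ID] OK`, `OK status=302 url="..."`, or `BH`.
  * A CONNECT URL is `host:port`; in SslBump interception the host is an
    IP literal at step1 and, when the client sent SNI, an FQDN at step2.
  * The block page and the policy lists below are hypothetical.
"""
import ipaddress
import sys

BLOCK_PAGE = "http://blockpage.example/"                 # hypothetical
BLOCKED_DOMAINS = {"blocked.example"}                    # hypothetical
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # hypothetical


def split_host_port(url):
    """Split a CONNECT target `host:port`; IPv6 literals are bracketed."""
    if url.startswith("["):
        host, sep, port = url.partition("]:")
        return (host + "]", port) if sep else (url, "")
    host, sep, port = url.rpartition(":")
    return (host, port) if sep else (url, "")


def classify_host(host):
    """Return ("ip", address) for an IP literal, ("fqdn", name) otherwise."""
    try:
        return "ip", ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "fqdn", host.lower().rstrip(".")


def is_blocked(kind, value):
    """Network policy for IP literals, domain-suffix policy for FQDNs."""
    if kind == "ip":
        return any(value in net for net in BLOCKED_NETS)
    return any(value == d or value.endswith("." + d) for d in BLOCKED_DOMAINS)


def reply(channel, body):
    """Prefix the reply with the concurrency channel ID when Squid sent one."""
    return body if channel is None else f"{channel} {body}"


def decide(line):
    """Turn one helper request line into one helper reply line."""
    fields = line.split()
    if not fields:
        return "BH"
    channel = fields.pop(0) if fields[0].isdigit() else None
    if len(fields) < 4:
        return reply(channel, "BH")          # malformed request line
    url, _client, _ident, method = fields[:4]
    if method.upper() != "CONNECT":
        return reply(channel, "OK")          # leave non-tunnel requests unchanged
    host, _port = split_host_port(url)
    kind, value = classify_host(host)        # step1 gives "ip", step2/SNI gives "fqdn"
    if is_blocked(kind, value):
        return reply(channel, f'OK status=302 url="{BLOCK_PAGE}"')
    return reply(channel, "OK")


def main():
    for line in sys.stdin:
        sys.stdout.write(decide(line.rstrip("\n")) + "\n")
        sys.stdout.flush()                   # Squid waits for each reply line


if __name__ == "__main__":
    main()
```

Run it under a line such as `url_rewrite_program /path/to/this_helper.py` with the matching `url_rewrite_children` setting (assumed directive names, check your Squid version's documentation). Whether the helper ever sees an FQDN for intercepted traffic still depends on Squid delivering the step2 fake CONNECT, which is the open question in the thread; the helper only shows that both shapes can be handled once they arrive.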