Re: clarifying Features/SslPeekAndSplice on wiki + fake CONNECT

On 08/23/2016 12:44 AM, Alex Rousskov wrote:
On 08/22/2016 08:14 PM, Marcus Kool wrote:
Thanks for your reply.
I will start changing the wiki page.
When I think I am done, I will let you know for a review.

It is best to commit all your intended changes at once (if at all)
rather than to use the public page as a scratch pad -- folks read what
you commit.

I am aware of this and always leave a page in a consistent state.
My knowledge of Moin Syntax and the 10-minute locks force me to
use the preview all the time and commit once in a while.

The fake CONNECT _is_ desired, but with FQDN, to

I am not sure whether you are making a general/universal claim (as in
"nobody needs CONNECTs without FQDN") or just documenting your
particular use case. I assume it is the latter. Please note that the
wiki page should focus on the general case (but may document specific
use cases as well, of course).


1) have no differences in the CONNECT information sent to
   the URL rewriter in normal proxy mode and in transparent
   intercept mode.

You do not control what is being sent to the rewriter in a forward proxy
mode. Some HTTPS clients use FQDNs, some use IP addresses.


2) be able to filter.  The url rewriter cannot filter based
   on the IP address, it needs a FQDN/SNI.

Some rewriters can.

Note that CONNECTs should be sent both during step1 and during step2 by
default.

I think I missed something.  The URL rewriter on my systems only gets IP
addresses, never SNI/FQDN.  And never receives two CONNECTs (i.e. one
at step1 and one at step2).

This is a bug or a missing feature [in your Squid?] IMHO.

I managed to get 2 CONNECTs to the URL rewriter by using the simplest example
from the website:
   acl step1 at_step SslBump1
   ssl_bump peek step1
   ssl_bump bump all
But the 2 CONNECTs have both an IP address.
The %ssl::>sni macro does not expand in url_rewrite_extras but
expands fine in the logformat of Squid 3.5.20.
Can we call that a bug?

Can I configure Squid to send a fake CONNECT during step2?

It should be done automatically IIRC.

What is "during"?

Each step starts with obtaining specific information (TCP client, SSL
client, or SSL server) and ends with evaluating ssl_bump rules. The
whole callout sequence happens in-between:
http://wiki.squid-cache.org/ProgrammingGuide/Architecture?#HTTP_Request

Disclaimer: This is a rough/approximate description. There may be
exceptions or special cases in certain environments.


Is the CONNECT sent at the end of step2 so it can send the SNI?

IIRC, it should be sent both during step1 and during step2. I believe
there are rewriters that use SNI information in interception environments.


HTH,

Alex.



_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
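The thread turns on what a url_rewrite_program helper actually receives for an intercepted HTTPS connection: a fake CONNECT whose "URL" is only ip:443, versus one that carries an FQDN or the TLS SNI. The helper below is an added example, not code from the thread, from Marcus Kool or from the Squid project. It assumes a url_rewrite_extras line that appends the SNI as sni=%ssl::>sni (an assumed directive; as the thread notes, whether that macro expands in url_rewrite_extras depends on the Squid version), the Squid 3.4+ helper reply protocol (OK rewrite-url=..., ERR, BH, with an optional concurrency channel ID), a constructed block list, and an assumed internal host blockpage.internal.example that serves a block page. It shows the defender's problem the thread describes: when only an IP address arrives, there is no name to filter on, so the request passes through; when an SNI or FQDN is present, the tunnel can be re-pointed at the block page host.

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program helper that filters CONNECT requests by name.

Added example; not code from the thread or from Squid. Assumed squid.conf:

    url_rewrite_extras "%>a/%>A %un %>rm myip=%la myport=%lp sni=%ssl::>sni"
    url_rewrite_program /usr/local/bin/sni_filter.py
    url_rewrite_children 5 startup=2 idle=1 concurrency=10

Squid 3.4+ helper protocol assumed:
  request  "[channel-ID] URL client_ip/fqdn user method [key=value ...]"
  reply    "[channel-ID] OK rewrite-url=host:port" | "[channel-ID] ERR" | "[channel-ID] BH"
"""
import ipaddress
import sys
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed block list and assumed internal block-page host for the demo.
BLOCKED_NAME_SUFFIXES = ("blocked.example", "ads.example")
BLOCK_TUNNEL_TARGET = "blockpage.internal.example:443"


@dataclass
class RewriteRequest:
    channel: Optional[str]      # present only when concurrency > 0
    url: str                    # for CONNECT this is "host:port"
    client: str                 # "%>a/%>A": client IP/FQDN
    user: str                   # "%un" or "-"
    method: str                 # "%>rm", e.g. CONNECT
    extras: Dict[str, str] = field(default_factory=dict)


def parse_request(line: str) -> RewriteRequest:
    """Split one helper request line into its fields and key=value extras."""
    fields = line.strip().split()
    channel = fields.pop(0) if fields and fields[0].isdigit() else None
    if len(fields) < 4:
        raise ValueError("short helper request: %r" % line)
    url, client, user, method = fields[:4]
    extras = {}
    for kv in fields[4:]:
        key, sep, value = kv.partition("=")
        if sep:
            extras[key] = value
    return RewriteRequest(channel, url, client, user, method, extras)


def connect_host(url: str) -> Tuple[str, bool]:
    """Return (host, is_ip) for a CONNECT target such as '203.0.113.7:443'."""
    host, sep, port = url.rpartition(":")
    if not sep or not port.isdigit():
        host = url                      # no port given
    host = host.strip("[]")             # bracketed IPv6 literal
    try:
        ipaddress.ip_address(host)
        return host, True
    except ValueError:
        return host, False


def name_for(req: RewriteRequest) -> str:
    """Best available server name: SNI from extras, else an FQDN in the URL.

    A bare IP (the transparent-intercept case from the thread) yields "",
    because there is nothing to filter by name.
    """
    sni = req.extras.get("sni", "")
    if sni not in ("", "-"):            # "-" is Squid's empty-field marker
        return sni.lower().rstrip(".")
    host, is_ip = connect_host(req.url)
    return "" if is_ip else host.lower().rstrip(".")


def decide(req: RewriteRequest) -> str:
    """Reply body (without channel prefix) for one request."""
    if req.method != "CONNECT":
        return "ERR"                    # plain HTTP: leave the URL untouched
    name = name_for(req)
    if name and any(name == s or name.endswith("." + s)
                    for s in BLOCKED_NAME_SUFFIXES):
        # Re-point the tunnel at an internal host that serves a block page.
        return "OK rewrite-url=" + BLOCK_TUNNEL_TARGET
    return "ERR"                        # no rewrite: tunnel proceeds as requested


def reply_for_line(line: str) -> str:
    """Full reply line, echoing the concurrency channel ID when present."""
    fields = line.split()
    channel = fields[0] if fields and fields[0].isdigit() else None
    try:
        body = decide(parse_request(line))
    except ValueError:
        body = "BH"                     # BH = helper could not handle the request
    return body if channel is None else "%s %s" % (channel, body)


def serve(stdin=sys.stdin, stdout=sys.stdout) -> None:
    """Helper main loop: one reply per request line, flushed immediately."""
    for line in stdin:
        stdout.write(reply_for_line(line) + "\n")
        stdout.flush()


if __name__ == "__main__":
    serve()
```

Run under Squid it reads requests on stdin and answers on stdout; fed the constructed line "0 203.0.113.7:443 192.0.2.10/- - CONNECT myip=192.0.2.1 myport=3129 sni=www.blocked.example" it re-points the tunnel, while the same line with sni=- (the IP-only case Marcus describes) passes through with ERR because no name is available to match.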