
Re: ALPN, HTTP/2 and sslbump

On 08/11/17 17:15, senor wrote:
> I am surprised that I didn't find this question asked and answered
> recently. Maybe this issue is newer than I realize.
>
> I understand that support of HTTPS/2 is in development but I'd like to
> better understand what is and is not currently supported. I discovered
> the other day that an intercepted client https connection, which
> included both h2 and http/1.1 in the ALPN extension, was tunneled when
> the server responded with only h2. I'm assuming that was due to squid
> not fully supporting HTTP/2.

Hmm. If you are using SSL-Bump to bump the traffic the current Squid should be delivering an ALPN containing only HTTP/1.1 to the server. Sending h2 in the ALPN is only valid if the proxy supports h2 natively or intends up front to splice the transaction back to "tunneled".



> My initial need is to prevent the tunnel. Preferably by forcing http/1.1
> and bumping but just denying the connection is second best. I'm not
> aware of any squid built-in mechanisms to manage ALPN or HTTP/2 so I'm
> thinking the external_acl is the only way to go. I think the client ALPN
> data is available at bump step 2 but what options do I have at that point?
>
> Help or corrections to my assumptions are appreciated.


Any info about your Squid version, and squid.conf contents - especially http_access and SSL-Bump related things would be useful. Random guesses about complex things like TLS are harmful to solving actual problems.

Amos
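Amos's statement (a bumped connection should reach the origin with an ALPN list containing only http/1.1) is something you can check on the wire rather than guess at: capture the ClientHello that the proxy sends on its server-facing side and read the ALPN extension out of it. The script below is an added example written for this thread, not Squid code and not something either poster supplied. It uses Python's `ssl` module with a `MemoryBIO` to produce real ClientHello bytes offline (standing in for a captured record), then parses the TLS record, the handshake header and the extension list to pull out the ALPN names. The hostname `example.test` and the function names are this example's own choices.

```python
"""Inspect the ALPN list in a TLS ClientHello record.

Added example for the squid-users thread on ALPN and SSL-Bump; not Squid
code. Feed parse_client_hello_alpn() the raw bytes of the ClientHello
record that the proxy sends toward the origin server (captured on the
proxy's outbound side) to see what it actually offers.
"""
import ssl
import struct

TLS_HANDSHAKE = 0x16      # record content type: handshake
HS_CLIENT_HELLO = 0x01    # handshake message type: ClientHello
EXT_ALPN = 0x0010         # extension type: application_layer_protocol_negotiation


def parse_client_hello_alpn(record: bytes):
    """Return the ALPN protocol names offered in a TLS ClientHello record.

    Returns None when no ALPN extension is present, [] when it is present
    but empty. Raises ValueError for input that is not a ClientHello.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                      # legacy_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                # session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + cs_len                 # cipher_suites
    cm_len = hello[pos]
    pos += 1 + cm_len                 # compression_methods
    if pos == len(hello):
        return None                   # no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(hello):
        raise ValueError("extensions overrun ClientHello")

    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type != EXT_ALPN:
            continue
        # ALPN body: u16 list length, then (u8 length, name) entries.
        list_len = struct.unpack("!H", data[:2])[0]
        names, q = [], 2
        while q < 2 + list_len:
            n = data[q]
            q += 1
            names.append(data[q:q + n].decode("ascii"))
            q += n
        return names
    return None


def offers_only_http11(record: bytes) -> bool:
    """True when the ClientHello offers exactly ['http/1.1'], which is what a
    bumping proxy that has no native h2 support should send upstream."""
    return parse_client_hello_alpn(record) == ["http/1.1"]


def build_client_hello(alpn, server_hostname="example.test") -> bytes:
    """Produce a genuine ClientHello with the given ALPN list without
    touching the network, using a MemoryBIO pair. Stands in for a packet
    capture in this example; alpn=None omits the extension entirely."""
    ctx = ssl.create_default_context()
    if alpn:
        ctx.set_alpn_protocols(alpn)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # the ClientHello is now queued in `outgoing`
    return outgoing.read()


if __name__ == "__main__":
    for alpn in (["h2", "http/1.1"], ["http/1.1"], None):
        hello = build_client_hello(alpn)
        print(alpn, "->", parse_client_hello_alpn(hello),
              "| only http/1.1:", offers_only_http11(hello))
```

On a real proxy, replace `build_client_hello()` with the captured record: for example, dump the TCP payload of the first handshake packet toward the origin with tshark (`-Y 'tls.handshake.type == 1' -T fields -e tcp.payload`, which prints hex) and pass `bytes.fromhex(...)` to `parse_client_hello_alpn()`. A bumped connection that shows `["h2", "http/1.1"]` here means the proxy is forwarding the client's ALPN rather than substituting its own, which is the condition under which an h2-only answer from the server leaves splicing as the only option.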
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users