On 27/07/18 16:10, Gordon Hsiao wrote:
> I'm running Squid 4.1 interception peek+splice mode.
>
> Some sites with HSTS (max-age=0) will not work whenever Squid is on. HSTS
> max-age=0 is supposed to turn off HSTS, but Chrome/Firefox will keep
> redirecting https<-->http until it failed (too many redirects). Once
> Squid is removed all is good.
>
> I also searched various lists and Squid's website, and it's still unclear to
> me: for an intercept proxy, can Squid deal with HSTS reliably these days?

Handle yes. Reliably no.

Squid should be erasing the HSTS header completely whenever it can. The problem is that HSTS can be delivered in several ways that Squid is not in control of (spliced traffic, non-HTTP protocols, and non-proxied connections). You have to reliably seal off those other protocols and connection types for the MITM proxy to have even a basic chance at success.

FWIW: any HSTS TTL value that gets through to the server breaks things. Even though max-age=0 can be used to clear some of those other HSTS avenues, it still breaks things just by turning on the HSTS handling at the server.

> A similar question is HPKP, or the pinning certificate; can Squid 4.1
> handle that?

No. While HSTS was a train wreck from day-0, HPKP is technically closer to how TLS was supposed to be used in the first place.

AFAIK, the only thing you can do in the presence of a client application using HPKP is splice. A server using it does not matter if the client is not checking.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
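As an added illustration (not code from Squid or from the thread), a small Python model of the browser-side HSTS store from RFC 6797 and of the http/https redirect loop described above; host names are constructed. It shows that the loop lasts as long as the browser still holds a cached HSTS entry for the host, and that a max-age=0 response only clears that entry if it reaches the browser intact over HTTPS.

```python
# Added model (not Squid's code); origin and host names are constructed.
import re
from urllib.parse import urlsplit, urlunsplit

class HstsStore:
    """Minimal Known-HSTS-Host list: hostname -> max-age seconds."""
    def __init__(self):
        self.hosts = {}

    def observe(self, scheme, host, headers):
        # RFC 6797 8.1: the header is only honoured on a secure transport.
        sts = headers.get("Strict-Transport-Security")
        m = sts and re.search(r'max-age\s*=\s*"?(\d+)"?', sts, re.I)
        if scheme != "https" or not m:
            return  # absent, insecure transport or no valid max-age: ignored
        if int(m.group(1)) == 0:
            self.hosts.pop(host, None)  # max-age=0 deletes the entry
        else:
            self.hosts[host] = int(m.group(1))

    def upgrade(self, url):
        p = urlsplit(url)
        if p.scheme == "http" and p.hostname in self.hosts:
            return urlunsplit(("https",) + tuple(p[1:]))
        return url

def navigate(store, url, origin, limit=20):
    """Follow redirects like a browser; returns (final_url, redirects_followed)."""
    for hops in range(limit):
        url = store.upgrade(url)
        p = urlsplit(url)
        status, headers = origin(p.scheme, p.path)
        store.observe(p.scheme, p.hostname, headers)
        if status not in (301, 302, 307, 308):
            return url, hops
        url = headers["Location"]
    raise RuntimeError("too many redirects")

def legacy_site(scheme, path):
    """Constructed origin: wants plain http, sends max-age=0 to clear HSTS."""
    if scheme == "https":
        return 301, {"Location": "http://legacy.example" + path,
                     "Strict-Transport-Security": "max-age=0"}
    return 200, {}

def hsts_stripping_proxy(origin):
    """Wrap an origin so the HSTS header never reaches the browser."""
    def proxied(scheme, path):
        status, headers = origin(scheme, path)
        headers.pop("Strict-Transport-Security", None)
        return status, headers
    return proxied
```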