On 17/10/18 3:15 PM, Amish wrote:
>
> My proposal would be to add "-n" (nobump) option to deny_info.
>
> If -n is specified then squid will send 307 directly instead of 200.
>
> Case 1)
> deny_info http://192.168.1.1/blocked.html denyit
>
> Return with 200 and bump it (existing behaviour)
>
> Case 2)
> deny_info 3xx:http://192.168.1.1/blocked.html denyit
>
> Return with 200 and bump it (existing behaviour)
>
> Case 3)
> deny_info -n http://192.168.1.1/blocked.html denyit
>
> Return with 307 Temporary Redirect and Location: header
>
> Case 4)
> deny_info -n 302:http://192.168.1.1/blocked.html denyit
>
> Return with 302 Found and Location: header.
>
> Case 1 and 2 above applicable only for sslbump cases.
>
> For non-sslbump it already behaves as 3) and 4) above.
>
>
> This would not change anything for existing users who want existing
> behaviour.
>
> But allow people like me to *NOT* bump connection when deny_info is
> activated.
>

IMO the deny_info is very much the wrong place to be making such decisions. Its purpose is to supply the *content* of the denial message itself. Nothing about how that message gets delivered.

If anything this would be an additional ssl-bump option on the port line to say that traffic is not really being ssl-bump'ed despite the presence of the ssl-bump setting.

So think about that - why bother putting "ssl-bump" on the port in the first place if the behaviour that option enables is not wanted to ever happen?

If your purpose is simply to convert port 443 traffic into HTTP CONNECT for upstream software to receive, there is other far simpler and more efficient software to be using for that. httptunnel being the popular one.

Amos