Search squid archive

Squid sends 2 replies after peek/splice when using an user-agent http_access rule

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

Here is a minimal squid config that demonstrates this weird issue:

  http_port 3128 ssl-bump tls-cert=/tmp/cert.pem tls-key=/tmp/key.pem

  acl regua browser .*Firefox.*
  http_access allow regua
  http_access deny all

  acl step1 at_step SslBump1
  acl step2 at_step SslBump2
  acl youtube dstdomain .youtube.com

  ssl_bump peek step1
  ssl_bump splice step2 youtube
  ssl_bump bump step2 all

With this config and using Firefox to go to https://youtube.com/,
squid replies to the CONNECT with 2 different replies, causing
an SSL_ERROR_RX_RECORD_TOO_LONG error in the browser:

  HTTP/1.1 200 Connection established
  HTTP/1.1 403 Forbidden

After reading the wiki (https://wiki.squid-cache.org/Features/SslPeekAndSplice)
I suspect this has to do with the "fake" CONNECT request, which I guess fail
to pass the http_access rule. But why would squid send 2 replies? Is this
a bug?

Adding this line:

  http_access allow step2

seems to "fix" the problem, but I'm not sure if this is the right thing to do?

Squid version is 4.6 on debian recompiled with ssl support.

Regards,

--
Gael
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux