FYI
Squid Object Cache: Version 6.8-VCS
Build Info: GIT V6.8 commit 4bee0c8
Could you please somehow elaborate how this seems to be working?
acl SquidSecureConnectFail squid_error ERR_SECURE_CONNECT_FAIL
acl SquidTLSErrorConnect ssl_error SQUID_TLS_ERR_CONNECT
#tunnel all for connection errors
on_unsupported_protocol tunnel SquidTLSErrorConnect
on_unsupported_protocol tunnel SquidSecureConnectFail
Is it a good or bad attempt? As I put redir.netcentrum.cz as an
example in my first post - now it seems to just request
TCP_MISS/200 815 GET http://redir.netcentrum.cz/?
- ORIGINAL_DST/46.255.231.158 text/html -. I do not think my
chrome just decided this site is http only and call it like this
forever. I just did not see more SSL errors till yesterday. I do
not say I haven't seen any (during some fairly short period) -
such as SSL version errors, TLS inappropriate fallbacks, broken
certs, no common ciphers etc. - but now I could not find a site
that does not work (for me) - I have to ask my users. Anyway -
squid seemed to have slight problems downloading intermediate
certificates - to work properly - so I had to create a collection
of several ones for myself (and some root certificates too - for
example from MS WU site etc.) - but this could be just trouble
with my Debian underlying distro. (BTW I've already implemented
transaction_initiator certificate-fetching acl and have
http_access line for it)
On 2024-04-03 02:14, Loučanský Lukáš wrote:
this has recently started me up more then let it go. For a while
chrome is upgrading in-page links to https.
Just to add two more pieces of related information to this thread:
Some Squid admins report that their v6-based code does not suffer from this issue while their v5-based code does. I have not verified those reports, but there may be more to the story here. What Squid version are _you_ using?
One way to track progress with this annoying and complex issue is to follow the following pull request. The current code cannot be officially merged as is, and I would not recommend using it in production (because of low-level bugs that will probably crash Squid in some cases), but testing it in the lab and providing feedback to authors may be useful:
https://github.com/squid-cache/squid/pull/1668
HTH,
Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users