Re: about https support for transparent proxy

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Sun, 28 Jun 2009 22:06:20 +0200

Fri 2009-06-26 at 13:00 -0600, Alex Rousskov wrote:

> It looks like you are working on a useful feature, but can you
> explain in more detail what your patch does? Why is the feature called
> SslConnect? Is it specific to tproxy environments or can it work with
> any transparent Squid? Does it work in combination with SslBump or are
> they mutually exclusive?

My answers from reading the patch:

Not specific to TPROXY, works with normal interception as well.

Does not work with SslBump, I think. SslBump requires the CONNECT, right?

> What kind of magic is going on in tunnelProxyConnectedWriteDummyDone and
> tunnelProxyConnectedReadDone?

Not entirely sure either. But it's somehow about forwarding an
intercepted SSL connection to a parent proxy where the response from the
parent needs to be discarded.

I guess much of this is actually from our rather poor proxy CONNECT
response processing in the tunnel code.. iirc we normally don't even try
to touch those responses but instead relay them as part of the tunneled
data, resulting in a 200 response logged even if the parent responded
with an error, and no Via header added..

> Why do we not care about certain
> tunnelStart errors if SslConnect is enabled? Perhaps you can add source
> code comments to explain your intent?

Because it's relaying an SSL connection, not HTTP. So it's not possible
to return an HTTP error message like we normally do.

I guess it could be extended to respond with an SSL level error
notification in these cases, but not sure it's worth the effort.

Regards
Henrik
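The CONNECT-reply handling discussed above, as an added example that is not Squid's code and not from this thread: instead of relaying whatever the parent sends back as tunnel data, the parent's status line is parsed first, so a parent error is recognised and logged as such, and only the bytes after the header block are handed to the tunnel. `ConnectReply`, `parseConnectReply` and `tunnelEstablished` are hypothetical names; the sample reply bytes are constructed.

```cpp
#include <cassert>
#include <cctype>
#include <cstdlib>
#include <iostream>
#include <string>

// Outcome of inspecting what the parent proxy sent back after our CONNECT.
// Hypothetical type, not part of Squid.
struct ConnectReply {
    bool complete;         // false: header terminator not seen yet, keep reading
    int status;            // parent's HTTP status code; 0 if the status line is unparsable
    std::string leftover;  // bytes following the header block: they belong to the TLS tunnel
};

// Parse the parent's CONNECT reply. Returns complete=false while the header
// block is still partial, so the caller keeps reading instead of relaying.
ConnectReply parseConnectReply(const std::string& buf) {
    ConnectReply r{false, 0, ""};

    // Find the end of the header block; accept bare LF terminators too.
    std::string::size_type end = buf.find("\r\n\r\n");
    std::string::size_type termLen = 4;
    if (end == std::string::npos) {
        end = buf.find("\n\n");
        termLen = 2;
    }
    if (end == std::string::npos)
        return r;  // need more bytes before deciding anything

    r.complete = true;
    r.leftover = buf.substr(end + termLen);

    // The status line is the first line: HTTP/1.x SP 3DIGIT SP reason
    std::string line = buf.substr(0, buf.find('\n'));
    if (!line.empty() && line.back() == '\r')
        line.pop_back();
    if (line.compare(0, 5, "HTTP/") != 0)
        return r;  // not an HTTP status line; status stays 0
    std::string::size_type sp = line.find(' ');
    if (sp == std::string::npos || line.size() < sp + 4)
        return r;
    std::string code = line.substr(sp + 1, 3);
    for (char c : code)
        if (!std::isdigit(static_cast<unsigned char>(c)))
            return r;
    r.status = std::atoi(code.c_str());
    return r;
}

// Only a 2xx reply means the parent opened the tunnel; anything else must be
// treated (and logged) as a failed CONNECT, not relayed to the client as data.
bool tunnelEstablished(const ConnectReply& r) {
    return r.complete && r.status >= 200 && r.status < 300;
}

int main() {
    // Constructed sample: a successful CONNECT reply followed by the first
    // bytes of the client's TLS record that were read in the same buffer.
    const std::string ok = "HTTP/1.0 200 Connection established\r\n\r\n\x16\x03\x01";
    ConnectReply r = parseConnectReply(ok);
    std::cout << "parent status " << r.status
              << ", tunnel bytes carried over: " << r.leftover.size() << "\n";
    return tunnelEstablished(r) ? 0 : 1;
}
```

The status code returned by `parseConnectReply` is what belongs in the access log for the request; the `leftover` bytes are the only part of the buffer that should reach the tunnel relay.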
Received on Sun Jun 28 2009 - 20:06:34 MDT