Re: about https support for transparent proxy

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Sun, 28 Jun 2009 14:18:00 -0600

On 06/28/2009 02:06 PM, Henrik Nordstrom wrote:
> fre 2009-06-26 klockan 13:00 -0600 skrev Alex Rousskov:
>
>> It looks like you are working on a useful feature, but can you
>> explain in more detail what your patch does? Why is the feature called
>> SslConnect? Is it specific to tproxy environments or can it work with
>> any transparent Squid? Does it work in combination with SslBump or are
>> they mutually exclusive?
>
> My answers from reading the patch:
>
> Not specific to TPROXY, works with normal interception as well.

Ok, but can you tell what the patch does? Forwards raw SSL connections
to the next hop, as if Squid was a TCP proxy? Something else?

> Does not work with SslBump, I think. SslBump requires the CONNECT right?

I do not think so. In my tests, SslBump worked for WCCP-intercepted SSL
connections.

>> What kind of magic is going on in tunnelProxyConnectedWriteDummyDone and
>> tunnelProxyConnectedReadDone?
>
> Not entirely sure either. But it's somehow about forwarding an
> intercepted SSL connection to a parent proxy where the response from the
> parent needs to be discarded.
>
> I guess much of this is actually from our rather poor proxy CONNECT
> response processing in the tunnel code.. iirc we normally don't even try
> to touch those responses but instead relay them as part of the tunneled
> data, resulting in a 200 response logged even if the parent responded
> with an error, and no Via header added..
>
>> Why do we not care about certain
>> tunnelStart errors if SslConnect is enabled? Perhaps you can add source
>> code comments to explain your intent?
>
> Because it's relaying an SSL connection, not HTTP. So it's not possible
> to return an HTTP error message like we normally do.
>
> I guess it could be extended to respond with an SSL level error
> notification in these cases, but not sure it's worth the effort.

We should probably add a few comments such as above to the sources if
this patch is accepted.

Thank you,

Alex.
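The CONNECT-reply problem Henrik points out (the parent's response is relayed as tunneled bytes, so a 200 gets logged even when the parent refused) can be illustrated with a small model of the relay's decision step. This is an added example and not Squid's tunnel code; `naive_relay` models the behaviour described in the thread, `tunnel_decision` the alternative of reading the parent's status line first, and the sample replies are constructed for this example.

```python
import re

# Status line of the parent proxy's reply to our CONNECT request.
STATUS_RE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ?([^\r\n]*)\r\n")

# Constructed sample replies: one accepted CONNECT followed by the first
# bytes of the client's TLS stream, one refusal with an empty body.
CONNECT_OK = (b"HTTP/1.1 200 Connection established\r\n\r\n"
              b"\x16\x03\x01\x00\x05hello")
CONNECT_DENIED = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"


def split_connect_reply(buf: bytes):
    """Parse the parent's CONNECT reply head.

    Returns (status, reason, headers, leftover) where leftover is whatever
    followed the blank line (already tunneled data), or None when the head
    has not arrived completely yet.
    """
    end = buf.find(b"\r\n\r\n")
    if end == -1:
        return None
    head, leftover = buf[:end + 4], buf[end + 4:]
    m = STATUS_RE.match(head)
    if not m:
        raise ValueError("malformed CONNECT reply status line")
    headers = {}
    for line in head[m.end():-4].split(b"\r\n"):
        if line:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), m.group(2), headers, leftover


def naive_relay(buf: bytes) -> dict:
    """Behaviour described in the thread: never look at the parent's reply,
    forward it as tunneled data and log 200 regardless of what it said."""
    return {"action": "relay", "log_status": 200, "forward": buf}


def tunnel_decision(buf: bytes) -> dict:
    """Inspect the parent's reply before relaying.

    On 200 the HTTP reply is consumed and only the leftover bytes (the start
    of the raw SSL stream) are forwarded; on any other status the tunnel is
    closed and the parent's real status is what gets logged.
    """
    parsed = split_connect_reply(buf)
    if parsed is None:
        return {"action": "wait"}          # need more bytes from the parent
    status, _reason, _headers, leftover = parsed
    if status == 200:
        return {"action": "relay", "log_status": 200, "forward": leftover}
    # Relaying an HTTP error into a raw SSL stream is useless to the client.
    return {"action": "close", "log_status": status, "forward": b""}
```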
Received on Sun Jun 28 2009 - 20:47:41 MDT