Squid HEAD : intercept SSLBump server first + out of Squid box NAT redirection

From: Vincent Miszczak <vmiszczak_at_ankama.com>
Date: Wed, 14 Nov 2012 19:17:21 +0100

Hi guys,

I'm testing this feature, working like it should at the moment, great feature :)

For now, I've been testing with an inline Linux server using iptables redirection. Both Netfilter REDIRECT and DNAT targets make this configuration work.
My production setup won't have the Squid box inline. Another router will NAT the flows to the Squid box. I know this works for HTTP because Squid can extract the "Host" information from the request and contact the correct server, but will bump-server-first work if the NAT is not done by the Squid box itself? Having looked at the SSL handshake, no information is passed by the client to indicate the remote host, so for now I guess Squid gets the destination IP information from the Netfilter NAT mapping (the wiki says Squid doesn't use SNI).

Trying to look by myself, I found this, which correlates with the above:

Ip/intercept.cc:

Ip::Intercept::NetfilterInterception(const Comm::ConnectionPointer &newConn, int silent)
{
    ...
    /* Try NAT lookup for REDIRECT or DNAT targets. */
    if ( getsockopt(newConn->fd, IPPROTO_IP, SO_ORIGINAL_DST, &lookup, &len) != 0) {
        if (!silent) {
            debugs(89, DBG_IMPORTANT, HERE << " NF getsockopt(SO_ORIGINAL_DST) failed on " << newConn << ": " << xstrerror());
            lastReported_ = squid_curtime;
        }
        debugs(89, 9, HERE << "address: " << newConn);
        return false;
    } else {
        newConn->local = lookup;
        debugs(89, 5, HERE << "address NAT: " << newConn);
        return true;
    }
...
}

I'd like to know how Squid resolves the remote host when handling an intercepted server-first bumped connection, so I'll be able to set up my network accordingly.

Could some nice dev give some explanations on this, or point to documentation?

Regards,



Received on Wed Nov 14 2012 - 18:17:32 MST
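The snippet quoted in the message above shows the mechanism Squid relies on: on Linux, an intercepting proxy asks Netfilter's connection tracker for the pre-NAT destination of an accepted socket with getsockopt(SO_ORIGINAL_DST). The following C program is an added example, not Squid's code and not part of the original post; the helper names (lookup_original_dst, classify_dst, resolve_intercepted_dst) and the listening port 3129 are this example's own. It performs the same lookup and, in addition, shows how to recognise the case the poster asks about: when the DNAT/REDIRECT happened on another router, conntrack on the proxy host holds no NAT mapping, so the "original" destination it returns is the proxy's own listening address (or the lookup fails outright). A proxy that connected to that address would be connecting to itself, which is why the NAT must be done on the box running the intercepting proxy.

```c
/* Added example: recovering the original destination of an intercepted TCP
 * connection on Linux and detecting "NAT was not done on this host".
 * Not Squid's code; helper names are this example's own. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __linux__
#include <linux/netfilter_ipv4.h>   /* defines SO_ORIGINAL_DST */
#endif
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80          /* Linux value; assumed so the file builds elsewhere */
#endif

enum dst_kind {
    DST_LOOKUP_FAILED = -1, /* conntrack has no entry: not intercepted, or module absent */
    DST_SELF = 0,           /* recovered address is the proxy itself: NAT done elsewhere */
    DST_NATTED = 1          /* a real upstream server address was recovered */
};

/* Ask Netfilter for the pre-NAT destination of an accepted socket.
 * Returns 0 and fills *orig on success, -1 with errno set otherwise. */
int lookup_original_dst(int fd, struct sockaddr_in *orig)
{
    socklen_t len = sizeof(*orig);
    memset(orig, 0, sizeof(*orig));
    if (getsockopt(fd, IPPROTO_IP, SO_ORIGINAL_DST, orig, &len) != 0)
        return -1;
    return 0;
}

/* Pure decision logic, separated so it can be exercised without sockets:
 * compare the recovered address with the socket's own local address.
 * Equal means conntrack saw the flow but no NAT mapping exists on this
 * host (a router DNATed the flow), so forwarding would loop back to us. */
enum dst_kind classify_dst(const struct sockaddr_in *local,
                           const struct sockaddr_in *orig, int lookup_rc)
{
    if (lookup_rc != 0)
        return DST_LOOKUP_FAILED;
    if (local->sin_addr.s_addr == orig->sin_addr.s_addr &&
        local->sin_port == orig->sin_port)
        return DST_SELF;
    return DST_NATTED;
}

/* Resolve and classify an accepted socket in one step. */
enum dst_kind resolve_intercepted_dst(int fd, struct sockaddr_in *orig)
{
    struct sockaddr_in local;
    socklen_t llen = sizeof(local);
    if (getsockname(fd, (struct sockaddr *)&local, &llen) != 0)
        return DST_LOOKUP_FAILED;
    return classify_dst(&local, orig, lookup_original_dst(fd, orig));
}

int main(void)
{
    /* Minimal intercept listener on 127.0.0.1:3129 (constructed example);
     * point a REDIRECT/DNAT rule at it, then connect through it to test. */
    struct sockaddr_in bind_addr = { .sin_family = AF_INET,
                                     .sin_port = htons(3129),
                                     .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int ls = socket(AF_INET, SOCK_STREAM, 0);
    if (ls < 0 || bind(ls, (struct sockaddr *)&bind_addr, sizeof(bind_addr)) != 0 ||
        listen(ls, 8) != 0) {
        perror("listen");
        return 1;
    }
    int fd = accept(ls, NULL, NULL);
    if (fd < 0) {
        perror("accept");
        return 1;
    }
    struct sockaddr_in orig;
    enum dst_kind kind = resolve_intercepted_dst(fd, &orig);
    char ip[INET_ADDRSTRLEN];
    switch (kind) {
    case DST_NATTED:
        inet_ntop(AF_INET, &orig.sin_addr, ip, sizeof(ip));
        printf("original destination %s:%u (NAT done on this host)\n",
               ip, (unsigned)ntohs(orig.sin_port));
        break;
    case DST_SELF:
        printf("original destination is this proxy: NAT was done on another box\n");
        break;
    default:
        printf("SO_ORIGINAL_DST lookup failed: %s\n", strerror(errno));
    }
    close(fd);
    close(ls);
    return 0;
}
```

The DST_SELF branch is the condition to watch for in the poster's planned topology: a connection that reaches the proxy through a router's DNAT has no NAT entry in the proxy host's conntrack table, so the only address recoverable there is the proxy's own, and an attempt to forward to it would be a loop. Moving the REDIRECT/DNAT rule onto the host that runs the proxy (or routing the traffic to it with policy routing and doing the NAT locally) makes the lookup return the real server address.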
