From: Christos Tsantilas Date: Thu, 5 Mar 2015 18:59:04 +0000 (+0200) Subject: Document that on_unsupported_protocol works for bumped tunnels. X-Git-Tag: merge-candidate-3-v1~224 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=56d089f3982d11906264f60fc64810c3cd8909fb;p=thirdparty%2Fsquid.git Document that on_unsupported_protocol works for bumped tunnels. --- diff --git a/src/cf.data.pre b/src/cf.data.pre index 8ef042ded1..72ee58b1f3 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -1685,14 +1685,15 @@ DEFAULT: none DEFAULT_DOC: Respond with an error message to unidentifiable traffic DOC_START Determines Squid behavior when encountering strange requests at the - beginning of an accepted TCP connection. This is especially useful in - interception environments where Squid is likely to see connections for - unsupported protocols that Squid should either terminate or tunnel at - TCP level. + beginning of an accepted TCP connection or the beginning of a bumped + CONNECT tunnel. Controlling Squid reaction to unexpected traffic is + especially useful in interception environments where Squid is likely + to see connections for unsupported protocols that Squid should either + terminate or tunnel at TCP level. on_unsupported_protocol [!]acl ... - The first matching action wins. + The first matching action wins. Only fast ACLs are supported. Supported actions are: 
@@ -1703,9 +1704,18 @@ DOC_START for the Squid port that received the request (e.g., HTTP for connections intercepted at the http_port). This is the default. - - Currently, this directive is ignored for non-intercepted connections - because Squid cannot know what their intended destination is. + + Squid expects the following traffic patterns: + + http_port: a plain HTTP request + https_port: SSL/TLS handshake followed by an [encrypted] HTTP request + ftp_port: a plain FTP command (no on_unsupported_protocol support yet!) + CONNECT tunnel on http_port: same as https_port + CONNECT tunnel on https_port: same as https_port + + Currently, this directive has effect on intercepted connections and + bumped tunnels only. Other cases are not supported because Squid + cannot know the intended destination of other traffic. For example: # define what Squid errors indicate receiving non-HTTP traffic:
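Review bot: In the first hunk (@@ -1685,14 +1685,15 @@), the added sentence "Only fast ACLs are supported." does not say what happens when a slow ACL is listed after an action. This directive decides whether unidentified traffic is terminated or tunneled, so the text should state the outcome explicitly (for example, whether such a rule is rejected at configuration time or treated as a non-match); otherwise an admin can end up with a rule that silently never applies. Minor wording in the same hunk: "Controlling Squid reaction to unexpected traffic" reads better as "Controlling Squid's reaction to unexpected traffic".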
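Review bot: In the second hunk (@@ -1703,9 +1704,18 @@), the two rows "CONNECT tunnel on http_port" and "CONNECT tunnel on https_port" in the traffic-pattern list omit the word "bumped", while the paragraph directly below limits the directive to "intercepted connections and bumped tunnels only". As written, the list can be read as saying Squid expects a TLS handshake inside every CONNECT tunnel. Suggest wording both rows as "bumped CONNECT tunnel on ...: same as https_port". The text should also say what Squid does with unexpected traffic in the cases it calls unsupported (the ftp_port row and "Other cases"), so a reader knows which behavior applies when the directive has no effect.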