From: Christos Tsantilas
Date: Wed, 3 May 2017 14:43:59 +0000 (+0300)
Subject: bug4682: When client-first bumping mode is used squid can ignore http access
X-Git-Tag: M-staged-PR71~187
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e1241cd3d0cf3007ce0d816c093703e8e7f38217;p=thirdparty%2Fsquid.git

bug4682: When client-first bumping mode is used squid can ignore http access denied

Squid fails to identify HTTP requests which are tunneled inside an already established client-first bumped tunnel, and this results in ignoring http access denied for these requests.

This is a Measurement Factory project
---
diff --git a/src/client_side_request.cc b/src/client_side_request.cc index 9356429505..0f1bf1973d 100644 --- a/src/client_side_request.cc +++ b/src/client_side_request.cc @@ -1427,7 +1427,17 @@ ClientRequestContext::sslBumpAccessCheck() if (bumpMode != Ssl::bumpEnd) { debugs(85, 5, HERE << "SslBump already decided (" << bumpMode << "), " << "ignoring ssl_bump for " << http->getConn()); - if (!http->getConn()->serverBump()) + + // We need the following "if" for transparently bumped TLS connection, + // because in this case we are running ssl_bump access list before + // the doCallouts runs. It can be removed after the bug #4340 fixed. + // We do not want to proceed to bumping steps: + // - if the TLS connection with the client is already established + // because we are accepting normal HTTP requests on TLS port, + // or because of the client-first bumping mode + // - When the bumping is already started + if (!http->getConn()->switchedToHttps() && + !http->getConn()->serverBump()) http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed and not already bumped http->al->ssl.bumpMode = bumpMode; // inherited from bumped connection return false;
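Review bot: The comment added above the new `if (!http->getConn()->switchedToHttps() && !http->getConn()->serverBump())` check in sslBumpAccessCheck() lists when the bumping steps are skipped but never states the access-control consequence that the commit message gives as the reason for the change, namely that requests tunneled inside an already established client-first bumped connection were escaping an http_access denial. One sentence in the comment tying the `switchedToHttps()` test to that behaviour would keep a later cleanup from dropping it as redundant. The remark "It can be removed after the bug #4340 fixed" is ambiguous about whether it covers the whole `if` or only the pre-existing `serverBump()` test, and that matters because the comment invites removal; please say which condition must outlive that fix. The two bullets would also read more clearly if each named the condition it describes (the first appears to correspond to `switchedToHttps()`, the second to `serverBump()`). The patch touches only src/client_side_request.cc and carries no regression test for a denied request sent over a client-first bumped connection, which is worth adding or at least describing in the commit message.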