From e1241cd3d0cf3007ce0d816c093703e8e7f38217 Mon Sep 17 00:00:00 2001
From: Christos Tsantilas
Date: Wed, 3 May 2017 17:43:59 +0300
Subject: [PATCH] bug4682: When client-first bumping mode is used squid can ignore http access denied

Squid fails to identify HTTP requests which are tunneled inside an already established client-first bumped tunnel, and this is results to ignore http access denied for these requests.

This is a Measurement Factory project
---
 src/client_side_request.cc | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/client_side_request.cc b/src/client_side_request.cc
index 9356429505..0f1bf1973d 100644
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
@@ -1427,7 +1427,17 @@ ClientRequestContext::sslBumpAccessCheck()
     if (bumpMode != Ssl::bumpEnd) {
         debugs(85, 5, HERE << "SslBump already decided (" << bumpMode << "), " <<
                "ignoring ssl_bump for " << http->getConn());
-        if (!http->getConn()->serverBump())
+
+        // We need the following "if" for transparently bumped TLS connection,
+        // because in this case we are running ssl_bump access list before
+        // the doCallouts runs. It can be removed after the bug #4340 fixed.
+        // We do not want to proceed to bumping steps:
+        // - if the TLS connection with the client is already established
+        //   because we are accepting normal HTTP requests on TLS port,
+        //   or because of the client-first bumping mode
+        // - When the bumping is already started
+        if (!http->getConn()->switchedToHttps() &&
+            !http->getConn()->serverBump())
             http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed and not already bumped
         http->al->ssl.bumpMode = bumpMode; // inherited from bumped connection
         return false;
-- 
2.47.2
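Review bot: The new comment says the whole `if` "can be removed after the bug #4340 fixed", but as far as I can tell only the `serverBump()` half is the #4340 workaround, while the `switchedToHttps()` half added here is the actual fix for bug 4682, so a later cleanup that removes the entire `if` as the comment invites would silently bring back the behaviour the commit message describes (requests inside an already established client-first tunnel being re-bumped and their http_access denial ignored). I would document the two conditions separately so the security-relevant one cannot be mistaken for the temporary one, e.g. `// switchedToHttps(): never re-bump a request that arrived inside an already established TLS` / `//   connection (plain HTTPS port or client-first bump) -- re-bumping skips http_access (bug 4682).` / `// serverBump(): workaround for bug #4340 (ssl_bump evaluated before doCallouts); drop once fixed.`. While at it, `after the bug #4340 fixed` should read `once bug #4340 is fixed`, and the bullet capitalisation (`- if` vs `- When`) should be made consistent. sslBumpAccessCheck() starts before and continues after this hunk.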