From: Christos Tsantilas
Date: Mon, 29 May 2017 07:10:37 +0000 (+1200)
Subject: Bug 4682: ignoring http_access deny when client-first bumping mode is used
X-Git-Tag: SQUID_3_5_26~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f854068c67122934fa2dde41d041b085f3816b3;p=thirdparty%2Fsquid.git

Bug 4682: ignoring http_access deny when client-first bumping mode is used

Squid fails to identify HTTP requests which are tunneled inside an already established client-first bumped tunnel, and this is results in ignoring http_access denied for these requests.

This is a Measurement Factory project
---

diff --git a/src/client_side_request.cc b/src/client_side_request.cc
index e75b757ab6..669cc16b59 100644
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
@@ -1424,7 +1424,17 @@ ClientRequestContext::sslBumpAccessCheck()
 if (bumpMode != Ssl::bumpEnd) {
 debugs(85, 5, HERE << "SslBump already decided (" << bumpMode << "), " << "ignoring ssl_bump for " << http->getConn());
- if (!http->getConn()->serverBump())
+
+ // We need the following "if" for transparently bumped TLS connection,
+ // because in this case we are running ssl_bump access list before
+ // the doCallouts runs. It can be removed after the bug #4340 fixed.
+ // We do not want to proceed to bumping steps:
+ // - if the TLS connection with the client is already established
+ // because we are accepting normal HTTP requests on TLS port,
+ // or because of the client-first bumping mode
+ // - When the bumping is already started
+ if (!http->getConn()->switchedToHttps() &&
+ !http->getConn()->serverBump())
 http->sslBumpNeed(bumpMode); // for processRequest() to bump if needed and not already bumped
 http->al->ssl.bumpMode = bumpMode; // inherited from bumped connection
 return false;
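Review bot: The new comment block tells a future maintainer that the whole `if` "can be removed after the bug #4340 fixed", yet the added `switchedToHttps()` half of the condition is what closes Bug 4682 (http_access deny ignored for requests tunneled inside a client-first bumped connection, per the commit message), so removing the block wholesale after #4340 would reintroduce that access-control bypass. Suggest stating this explicitly in the comment, e.g. `// Only the transparent-bump part is tied to bug #4340; the switchedToHttps() test also fixes Bug 4682 (http_access bypass inside a client-first bumped tunnel) and must remain.` As a smaller style point, `http->getConn()` is now evaluated three times in this branch (the debugs line and both operands of the condition); hoisting it once into a local before the `debugs()` call would make the condition easier to read and audit. The enclosing `sslBumpAccessCheck()` body starts and ends outside the hunk, so I cannot see whether `getConn()` is guaranteed non-null here; the new code keeps the same unchecked dereference pattern as the line it replaces.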